Announcement Announcement Module
Collapse
No announcement yet.
Simple Acegi configuration Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Simple Acegi configuration

    I'm trying to set up a webapp with Acegi security. I'm using Spring, Struts2, Sitemesh, Hibernate, and Tomcat.

    I have a simple directory structure. All of my jsp pages (except acegilogin.jsp) are under either /jsp or /jsp/protected. Anyone should be able to access the /jsp pages, only administrators should be able to access /jsp/protected.

    I can access any of the pages under /jsp, but when I try to go to a page under /jsp/protected, it gives me an access denied error instead of redirecting to the login page.

    I've never used Acegi before, so it's probably a simple configuration problem. Any help would be greatly appreciated!

    Thanks!

    Kelly

    Below is my web.xml and acegi context.
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
    
      <display-name>Lesson Downloader</display-name>
      
      <description>A web application to for downloading Lesson Packs based on a download key</description>
      
      <context-param>
        <description>This context parameter specifies the name and location
      	of the Spring root application context file.</description>
        <param-name>contextConfigLocation</param-name>
        <param-value>
        	/WEB-INF/applicationContext.xml
       		/WEB-INF/applicationContext-acegi-security.xml
       	</param-value>
      </context-param>
      
      <filter>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
          <param-name>targetClass</param-name>
          <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
       </filter>
     
      <filter>
        <filter-name>struts2-cleanup</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
      </filter>
      <filter>
        <filter-name>sitemesh</filter-name>
        <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
      </filter>
      <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
      </filter>
       
      <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>struts2-cleanup</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
    
      <welcome-file-list>
      	<welcome-file>/jsp/EnterDownloadKey-redirect.jsp</welcome-file>
        <welcome-file>index.jsp</welcome-file>
      </welcome-file-list>
      
      <resource-ref>
        <description>Lesson Pack DataSource</description>
        <res-ref-name>jdbc/LessonPackDS</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
    
      <resource-ref>
      	<description>Users DataSource</description>
        <res-ref-name>jdbc/UsersDS</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
      
      <resource-ref>
        <res-ref-name>jdbc/TestUsersDS</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
    </web-app>
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    
       <!-- ======================== FILTER CHAIN ======================= -->
       <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
          <property name="filterInvocationDefinitionSource">
             <value>
            	CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            	PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
             </value>
          </property>
       </bean>
    
       <!-- ======================== AUTHENTICATION ======================= -->
       
       <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
          <property name="providers">
             <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
             </list>
          </property>
       </bean>
       
    	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="userDetailsService"><ref bean="userService"/></property>
    	</bean>
    
       <!-- Automatically receives AuthenticationEvent messages -->
       <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
       
       <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
    
        <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
            <constructor-arg value="/jsp/EnterDownloadKey_input.action"/> <!-- URL redirected to after logout -->
            <constructor-arg>
                <list>
                    <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
                </list>
            </constructor-arg>
        </bean>
    
       <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
          <property name="authenticationManager"><ref bean="authenticationManager"/></property>
          <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
          <property name="defaultTargetUrl"><value>/</value></property>
          <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
       </bean>
    
       <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
          <property name="forceHttps"><value>false</value></property>
       </bean>
       
       <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
    
        <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
            <property name="key"><value>foobar</value></property>
            <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
        </bean>
    
        <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
            <property name="key"><value>foobar</value></property>
        </bean>
    
       <!-- ===================== HTTP REQUEST SECURITY ==================== -->
    
       <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
          <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
            <property name="accessDeniedHandler">
                <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl" />
            </property>
       </bean>
    
       <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
          <property name="allowIfAllAbstainDecisions"><value>false</value></property>
          <property name="decisionVoters">
             <list>
                <ref bean="roleVoter"/>
             </list>
          </property>
       </bean>
    
    	<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
    	     The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
    	     Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
    	 <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        	<property name="authenticationManager"><ref local="authenticationManager"/></property>
        	<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
        	<property name="objectDefinitionSource">
    			  <value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    			    /acegilogin.jsp=ROLE_ANONYMOUS
    			    /jsp/protected/**=ROLE_ADMIN
    			    /**=ROLE_ANONYMOUS,ROLE_ADMIN
    			  </value>
    		  </property>
    	 </bean>
    	 
    	 <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>
    
    </beans>
    Last edited by Runt888; Apr 9th, 2008, 09:06 PM.

  • #2
    Ok, I think I figured out what was going on. I had been authenticated, just not with the correct role (I had "admin" in my role database, instead of "ROLE_ADMIN"). So whenever I tried to access the protected resource, I got the access denied error.

    However, it seems like closing the browser would be enough to end the session, and trying to access the protected resource in a different session would cause it to ask me to log in again. I'm assuming that acegi used a cookie to keep the session open. Is that correct? If so, is that standard behavior? Is there a way to set it up so that closing the browser will close the session?

    Thanks!

    Kelly
    Last edited by Runt888; Apr 10th, 2008, 10:59 AM.

    Comment

    Working...
    X