Endless loop in web authentication

    I am trying to use form based authentication and getting into this weird problem of getting into an endless loop.
    When I try to access any page, it redirects to the login page (which is login.jsp in my case), and then it tries to redirect again and again to the login page.

    I have pasted my web.xml and Spring bean entries below. Please let me know what I am missing here that's causing this.
    Please note that if I change the url-pattern and use only *.do, it works because the login page is a .jsp file and the filter is not recalled, but then another weird problem happens: it would not understand j_acegi_security_check, so I had to append .do at the end of j_acegi_security_check also. So to work with the *.do url-pattern, I had to use j_acegi_security_check.do in both places (in the bean and the login form).

    Here are my web.xml entries
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
    classpath:applicationContext.xml
    classpath:security.xml
    </param-value>
    </context-param>
    <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/log4j.xml</param-value>
    </context-param>

    <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
    <servlet-name>context</servlet-name>
    <servlet-class>org.springframework.web.context.ContextLoaderServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>

    Here are my Spring beans entries
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy" >
    <property name="filterInvocationDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=httpSessionContextIntegrationFilter, authenticationProcessingFilter, securityEnforcementFilter
    </value>
    </property>
    </bean>
    <bean id="authenticationProcessingFilter"
    class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="filterProcessesUrl">
    <value>j_acegi_security_check</value>
    </property>
    <property name="authenticationFailureUrl">
    <value>/login.jsp?failed=true</value>
    </property>
    <property name="defaultTargetUrl">
    <value>/admin/search.display.do</value>
    </property>
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    </bean>
    <bean id="securityEnforcementFilter"
    class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor">
    <ref local="filterInvocationInterceptor"/>
    </property>
    <property name="authenticationEntryPoint">
    <ref local="authenticationProcessingFilterEntryPoint"/>
    </property>
    </bean>
    <bean id="authenticationProcessingFilterEntryPoint"
    class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl">
    <value>/login.jsp</value>
    </property>
    <property name="forceHttps">
    <value>false</value>
    </property>
    </bean>
    <bean id="filterInvocationInterceptor"
    class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager"/>
    </property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=ROLE_ANONYMOUS
    </value>
    </property>
    </bean>
    <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
    <property name="context">
    <value>
    net.sf.acegisecurity.context.security.SecureContextImpl
    </value>
    </property>
    </bean>

    <bean id="authenticationManager"
    class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
    <list>
    <ref bean="jaasAuthenticationProvider"/>
    </list>
    </property>
    </bean>
    <bean id="jaasAuthenticationProvider"
    class="net.sf.acegisecurity.providers.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
    <value>classpath:jaas.login.conf</value>
    </property>
    <property name="loginContextName">
    <value>myLoginContext</value>
    </property>
    <property name="callbackHandlers">
    <list>
    <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
    <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
    </list>
    </property>
    <property name="authorityGranters">
    <list>
    <bean class="gov.vha.edb.ui.util.JaasAuthorityGranter"/>
    </list>
    </property>
    </bean>
    <bean id="httpRequestAccessDecisionManager"
    class="net.sf.acegisecurity.vote.AffirmativeBased" >
    <property name="allowIfAllAbstainDecisions">
    <value>false</value>
    </property>
    <property name="decisionVoters">
    <list>
    <ref bean="roleVoter"/>
    </list>
    </property>
    </bean>
    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

  • #2
    http://forum.springframework.org/viewtopic.php?t=3522

    • #3
      I am experiencing the same problem with an infinite loop, but it only happens when a user changes their password and tries to move on to another page, or the application gets reloaded (development server, obviously).

      Is anonymous access not enough access for a login page?
      http://forum.springframework.org/viewtopic.php?t=4399

      • #4
        I don't think there's anything weird going on. If you change the URL to *.do then the acegi filters will only be applied to these URLs, so the /j_acegi_security_check URL won't be intercepted and processed. Adding the ".do" to the login URL means the AuthenticationProcessingFilter kicks in to process the logon request:

        http://acegisecurity.sourceforge.net...ingFilter.html

        Look at how the filter is set up in the Contacts sample application for an example of how to allow anonymous access to specific URLs but protect everything else.

        Luke.

        • #5
          I followed the Sample Contact Apps to add the anonymous authentication but still have the same problem.
          Here is what I added.

          <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
          <property name="key"><value>foobar</value></property>
          <property name="userAttribute">
          <value>anonymousUser,ROLE_ANONYMOUS</value>
          </property>
          </bean>

          <bean id="anonymousAuthenticationProvider"
          class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
          <property name="key"><value>foobar</value></property>
          </bean>

          Added the anonymousProcessingFilter entry in my filterChainProxy bean.

          <bean id="filterChainProxy"
          class="net.sf.acegisecurity.util.FilterChainProxy" >
          <property name="filterInvocationDefinitionSource">
          <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=httpSessionContextIntegrationFilter, authenticationProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter
          </value>
          </property>
          </bean>

          Added the anonymousAuthenticationProvider entry in the providers list.

          <bean id="authenticationManager"
          class="net.sf.acegisecurity.providers.ProviderManager">
          <property name="providers">
          <list>
          <ref bean="jaasAuthenticationProvider"/>
          <ref local="anonymousAuthenticationProvider"/>
          </list>
          </property>
          </bean>

          <bean id="filterInvocationInterceptor"
          class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
          <property name="authenticationManager">
          <ref bean="authenticationManager"/>
          </property>
          <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager"/>
          </property>
          <property name="objectDefinitionSource">
          <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
          /**=ROLE_USER
          </value>
          </property>
          </bean>

          • #6
            When I use anonymous provider, it never goes to JaasAuthenticationProvider as it always sets the AnonymousAuthenticationToken that does not work with JAAS.

            • #7
              Can you clear up whether you have the same problem? i.e. an infinite loop where you can't access the login page?

              • #8
                I am looking at this thread and another AnonymousAuthenticationProvider/JaasAuthenticationProvider issue to see if there is a problem in the code.

                Right now I'm a little confused though, and maybe Ben and Luke can help me out.

                Wouldn't requiring ROLE_USER on the authenticationFailureUrl (login.jsp in this case) cause the infinite looping?

                • #9
                  Originally posted by RayKrueger
                  I am looking at this thread and another AnonymousAuthenticationProvider/JaasAuthenticationProvider issue to see if there is a problem in the code.

                  Right now I'm a little confused though, and maybe Ben and Luke can help me out.

                  Wouldn't requiring ROLE_USER on the authenticationFailureUrl (login.jsp in this case) cause the infinite looping?
                  Hi Ray,

                  Yes. I think so. That's why I posted the link to the other thread above.
                  I believe it should allow anonymous access too. That's why the /login.jsp* URL has a separate access rule in the filter security interceptor.

                  Luke.

                  • #10
                    Hmm, we need to look at the sample then, it is configured the same way.

                    • #11
                      I got it working with anonymous authentication.
                      I had to do the following to get it working. I also added j_acegi_security in my filter url-pattern.


                      <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
                      <property name="authenticationManager">
                      <ref bean="authenticationManager"/>
                      </property>
                      <property name="accessDecisionManager">
                      <ref local="httpRequestAccessDecisionManager"/>
                      </property>
                      <property name="objectDefinitionSource">
                      <value>
                      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                      PATTERN_TYPE_APACHE_ANT
                      /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
                      /j_acegi_security_check*=ROLE_ANONYMOUS,ROLE_USER
                      /**=ROLE_USER
                      </value>
                      </property>
                      </bean>

                      • #12
                        You don't need to include /j_acegi_security_check as it is handled by the AuthenticationProcessingFilter which is listed before the SecurityEnforcementFilter. The latter applies the filter interceptor.

                        If the authentication succeeds, then the user will be forwarded to the original target URL. If it fails, they will be redirected to the failure page. So the enforcement filter should never see the /j_acegi_security_check URL.

                        The contacts app seems fine (I just ran it to check).

                        Luke.

                        • #13
                          If I remove that entry, submitting the login page (action j_acegi_security_check) causes an error, as there is no filter matching a pattern or file with this name.
                          Maybe it was caused by other problems I had before. I will try it one more time today and see what happens.

                          • #14
                            Your original configuration is missing the leading slash from "/j_acegi_security_check". This will probably prevent the authentication processing filter from being applied when the login form is submitted and will lead to the behaviour you describe. Can you try putting that in and see if it works?

                            Luke.

                            • #15
                              Tried again, but I get a 404 if I do not define j_acegi_security_check in the url-pattern of the filter.

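The behaviour argued over in posts #8/#9 (login.jsp itself requiring a role nobody has), #12 (the processing filter sits before the enforcement filter), #14 (the missing leading slash on filterProcessesUrl) and #15 (the 404), reproduced with an added Python model. This is editorial example code, not Acegi's implementation and not something any poster in the thread supplied. The model's assumptions: the authentication processing filter acts only when the request path equals contextPath + filterProcessesUrl, the web application is deployed under the context path /app, the only resources the container knows are /login.jsp and /admin/search.display.do, and a constructed user/secret credential pair stands in for the JAAS login module.

```python
"""Model of the Acegi filter chain discussed in this thread.

Added example, not Acegi's code. It mimics the filter order
httpSessionContextIntegrationFilter, authenticationProcessingFilter,
anonymousProcessingFilter, securityEnforcementFilter and applies the
thread's URL rules, so the redirect loop, the missing-slash bounce and
the 404 can be reproduced offline.
"""
import re
from dataclasses import dataclass

MAX_HOPS = 5                     # enough redirects to recognise a loop
CONTEXT_PATH = "/app"            # assumed context path; makes the leading slash matter
KNOWN_RESOURCES = {"/login.jsp", "/admin/search.display.do"}  # assumed deployed pages
VALID_CREDENTIALS = ("user", "secret")   # constructed; stands in for the JAAS login module


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern: '**' crosses '/', '*' stays inside one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def required_roles(rules, servlet_path):
    """First matching rule wins, as in the objectDefinitionSource; None means unsecured."""
    for pattern, roles in rules:           # CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        if ant_to_regex(pattern).match(servlet_path.lower()):
            return set(roles)
    return None


@dataclass
class Config:
    filter_processes_url: str            # AuthenticationProcessingFilter.filterProcessesUrl
    rules: list                          # FilterSecurityInterceptor.objectDefinitionSource
    anonymous_filter: bool               # is anonymousProcessingFilter in the chain?
    login_form_url: str = "/login.jsp"
    failure_url: str = "/login.jsp?failed=true"
    default_target_url: str = "/admin/search.display.do"


@dataclass
class Session:
    roles: frozenset = frozenset()       # what httpSessionContextIntegrationFilter restores
    target: str = None                   # URL remembered by the entry point


def handle(cfg, session, path, credentials=None):
    """One pass of a request through the chain. Returns (status, location)."""
    servlet_path = path[len(CONTEXT_PATH):]
    roles = session.roles                                # httpSessionContextIntegrationFilter
    # authenticationProcessingFilter; model assumption: exact match on contextPath + filterProcessesUrl
    if path == CONTEXT_PATH + cfg.filter_processes_url:
        if credentials == VALID_CREDENTIALS:
            session.roles = frozenset({"ROLE_USER"})
            return "redirect", CONTEXT_PATH + (session.target or cfg.default_target_url)
        return "redirect", CONTEXT_PATH + cfg.failure_url
    if not roles and cfg.anonymous_filter:               # anonymousProcessingFilter
        roles = frozenset({"ROLE_ANONYMOUS"})
    needed = required_roles(cfg.rules, servlet_path)     # securityEnforcementFilter
    if needed is not None and not (roles & needed):
        if roles and "ROLE_ANONYMOUS" not in roles:
            return "403", path                           # authenticated but not allowed
        session.target = servlet_path                    # entry point: remember, send to login
        return "redirect", CONTEXT_PATH + cfg.login_form_url
    return ("ok" if servlet_path in KNOWN_RESOURCES else "404"), path   # the container


def follow(cfg, session, path, credentials=None):
    """Chase redirects like a browser; the last hop is 'loop' if it never settles."""
    hops = []
    for _ in range(MAX_HOPS):
        status, location = handle(cfg, session, path, credentials)
        hops.append((status, location))
        if status != "redirect":
            return hops
        path, credentials = location, None
    hops.append(("loop", path))
    return hops


def login_flow(cfg):
    """Unauthenticated visit to a protected page, then a submission of the login form."""
    session = Session()
    hops = follow(cfg, session, CONTEXT_PATH + "/admin/search.display.do")
    if hops[-1][0] != "ok":
        return hops                                      # never reached the login page
    return hops + follow(cfg, session, CONTEXT_PATH + "/j_acegi_security_check", VALID_CREDENTIALS)


LOGIN_RULE = ("/login.jsp*", ["ROLE_ANONYMOUS", "ROLE_USER"])
ORIGINAL = Config("j_acegi_security_check", [("/**", ["ROLE_ANONYMOUS"])], anonymous_filter=False)
FIXED = Config("/j_acegi_security_check", [LOGIN_RULE, ("/**", ["ROLE_USER"])], anonymous_filter=True)
NO_SLASH = Config("j_acegi_security_check", FIXED.rules, anonymous_filter=True)
NO_SLASH_EXTRA_RULE = Config(
    "j_acegi_security_check",
    [LOGIN_RULE, ("/j_acegi_security_check*", ["ROLE_ANONYMOUS", "ROLE_USER"]), ("/**", ["ROLE_USER"])],
    anonymous_filter=True)

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("fixed", FIXED),
                      ("no slash", NO_SLASH), ("no slash + extra rule", NO_SLASH_EXTRA_RULE)]:
        print(f"{name}: {login_flow(cfg)}")
```

In this model the first configuration loops because every URL, the login page included, demands a role that an unauthenticated request never carries, so the entry point keeps sending the browser back to /login.jsp. With the /login.jsp* rule and the anonymous filter in place, the login page renders, but a filterProcessesUrl without its leading slash is never matched by the processing filter, so the form submission is treated as an ordinary anonymous request and bounced to the login page again; adding a permissive rule for /j_acegi_security_check* only lets that unmatched request through to the container, which has nothing at that path and answers 404. Restoring the slash lets the processing filter consume the submission before the enforcement filter ever sees it.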