  • Switch from 0.8.0 to 0.8.1 and anonymous authentication

    I switched from version 0.8.0 to version 0.8.1. Before the switch, all pages which were defined as visible to "ROLE_ANONYMOUS" were visible before log in. After the switch, these pages are only visible after log in.
    I switched back to 0.8.0 and saw the expected behaviour.

    My applicationContext-security.xml has the following specified pertaining to anonymous users:

    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
        </value>
      </property>
    </bean>

    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref local="daoAuthenticationProvider"/>
          <ref local="anonymousAuthenticationProvider"/>
        </list>
      </property>
    </bean>

    <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <property name="key"><value>foobar</value></property>
      <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
    </bean>

    <bean id="anonymousAuthenticationProvider" class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
      <property name="key"><value>foobar</value></property>
    </bean>

    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /index.jsp=ROLE_ANONYMOUS,ROLE_USER
          /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
          /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
          /dataelementlist.html*=ROLE_ANONYMOUS,ROLE_USER
          ...
          /*.html*=ROLE_USER,Administrator
        </value>
      </property>
    </bean>

    With this configuration, I am able to see pages as an anonymous user with version 0.8.0 just fine, but with 0.8.1, I get the following exception:
    javax.servlet.ServletException
        at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:214)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:153)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:212)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:374)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
        at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:179)
        at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)


    I have reviewed the documentation with version 0.8.1 about anonymous user configuration, but it does not appear to be different than that for 0.8.0. Is there something that I have missed?

  • #2
    Very strange. The SecurityEnforcementFilter:214 is just re-throwing a ServletException, which shouldn't ever be created by Acegi Security code. Could the URI being requested somehow be causing a ServletException independent of Acegi Security code? Maybe try to get more information on the exception, perhaps from your servlet container log or by editing a local copy of SecurityEnforcementFilter to add this to the application log.

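A container-level way to get the extra exception detail asked for in #2 without patching SecurityEnforcementFilter, added here as an example that is not part of the thread or of Acegi Security: a servlet filter that writes the root cause of a ServletException to the container log. The class name RootCauseLoggingFilter is hypothetical, and the filter is assumed to be mapped in web.xml ahead of the Acegi filter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (not Acegi code). Assumed to be mapped in
// web.xml ahead of the Acegi filter so it sees what that chain throws.
public class RootCauseLoggingFilter implements Filter {
    private ServletContext context;

    public void init(FilterConfig config) {
        context = config.getServletContext();
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (ServletException e) {
            // Log the URI only: no query string or headers, which can carry credentials.
            String uri = (req instanceof HttpServletRequest)
                    ? ((HttpServletRequest) req).getRequestURI() : "(non-HTTP request)";
            context.log("ServletException for " + uri, rootCause(e));
            throw e; // container error handling is unchanged
        }
    }

    // ServletException keeps its own rootCause, which is not always
    // reflected in getCause(), so both links are followed.
    static Throwable rootCause(Throwable t) {
        Throwable current = t;
        for (int depth = 0; depth < 20; depth++) { // bound guards against cyclic chains
            Throwable next = (current instanceof ServletException)
                    ? ((ServletException) current).getRootCause() : null;
            if (next == null) next = current.getCause();
            if (next == null || next == current) break;
            current = next;
        }
        return current;
    }
}
```

The stack trace goes to the servlet container log rather than to the response, so the detail is available for diagnosis without being shown to unauthenticated clients.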