  • Help me convert my PreAuth config to 2.0 namespace

    Hello.

    I managed to configure my application to my needs using the preAuth sample. I removed a bunch of beans and consolidated some others but still have a pretty huge config (100+ lines and 17 beans). I've been trying to reconfigure it to use the Spring 2.0 namespace configuration but I can't seem to get it to run. Here is my functioning config:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    	
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    	
    	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    		 <sec:filter-chain-map path-type="ant">
    			<sec:filter-chain pattern="/**"
    				filters="sif,myPreAuthFilter,logoutFilter,anonymousProcessingFilter,etf,fsi" />
    		</sec:filter-chain-map>
    	</bean>
    	
    	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="preAuthenticatedAuthenticationProvider" />
    				<!-- both providers declared in this file must be registered here, or the
    				     manager cannot (re)authenticate the tokens they are responsible for -->
    				<ref local="anonymousAuthenticationProvider" />
    			</list>
    		</property>
    	</bean>
    	
    	<bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</bean>
    	
    	<bean id="preAuthenticatedUserDetailsService" class="com.xxx.security.userdetails.MyUserDetails" />
    	
    	<bean id="myPreAuthFilter"
    		class="org.springframework.security.ui.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	
    	<bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    	
    	<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    		<constructor-arg value="/" />
    		<constructor-arg>
    			<list>
    				<bean
    					class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
    			</list>
    		</constructor-arg>
    	</bean>
    	
    	<bean id="sif"
    		class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
    		
    	<bean id="servletContext"
    		class="org.springframework.web.context.support.ServletContextFactoryBean" />
    	
    	<bean id="etf"
    		class="org.springframework.security.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint" />
    	</bean>
    	
    	<bean id="fsi"
    		class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
    		<property name="objectDefinitionSource">
    			<sec:filter-invocation-definition-source>
    				<sec:intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    				<sec:intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
    				<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    			</sec:filter-invocation-definition-source>
    		</property>
    	</bean>
    	
    	<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    		<property name="allowIfAllAbstainDecisions" value="false" />
    		<property name="decisionVoters">
    			<list>
    				<ref bean="authenticatedVoter" />
    				<ref bean="roleVoter" />
    			</list>
    		</property>
    	</bean>
    	
    	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />
    	<bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter" />
    		
    	<bean id="securityContextHolderAwareRequestFilter"
    		class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
    		<property name="wrapperClass"
    			value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper" />
    	</bean>
    	
    	<bean id="anonymousProcessingFilter"
    		class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key" value="foobar" />
    		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
    	</bean>
    	
    	<bean id="anonymousAuthenticationProvider"
    		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
    		<property name="key" value="foobar" />
    	</bean>
    	
    </beans>
    And here is my attempt at converting it to the namespace. This runs, but I only get authenticated anonymously, never through the J2EE preauth:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    	
    <b:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
    	
    	<http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
    		<intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    		<intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<anonymous />
    		<logout />
    		<concurrent-session-control max-sessions="1"
    			exception-if-maximum-exceeded="true" />
    	</http>
    	
    	<b:bean id="preAuthenticatedUserDetailsService" class="com.XXX.security.userdetails.MyUserDetails" />
    	
    	<b:bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    		
    	<b:bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<custom-authentication-provider />
    		<b:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</b:bean>
    	
    </b:beans>
    Can anyone help me get this working? I'm not really interested in selling a 100+ line, 17 bean configuration as "simple" and something everyone in my organization should do.
    Last edited by jozeph78; Sep 23rd, 2008, 06:25 PM.

  • #2
    Ok I got this working. What I needed to do was add my j2eePreAuthenticatedProcessingFilter with the custom-filter position set to PRE_AUTH_FILTER. Here is my new namespace based security configuration:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <b:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
    	
    	<http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
    		<intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    		<intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<anonymous />
    		<logout />
    		<concurrent-session-control max-sessions="1"
    			exception-if-maximum-exceeded="true" />
    	</http>
    	
    	<b:bean id="myPreAuthFilter"
    		class="org.springframework.security.ui.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    		<custom-filter position="PRE_AUTH_FILTER"/>
    		<b:property name="authenticationManager" ref="authenticationManager" />
    	</b:bean>
    	
    	<b:bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    		
    	<b:bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<custom-authentication-provider />
    		<b:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</b:bean>
    	
    	<b:bean id="preAuthenticatedUserDetailsService" class="com.XXX.security.userdetails.MyUserDetails" />
    	
    	<authentication-manager alias="authenticationManager"/>
    	
    </b:beans>
    I've attached my web.xml as well:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    	version="2.4">
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>classpath*:applicationContext-*.xml
    		</param-value>
    		<!--
    			<param-value>/WEB-INF/classes/applicationContext*.xml</param-value>
    		-->
    	</context-param>
    	<mime-mapping>
    		<extension>htc</extension>
    		<mime-type>text/x-component</mime-type>
    	</mime-mapping>
    	
    	<listener>
          <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
        </listener>
        
    	<listener> 
    		<listener-class> org.springframework.web.context.ContextLoaderListener
    		</listener-class>
    	</listener>
    	
    	<login-config>
    		<auth-method>FORM</auth-method>
    		<realm-name>MyRealm</realm-name>
    		<form-login-config>
    			<form-login-page>/login.htm</form-login-page>
    			<form-error-page>/login.htm?retry=true</form-error-page>
    		</form-login-config>
    	</login-config>
    	
    	<security-role>
    		<role-name>ROLE_CONTAINER_AUTH</role-name>
    	</security-role>
    	
    	<security-constraint>
    		<web-resource-collection>
    			<web-resource-name>All areas</web-resource-name>
    			<url-pattern>*.htm</url-pattern>
    		</web-resource-collection>
    		<auth-constraint>
    			<role-name>ROLE_CONTAINER_AUTH</role-name>
    		</auth-constraint>
    	</security-constraint>
    	
    	<servlet>
    		<servlet-name>realm</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet
    		</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	<servlet-mapping>
    		<servlet-name>realm</servlet-name>
    		<url-pattern>*.htm</url-pattern>
    	</servlet-mapping>
    	
    	<filter>
    		<filter-name>springSecurityFilterChain
    		</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy
    		</filter-class>
    	</filter>
    	
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain
    		</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
    	<welcome-file-list>
    		<welcome-file>index.jsp</welcome-file>
    	</welcome-file-list>
    </web-app>
    Here is the code for MyUserDetails.java if anyone is interested. I didn't want any container roles coming into the ACEGI security. That's just to get past the container so ACEGI can do its thing.

    Code:
    package com.cme.security.userdetails;
    
    import java.util.ArrayList;
    import java.util.List;
    
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.userdetails.User;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.util.Assert;
    
    public class MyUserDetails implements AuthenticationUserDetailsService {
    
    	public final UserDetails loadUserDetails(Authentication token) throws AuthenticationException {
    		// The details object is set by the pre-authentication filter; refuse to proceed without it.
    		Assert.notNull(token.getDetails());
    		return createuserDetails(token);
    	}
    	
    	/**
    	 * Creates the final <tt>UserDetails</tt> object. Can be overridden to customize the contents.
    	 * Container roles are deliberately ignored: every principal the container let through gets
    	 * ROLE_USER and ROLE_CONTAINER_AUTH, and ROLE_ADMIN is decided here from the principal name.
    	 * 
    	 * @param token the authentication request token carrying the container principal
    	 */
    	protected UserDetails createuserDetails(Authentication token) {
    		List<GrantedAuthority> gaList = new ArrayList<GrantedAuthority>();
    		gaList.add(new GrantedAuthorityImpl("ROLE_USER"));
    		gaList.add(new GrantedAuthorityImpl("ROLE_CONTAINER_AUTH"));
    		// Substring test: any principal whose name contains "admin" (case-insensitive) becomes an admin.
    		if (token.getName().toUpperCase().contains("ADMIN")) {
    			gaList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
    		}
    		// The container already authenticated the user, so the password field is only a placeholder.
    		return new User(token.getName(), "N/A", true, true, true, true, gaList.toArray(new GrantedAuthority[0]));
    	}
    }
    If anyone sees a way to improve on this approach I'd be glad to hear it. I'd still like to avoid any security-role or auth-constraints in the web.xml, but ACEGI doesn't redirect to the container login page (at least I don't know how to configure it to do so). I hate having to add the ROLE_CONTAINER_AUTH to the realm authenticator (in this case the jetty hash realm) just to get past the container. It's a silly requirement because my enterprise wants us to use the container's security realm for authorization.

    Thanks!
    Last edited by jozeph78; Sep 23rd, 2008, 06:37 PM.
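    An added example, not part of the thread above and not code shipped with Spring Security, picking up the "improve on this approach" request. The posted MyUserDetails grants ROLE_ADMIN to any container principal whose name merely contains "admin", so a realm user called "notadmin" would become an administrator. The class below does the same job for the `preAuthenticatedUserDetailsService` bean but compares names exactly against an allow-list and rejects an empty principal name. It assumes Spring Security 2.0.x on the classpath (matching the 2.0.2 schema used in the configs); the package name, the allow-list entries and the principal names in `main` are made up for the demonstration, and the token built in `main` stands in for what `J2eePreAuthenticatedProcessingFilter` would produce from `request.getUserPrincipal()`.

```java
package com.example.security.userdetails; // hypothetical package, chosen for this example

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UsernameNotFoundException;

/**
 * Maps a container-authenticated principal to application authorities.
 * Compared with the MyUserDetails posted in the thread:
 *  - ROLE_ADMIN is granted only to names on an explicit allow-list, compared
 *    exactly, never to a name that just happens to contain "admin";
 *  - a principal without a usable name is rejected instead of becoming a user.
 * Container roles are still ignored: the container only proves identity.
 */
public class AllowListUserDetailsService implements AuthenticationUserDetailsService {

    private final Set<String> adminPrincipals;

    public AllowListUserDetailsService(Set<String> adminPrincipals) {
        this.adminPrincipals = Collections.unmodifiableSet(new HashSet<String>(adminPrincipals));
    }

    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
        String name = token.getName();
        if (name == null || name.trim().length() == 0) {
            // The container authenticated someone but handed us no name; do not invent a user.
            throw new UsernameNotFoundException("Pre-authenticated principal has no name");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
        if (adminPrincipals.contains(name)) { // exact, case-sensitive match
            authorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
        }
        // The password is a placeholder: authentication already happened in the container.
        return new User(name, "N/A", true, true, true, true,
                authorities.toArray(new GrantedAuthority[authorities.size()]));
    }

    /** Stand-alone driver; in a deployment the filter and provider do this per request. */
    public static void main(String[] args) {
        // Made-up allow-list for the demonstration.
        AllowListUserDetailsService uds = new AllowListUserDetailsService(
                new HashSet<String>(Arrays.asList("admin", "jozeph78")));
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(uds);

        // Made-up names a container realm might return; "notadmin" and "ADMIN" would both
        // have received ROLE_ADMIN under the substring test in the posted MyUserDetails.
        String[] principals = { "admin", "notadmin", "ADMIN", "guest" };
        for (String p : principals) {
            // J2eePreAuthenticatedProcessingFilter supplies "N/A" as the credentials value.
            Authentication request = new PreAuthenticatedAuthenticationToken(p, "N/A");
            Authentication result = provider.authenticate(request);
            System.out.println(p + " -> " + Arrays.toString(result.getAuthorities()));
        }
    }
}
```

    To use it, point the `preAuthenticatedUserDetailsService` bean in the namespace config at this class instead of `com.XXX.security.userdetails.MyUserDetails` and pass the admin names in via a constructor argument. The allow-list could equally be loaded from a properties file; the point is that the decision is an exact lookup against data the application controls, while the container remains the only place that authenticates.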


    • #3
      URL for pre-auth sample

      Hi, Joe.

      Where did you download the sample application? Could you post the URL?


      Thank you very much.


      David


      • #4
        The sample application is only available through the svn/cvs site for Spring Security.


        • #5
          Originally posted by jozeph78
          The sample application is only available through the svn/cvs site for Spring Security.
          This isn't strictly true. You can also download the pre-built sample war files from the maven central repo:

          http://repo1.maven.org/maven2/org/sp...auth-2.0.4.war

          We'd recommend you use the source though.
