
  • [Q] Configuring the AuthenticationProcessingFilter

    I am new to Acegi and am starting to get the grasp, but I am having trouble with configuring the AuthenticationProcessingFilter.

    We are using a third-party product, Clear Trust (similar to SiteMinder), to serve as a traffic cop in front of our application and handle authentication. Our application still needs the logon information and needs to handle some authorizations. Using the Pre-Authentication Scenarios examples, I was able to get the following configuration to work for us:

    Code:
    <beans:beans 	xmlns="http://www.springframework.org/schema/security"
      				xmlns:beans="http://www.springframework.org/schema/beans"
      				xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      				xsi:schemaLocation="http://www.springframework.org/schema/beans 
    									http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                  						http://www.springframework.org/schema/security 
    									http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"> 
    
    	<http entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    		<intercept-url 	pattern="/**/npc/**" 		access="ROLE_SCA_NPC"
    						requires-channel="any"/>
    		<intercept-url 	pattern="/**/catalog/**" 	access="ROLE_SCA_CATALOG"
    						requires-channel="any"/> 
    		<intercept-url 	pattern="/**" 				access="ROLE_SCA" 
    						requires-channel="any"/>
    						
    		<logout 		invalidate-session="true" 
    						logout-url="/logout"
    						logout-success-url="http://www.mycomp.com/loggedout" />
    	</http>
    	
    	<authentication-manager alias="authenticationManager" />
    	
     	<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
                	class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/> 
                
    	<beans:bean id="preAuthenticatedProcessingFilter"
    				class="com.mycomp.sca.security.ScaPreAuthenticatedFilter">
        	<custom-filter position="PRE_AUTH_FILTER" />
        	<beans:property name="principalRequestHeader" 	value="scemsrowid"/>
        	<beans:property name="authenticationManager" 	ref="authenticationManager" />
    
    	</beans:bean>
    	
     	<beans:bean	id="preauthAuthProvider"
          			class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        	<custom-authentication-provider />      
        	<beans:property name="preAuthenticatedUserDetailsService">
    	      	<beans:bean id="userDetailsServiceWrapper" 
    	            		class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
    	        	<beans:property name="userDetailsService" ref="userDetailsService"/>
    	      	</beans:bean>    
        	</beans:property>
    	</beans:bean>
    	
    	<beans:bean	id="userDetailsService" scope="prototype" 
    				class="com.mycomp.sca.security.ScaUserDetailsService">
    		<beans:property name="authorizationService">
    		 	<beans:ref bean="authorizationService"/>	
    		</beans:property>
    	</beans:bean>	
    
    </beans:beans>
    This all works great. Unauthorized users are now sent a 403. However, what I would really like to do is send them to a login URL. This is where I have run into trouble. It looks like I need to configure the AuthenticationProcessingFilter to do this. However, so far my attempts to do so have not worked. In fact, when I add the code below to my configuration, it seems to have no result at all. As if it is being ignored.

    Code:
    	<beans:bean id="authenticationProcessingFilter"
    				class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    		<custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    		
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="authenticationFailureUrl"
    						value="http://www.mycomp.com/login" />
    		<beans:property name="defaultTargetUrl" value="/sca/catalog/ContractSearch.action" />
    		<beans:property name="alwaysUseDefaultTargetUrl" value="true" />
    		<beans:property name="serverSideRedirect" value="false" />
    		<beans:property name="filterProcessesUrl" value="/**" />
    
    	</beans:bean>
    Any help would be GREATLY appreciated!

    Thanks in Advance,
    Ken

  • #2
    Try to use AuthenticationProcessingFilterEntryPoint instead of PreAuthenticatedProcessingFilterEntryPoint.

    Code:
    <http entry-point-ref="authenticationProcessingFilterEntryPoint">
    Code:
        <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl" value="/login.jsp" />
            <property name="forceHttps" value="false" />
        </bean>



    • #3
      [Q] Configuring the AuthenticationProcessingFilter

      Thank you for the quick reply!

      I updated my configuration as suggested. However, the result was the same. Here is my configuration:

      Code:
      	<http entry-point-ref="authenticationProcessingFilterEntryPoint">
      		<intercept-url 	pattern="/**/npc/**" 		access="ROLE_SCA_NPC"
      						requires-channel="any"/>
      		<intercept-url 	pattern="/**/catalog/**" 	access="ROLE_SCA_CATALOG"
      						requires-channel="any"/> 
      		<intercept-url 	pattern="/**/static/**"		filters="none" 
      						requires-channel="any"/>
      		<intercept-url 	pattern="/**" 				access="ROLE_SCA" 
      						requires-channel="any"/>
      									
      		<logout 		invalidate-session="true" 
      						logout-url="/logout"
      						logout-success-url="XX_LOGOFF_URL" />
      	</http>
      	
      	<authentication-manager alias="authenticationManager" />
      	
       	<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
                  	class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint"/> 
                  
      	<beans:bean id="preAuthenticatedProcessingFilter"
      				class="com.mycomp.sca.security.ScaPreAuthenticatedFilter">
          	<custom-filter position="PRE_AUTH_FILTER" />
          	<beans:property name="principalRequestHeader" 	value="scemsrowid"/>
          	<beans:property name="authenticationManager" 	ref="authenticationManager" />
      
          	<beans:property name="devModeDefaultUser" 		value="ajones" />
          	<beans:property name="devModeUserParam" 		value="trader" />
      		
      		<beans:property name="resources">
      			<beans:ref bean="resourceSca"/>
      		</beans:property>
      	</beans:bean>
      	
       	<beans:bean	id="preauthAuthProvider"
            			class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
          	<custom-authentication-provider />      
          	<beans:property name="preAuthenticatedUserDetailsService">
      	      	<beans:bean id="userDetailsServiceWrapper" 
      	            		class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
      	        	<beans:property name="userDetailsService" ref="userDetailsService"/>
      	      	</beans:bean>    
          	</beans:property>
      	</beans:bean>
      	
      	<beans:bean	id="userDetailsService" scope="prototype" 
      				class="com.mycomp.sca.security.ScaUserDetailsService">
      		<beans:property name="authorizationService">
      		 	<beans:ref bean="authorizationService"/>	
      		</beans:property>
      	</beans:bean>	
       
       	<beans:bean id="authenticationProcessingFilterEntryPoint" 
      				class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      		<beans:property name="loginFormUrl" value="/login.jsp" />
              <beans:property name="forceHttps" value="false" />			
      	</beans:bean>
      
      	<beans:bean id="authenticationProcessingFilter"
      				class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
      		<custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
      		
      		<beans:property name="authenticationManager" ref="authenticationManager" />
      		<beans:property name="authenticationFailureUrl"
      						value="XX_LOGIN_URL" />
      		<beans:property name="defaultTargetUrl" value="/sca/catalog/ContractSearch.action" />
      		<beans:property name="alwaysUseDefaultTargetUrl" value="true" />
      		<beans:property name="serverSideRedirect" value="false" />
      		<beans:property name="filterProcessesUrl" value="/**" />
      
      	</beans:bean>
      </beans:beans>



      • #4
        As I understand it, you have an outside authentication mechanism. There is no need to use authenticationProcessingFilter.

        Can you also try to debug ExceptionTranslationFilter line 213? You will see which AuthenticationEntryPoint is used.

        Code:
        authenticationEntryPoint.commence(httpRequest, response, reason);



        • #5
          You are correct, I really do not need (or do not believe that I need) the authenticating ProcessingFilter. It is not real clear to me which filters are running and in which order. Do you have more information on that or know where I can get it? I have to leave for the day soon, but will take a look at debugging as suggested on Monday.

          Thank you!!



          • #6
            Order is described at:
            http://static.springframework.org/sp...custom-filters

            Also in the source: FilterChainOrder.java

            Which filters are used depends on the configuration. The exact list can be viewed in the debugger: FilterChainProxy.doFilter

            For your configuration the chain will probably be:
            Code:
            HttpSessionContextIntegrationFilter, LogoutFilter, AbstractPreAuthenticatedProcessingFilter, AuthenticationProcessingFilter, ExceptionTranslationFilter, FilterSecurityInterceptor

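Added example, not part of the original thread and not any poster's code: a Spring Security 2.0.4 configuration that follows reply #4 (pre-authentication only, no AuthenticationProcessingFilter) and separates the two failure cases that ExceptionTranslationFilter handles differently. The paths /login.jsp and /accessDenied.jsp are placeholders; the com.mycomp classes are the ones from the first post.

```xml
<!-- Added example, not the poster's file. /login.jsp and /accessDenied.jsp are placeholder paths. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

  <!-- entry-point-ref handles requests that carry no Authentication at all.
       access-denied-page handles a pre-authenticated user who lacks the role;
       without it the default AccessDeniedHandler answers 403. -->
  <http entry-point-ref="authenticationProcessingFilterEntryPoint"
        access-denied-page="/accessDenied.jsp">
    <intercept-url pattern="/login.jsp"     filters="none"/>
    <intercept-url pattern="/**/npc/**"     access="ROLE_SCA_NPC"/>
    <intercept-url pattern="/**/catalog/**" access="ROLE_SCA_CATALOG"/>
    <intercept-url pattern="/**"            access="ROLE_SCA"/>
    <logout invalidate-session="true" logout-url="/logout"
            logout-success-url="http://www.mycomp.com/loggedout"/>
  </http>

  <authentication-manager alias="authenticationManager"/>

  <beans:bean id="authenticationProcessingFilterEntryPoint"
      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <beans:property name="loginFormUrl" value="/login.jsp"/>
    <beans:property name="forceHttps" value="false"/>
  </beans:bean>

  <!-- Only the pre-auth filter authenticates; no AuthenticationProcessingFilter bean. -->
  <beans:bean id="preAuthenticatedProcessingFilter"
      class="com.mycomp.sca.security.ScaPreAuthenticatedFilter">
    <custom-filter position="PRE_AUTH_FILTER"/>
    <beans:property name="principalRequestHeader" value="scemsrowid"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>

  <beans:bean id="preauthAuthProvider"
      class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    <custom-authentication-provider/>
    <beans:property name="preAuthenticatedUserDetailsService">
      <beans:bean class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
        <beans:property name="userDetailsService" ref="userDetailsService"/>
      </beans:bean>
    </beans:property>
  </beans:bean>
  <!-- userDetailsService and authorizationService beans as in the first post. -->
</beans:beans>
```

Because the principal comes from the scemsrowid request header, this setup is only sound when the application is reachable solely through Clear Trust and the proxy discards any client-supplied copy of that header.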