
  • Struts and roles

    As I didn't manage to go through the default filter and pass through the login action (if you know how to do it please post) I've implemented my own, ActionMessages are residues of the old LoginAction, I don't know how to save them yet in the filter but that'll come later. Does it seem ok?
    I manage to authenticate and the request has the roles attached to it. I tried to apply roles to my struts mapping but even with the correct role I'm getting HTTP Status 403 - User is not authorized to access action /InsertSociety.
    Am I doing something wrong? How do I send the user to a login page instead of 403 message?


    Code:
    /**
     * 
     */
    package it.linksystem.csai.web.util;
    
    import java.util.Iterator;
    
    import it.linksystem.csai.client.delegate.UserBusinessDelegate;
    import it.linksystem.csai.common.Error;
    import it.linksystem.csai.common.Warning;
    import it.linksystem.csai.common.dto.UserDTO;
    
    import javax.servlet.http.HttpServletRequest;
    
    import org.apache.struts.action.ActionMessage;
    import org.apache.struts.action.ActionMessages;
    
    import net.sf.acegisecurity.Authentication;
    import net.sf.acegisecurity.AuthenticationException;
    import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
    import net.sf.acegisecurity.ui.AbstractProcessingFilter;
    
    /**
     * @author Srepfler Srgjan
     *
     */
    public class LoginProcessingFilter extends AbstractProcessingFilter {
    
    	/* (non-Javadoc)
    	 * @see net.sf.acegisecurity.ui.AbstractProcessingFilter#getDefaultFilterProcessesUrl()
    	 */
    	public String getDefaultFilterProcessesUrl() {
    		return "/LoginSubmit.do";
    	}
    
    	/* (non-Javadoc)
    	 * @see net.sf.acegisecurity.ui.AbstractProcessingFilter#attemptAuthentication(javax.servlet.http.HttpServletRequest)
    	 */
    	public Authentication attemptAuthentication(HttpServletRequest request)
    			throws AuthenticationException {
    		ActionMessages errors = new ActionMessages();
    		ActionMessages warnings = new ActionMessages();
    		
    		UserBusinessDelegate ubd = new UserBusinessDelegate();
    		String username = request.getParameter("j_username");
    		String password = request.getParameter("j_password");
    		if(username == null){
    			username ="";
    		}
    		if(password == null){
    			password="";
    		}
    		UserDTO userDTO = new UserDTO();
    		userDTO.setUsername(username);
    		userDTO.setPassword(password);
    		UserDTO resultDTO = ubd.login(userDTO.getUsername(),userDTO.getPassword());
    		
    		if(resultDTO.isError()){
    			for (Iterator theiterator = resultDTO.errorsIterator(); theiterator.hasNext();) {
    				Error theerror = (Error) theiterator.next();
    				errors.add(theerror.getCode(),new ActionMessage(theerror.getCode()));
    			}
    		} else {
    			if(resultDTO.isWarning()){
    				for (Iterator theiterator = resultDTO.warningsIterator(); theiterator.hasNext();) {
    					Warning thewarning = (Warning) theiterator.next();
    					warnings.add(thewarning.getCode(),new ActionMessage(thewarning.getCode()));
    				}
    			}
    			request.getSession().setAttribute(Constants.USER_KEY,resultDTO);
    			logger.info("Login dell utente: "+resultDTO.getUsername());
    		}
    		
    		UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,password);
    		authRequest.setDetails(request.getRemoteAddr());
    		return this.getAuthenticationManager().authenticate(authRequest);
    	}
    
    }
    struts-config.xml
    Code:
    <action forward="/pages/insertsociety.jsp" path="/InsertSociety" roles="ROLE_S"/>

  • #2
    Here's how I do something similar with struts:

    import java.io.IOException;
    import java.util.Enumeration;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    import net.sf.acegisecurity.Authentication;
    import net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter;

    /**
    * @author Robert
    *
    * A class which customizes the way ACEGI gets the username and password, and
    * allows for further processing such as commons validator.
    *
    */
    public class SWAAuthenticationProcessingFilter extends
    AuthenticationProcessingFilter {

    /** commons logging declaration. **/
    private static Log logger = LogFactory.getLog(
    SWAAuthenticationProcessingFilter.class);

    /** Form login key. **/
    public static final String LOGIN_KEY = "login";
    /** Form password key. **/
    public static final String PASSWORD_KEY = "password";

    /**
    * Perform logging, and validation tasks if necessary, before
    * username/password is processed.
    * @param request HttpServletRequest
    * @param response HttpServletResponse
    */
    protected void onPreAuthentication(HttpServletRequest request,
    HttpServletResponse response) {

    // put commons validator here if desired

    if (logger.isDebugEnabled()) {
    for (Enumeration en = request.getParameterNames();
    en.hasMoreElements();) {

    Object obj = en.nextElement();
    String value = request.getParameterValues((String) obj) [0];
    if (logger.isDebugEnabled()) {
    logger.debug("Retrieved Object: " + obj.toString()
    + " , Value : " + value);
    }
    }
    }
    }

    /**
    * Perform logging, and validation tasks if necessary, after
    * username/password is processed.
    * @param request HttpServletRequest
    * @param response HttpServletResponse
    * @param authResult Acegi security state of user
    * @throws IOException IOException
    */
    protected void onSuccessfulAuthentication(
    javax.servlet.http.HttpServletRequest request,
    javax.servlet.http.HttpServletResponse response,
    Authentication authResult) throws IOException {

    if (logger.isDebugEnabled()) {
    logger.debug("isAuthenticated: " + authResult.isAuthenticated());
    }
    }

    /**
    * Customize the way acegi retrieves password.
    * @param request HttpServletRequest
    * @return String password from request.
    */
    protected String obtainPassword(HttpServletRequest request) {

    String password = request.getParameter(PASSWORD_KEY);

    if (password == null) {
    throw new IllegalStateException("obtainPassword() cannot find "
    + PASSWORD_KEY);
    }

    return password;
    }

    /**
    * Customize the way acegi retrieves login.
    * @param request HttpServletRequest
    * @return String username from request.
    */
    protected String obtainUsername(HttpServletRequest request) {

    String login = request.getParameter(LOGIN_KEY);

    if (login == null) {
    throw new IllegalStateException("obtainUsername() cannot find "
    + LOGIN_KEY);
    }

    return login;
    }
    }

    That should get you to the point of your DAO, and on onSuccessfulAuthentication you should see your login state.

    Since you seem to authenticate, put not authorize, try posting your acegi config file. Furthermore, I'm not sure why you are trying to put roles in your struts config - why not just use filterInvocationInterceptor?

    HTH,
    iksrazal

    Comment


    • #3
      I decided to use the interceptor yesterday, will be implementing it today.
      Thx for the tips.
      What do you mean by put not authorize?
      In struts config you can do something like:

      Code:
      <action roles="ROLE_X" forward="/pages/inserttechnician.jsp" path="/InsertTechnician"/>
      can you edit your post and add the code tags?

      Comment


      • #4
        Hi,

        I meant 'but' not 'put'.

        Here's the config I use. Note that I didn't find the need to edit struts-config.xml. Here's my config - perhaps it will help. Also note that my filterChainProxy is untraditional - I advise filtering everything in your case.

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
        
        <beans>
        
           <!-- ======================== FILTER CHAIN ======================= -->
        
           <!--  if you wish to use channel security, add "channelProcessingFilter," in front
                 of "httpSessionContextIntegrationFilter" in the list below -->
           <!-- Only filter URL's with *login* Struts actions: 
           httpSessionContextIntegrationFilter allows authentication/authorization info stored in HttpSession
           authenticationProcessingFilter forces authentication against db
           -->
           <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
              <property name="filterInvocationDefinitionSource">
                 <value>
                  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    \A/.*login.*do.*\Z=httpSessionContextIntegrationFilter,authenticationProcessingFilter,contextHolderAwareRequestFilter
                 </value>
              </property>
            </bean>
        
            <!-- ======================== AUTHENTICATION ======================= -->
        
            <!-- Authenticate via SWA DAO -->
            <bean id="passwordAuthenticationDao" 
              class="com.siemens.swa.dao.AcegiDAOImpl">
        	<property name="sessionFactory"><ref bean="mySessionFactory"/></property>
            </bean>
        
            <!-- Simple Username/Password authentication -->
            <bean id="authenticationProvider" 
              class="net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider">
              <property name="passwordAuthenticationDao">
                <ref local="passwordAuthenticationDao"/>
              </property>
            </bean>
        
            <!-- Control access/authorization via Acegi class, stored in HTTP Session
            -->
            <bean id="authenticationManager"
              class="net.sf.acegisecurity.providers.ProviderManager">
              <property name="providers">
                <list>
                  <ref local="authenticationProvider"/>
                </list>
              </property>
            </bean> 
        
            <!-- use custom class overriding net.sf.acegisecurity.providers.ProviderManager
               Control access/authorization via Acegi class, stored in HTTP Session 
            <bean id="authenticationManager" 
              class="com.siemens.swa.session.SessionAwareProviderManager">
              <property name="providers">
                <list>
                  <ref local="authenticationProvider"/>
                </list>
              </property>
            </bean> 
            -->
        
             <!-- ===================== AUTHORIZATION ==================== -->
             <!-- An access decision voter that reads ROLE_* configuration settings -->
             <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
        
             <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
               <property name="decisionVoters">
               <list>
                 <ref bean="roleVoter" />
               </list>
               </property>
             </bean>
        
             <!-- Control authorization via Roles on listed methods -->
             <bean id="userServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
               <property name="authenticationManager"><ref bean="authenticationManager"/></property>
               <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
               <property name="objectDefinitionSource">
                 <value>
                    com.siemens.swa.service.UserService.find*=ROLE_EVERYONE
                    com.siemens.swa.service.UserService.update*=ROLE_EVERYONE
                    com.siemens.swa.service.UserService.create*=ROLE_EVERYONE
                    com.siemens.swa.service.UserService.remove*=ROLE_ADMIN
                    com.siemens.swa.service.UserService.changePassword=ROLE_EVERYONE
                 </value>
               </property>
             </bean>
        
             <!-- ===================== HTTP REQUEST SECURITY ==================== -->
          
             <!-- Allow SWA application to access Roles and other info via HttpServletRequest 
                  See MenuTag for an example
              -->
             <bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/> 
        
             <!-- Bean definition forcing login on REGEX filters -->
             <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
             </bean>
        
             <!-- Define login key/value pair capture, pre/post filter tasks, error page, etc -->
             <bean id="authenticationProcessingFilter" class="com.siemens.swa.session.SWAAuthenticationProcessingFilter">
               <property name="authenticationManager"><ref bean="authenticationManager"/></property>
               <property name="authenticationFailureUrl"><value>/loginPage.do?login_error=1</value></property>
               <property name="defaultTargetUrl"><value>/</value></property>
               <property name="filterProcessesUrl"><value>/login.do</value></property>
             </bean>
        
        </beans>
        HTH,
        iksrazal

        Comment


        • #5
          I altered a little bit the final part of my processing filter and added some logging:

          Code:
          UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,password);
          authRequest.setDetails(request.getRemoteAddr());
          Authentication authentication = this.getAuthenticationManager().authenticate(authRequest);
          logger.info("Remote User: "+request.getRemoteUser());
          logger.info("User Principal: "+request.getUserPrincipal());
          logger.info("Is user in ROLE_S: "+request.isUserInRole("ROLE_S"));
          return authentication;
          output:
          15:51:50,484 INFO [AbstractProcessingFilter] Remote User: null
          15:51:50,484 INFO [AbstractProcessingFilter] User Principal: null
          15:51:50,484 INFO [AbstractProcessingFilter] Is user in ROLE_S: false

          Even though the user has the role applied I thought the request object should contain the principal, isUserInRole and other stuff. Am I doing something wrong? Thanks in advance.

          Comment


          • #6
            I don't see where you map your SWAAuthenticationProcessingFilter bean in the xml file?

            Comment


            • #7
              I missed this:
              Code:
              <bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/>
              Are you using an adapter? is the xml file in your WEB-INF/lib or the container conf dir?

              Comment


              • #8
                Also why the 403 error and not the login page?

                Comment


                • #9
                  Could you please clarify the question/problem? The last post correctly identified the missing bean. Is everything working correctly now, or is there a particular issue?

                  Comment


                  • #10
                    A 403 is displayed if the user IS authenticated, but they get an AccessDeniedException.

                    AuthenticationEntryPoint is only launched in the case of a security exception and the user NOT being already authenticated.

                    Comment


                    • #11
                      As my project is in a state of flux of not deploying (even after I added the bean) I'll be trying to figure out this tomorrow (here it's 3AM).
                      I'm posting my acegi security file:

                      Code:
                      <?xml version="1.0" encoding="UTF-8"?>
                      <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
                      
                      <beans>
                        <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
                          <property name="filterInvocationDefinitionSource">
                            <value>
                              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                              PATTERN_TYPE_APACHE_ANT
                              /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter,contextHolderAwareRequestFilter
                            </value>
                          </property>
                        </bean>
                      
                      
                        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
                          <property name="providers">
                            <list>
                              <ref local="daoAuthenticationProvider"/>
                              <ref local="anonymousAuthenticationProvider"/>
                              <ref local="rememberMeAuthenticationProvider"/>
                            </list>
                          </property>
                        </bean>
                      
                      
                        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
                          <property name="authenticationDao">
                            <ref local="jdbcDaoImpl"/>
                          </property>
                      	<property name="forcePrincipalAsString">
                      	<ref local="true"/>
                      	</property>
                        </bean>
                      
                        <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
                          <property name="key">
                            <value>foobar</value>
                          </property>
                          <property name="userAttribute">
                            <value>anonymousUser,ROLE_ANONYMOUS</value>
                          </property>
                        </bean>
                      
                      
                        <bean id="anonymousAuthenticationProvider" class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
                          <property name="key">
                            <value>foobar</value>
                          </property>
                        </bean>
                      
                      
                        <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
                        	<property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
                        </bean>
                      
                      
                        <bean id="rememberMeProcessingFilter" class="net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
                          <property name="rememberMeServices">
                            <ref local="rememberMeServices"/>
                          </property>
                        </bean>
                      
                      
                        <bean id="rememberMeServices" class="net.sf.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
                          <property name="authenticationDao">
                            <ref local="jdbcDaoImpl"/>
                          </property>
                          <property name="key">
                            <value>springRocks</value>
                          </property>
                        </bean>
                      
                      
                        <bean id="rememberMeAuthenticationProvider" class="net.sf.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
                          <property name="key">
                            <value>springRocks</value>
                          </property>
                        </bean>
                      
                      
                        <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
                          <property name="filterSecurityInterceptor">
                            <ref local="filterInvocationInterceptor"/>
                          </property>
                          <property name="authenticationEntryPoint">
                            <ref local="authenticationProcessingFilterEntryPoint"/>
                          </property>
                        </bean>
                      
                      
                        <!--  <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
                          <property name="authenticationManager">
                            <ref bean="authenticationManager"/>
                          </property>
                          <property name="authenticationFailureUrl">
                            <value>/Login.do</value>
                          </property>
                          <property name="defaultTargetUrl">
                            <value>/Welcome.do</value>
                          </property>
                          <property name="filterProcessesUrl">
                            <value>/LoginSubmit.do</value>
                          </property>
                          <property name="rememberMeServices">
                            <ref local="rememberMeServices"/>
                          </property>
                        </bean>-->
                        
                        <bean id="authenticationProcessingFilter" class="it.linksystem.csai.web.util.LoginProcessingFilter">
                          <property name="authenticationManager">
                            <ref bean="authenticationManager"/>
                          </property>
                          <property name="authenticationFailureUrl">
                            <value>/Login.do</value>
                          </property>
                          <property name="defaultTargetUrl">
                            <value>/Welcome.do</value>
                          </property>
                          <property name="filterProcessesUrl">
                            <value>/LoginSubmit.do</value>
                          </property>
                          <property name="rememberMeServices">
                            <ref local="rememberMeServices"/>
                          </property>
                        </bean>
                        
                        
                      
                      
                        <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                          <property name="loginFormUrl">
                            <value>/Login.do</value>
                          </property>
                          <property name="forceHttps">
                            <value>true</value>
                          </property>
                        </bean>
                      
                      
                        <bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
                          <property name="allowIfAllAbstainDecisions">
                            <value>false</value>
                          </property>
                          <property name="decisionVoters">
                            <list>
                              <ref bean="roleVoter"/>
                            </list>
                          </property>
                        </bean>
                      
                      
                        <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
                      
                      
                        <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
                          <property name="authenticationManager">
                            <ref bean="authenticationManager"/>
                          </property>
                          <property name="accessDecisionManager">
                            <ref local="httpRequestAccessDecisionManager"/>
                          </property>
                          <property name="objectDefinitionSource">
                            <value>
                              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                              PATTERN_TYPE_APACHE_ANT
                              /pages/admin/**=ROLE_A
                              /pages/operator/**=ROLE_O
                              /InsertElevator.do**=ROLE_S,ROLE_A
                            </value>
                          </property>
                        </bean>
                      
                      	<alias alias="defaultDataSource" name="dataSourcePostgresLocalhostJNDI"/>
                      	
                      	<bean id="dataSourcePostgresLocalhostJNDI" class="org.springframework.jndi.JndiObjectFactoryBean">
                      	    <property name="jndiName">
                      	      <value>java:jdbc/CSAIPOSTGRESLOCALHOSTDS</value>
                      	    </property>
                        	</bean>
                        	
                        	<bean id="jdbcDaoImpl" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
                        	<property name="dataSource"><ref bean="defaultDataSource"/></property>
                        	<property name="usersByUsernameQuery">
                        		<value>SELECT username,password,accountstate FROM Users WHERE username=?</value>
                        	</property>
                        	<property name="authoritiesByUsernameQuery">
                        		<value>SELECT username,role FROM Users WHERE username=?</value>
                        	</property>
                      	</bean>
                      
                      	<bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/>
                      	
                      	<bean id="daoEventsListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/>
                      	<!--<bean id="interceptEventsListener" class="net.sf.acegisecurity.intercept.event.LoggerListener"/>-->
                      
                      	<bean id="authByAdapterProvider" class="net.sf.acegisecurity.adapters.AuthByAdapterProvider">
                        	<property name="key"><value>my_password</value></property>
                      	</bean>
                      
                      </beans>
                      (there are things commented as I'm still experimenting)

                      beanRefFactory.xml:
                      Code:
                      <?xml version="1.0" encoding="UTF-8"?>
                      <!DOCTYPE beans SYSTEM "spring-beans.dtd" >
                      <beans>
                        <bean id="springRealm" singleton="true" lazy-init="true" class="org.springframework.context.support.ClassPathXmlApplicationContext">
                          <constructor-arg>
                            <list>
                              <value>acegisecurity.xml</value>
                            </list>
                          </constructor-arg>
                        </bean>
                      </beans>
                      and the attribute I've added in login-config
                      Code:
                      <application-policy name = "SpringPoweredRealm">
                               <authentication>
                                  <login-module code = "net.sf.acegisecurity.adapters.jboss.JbossSpringLoginModule" flag = "required">
                                     <module-option name = "appContextLocation">acegisecurity.xml</module-option>
                                     <module-option name = "key">my_password</module-option>
                                  </login-module>
                               </authentication>
                            </application-policy>
                      error on deployment:
                      Code:
                      02:49:38,578 ERROR [[/CSAIWeb]] Exception starting filter ContextHolderAware Filter
                      javax.servlet.ServletException: Bean context must contain at least one bean of type net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter
                      web.xml:
                      Code:
                      <filter>
                               <filter-name>ContextHolderAware Filter</filter-name>
                               <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
                               <init-param>
                      			<param-name>targetClass</param-name>
                      			<param-value>net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter</param-value>
                               </init-param>
                          </filter>
                      	<filter-mapping>
                          	<filter-name>ContextHolderAware Filter</filter-name>
                         		<url-pattern>/*</url-pattern>
                      	</filter-mapping>

                      Comment


                      • #12
                        You shouldn't need ContextHolderAwareRequestFilter in web.xml, as you've also got it in your FilterChainProxy (the preferable location).

                        I could not see the required declaration in the application context for that filter, though. You need:

                        Code:
                        <bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/>

                        Comment


                        • #13
                          Aaaah, I think I understand now, your FilterChainProxy has the contextaware thing in it. I only now figured what you mean by Filter as I thought I should have put two filters in web.xml and create a j2ee FilterChain in that way (similar nomenclature, gets very confusing at times).
                          Anyhow as I'd like to finish the work on which I'm working I abandoned the adapter integration. Your tip to underscore the url worked well and having the DTO in session is cool, only problem is to be seen how to report error messages. I have yet to see can I save ActionMessages the way struts does it but in the processing filter.

                          Comment


                          • #14
                            Originally posted by Ben Alex
                            A 403 is displayed if the user IS authenticated, but they get an AccessDeniedException.

                            AuthenticationEntryPoint is only launched in the case of a security exception and the user NOT being already authenticated.
                            Except if the user is anonymous, right?

                            Comment


                            • #15
                              Originally posted by schrepfler
                              Originally posted by Ben Alex
                              A 403 is displayed if the user IS authenticated, but they get an AccessDeniedException.

                              AuthenticationEntryPoint is only launched in the case of a security exception and the user NOT being already authenticated.
                              Except if the user is anonymous, right?
                              An anonymous user will cause an AuthenticationEntryPoint to be launched if an AccessDeniedException is thrown.

                              Comment
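
The decision Ben Alex describes in posts #10 and #15, as a self-contained Java model run over the URL rules from post #11. This is an added example, not code from the thread or from Acegi; `AccessFlowModel`, its reduced Ant matcher and the sample users are hypothetical, and it assumes that CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases only the request URL, so a pattern containing uppercase letters can never match and its URL is treated as public.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Simplified model of the URL authorization flow discussed in this thread; not Acegi code. */
public class AccessFlowModel {

    enum Outcome { ALLOW, LOGIN_PAGE, HTTP_403 }

    /** Stand-in for an Authentication: its granted roles and whether it is the anonymous token. */
    static final class Auth {
        final boolean anonymous;
        final Set<String> roles;

        Auth(boolean anonymous, String... roles) {
            this.anonymous = anonymous;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    private final Map<String, Set<String>> rules = new LinkedHashMap<>(); // first match wins
    private final boolean lowercaseUrl; // models CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON

    AccessFlowModel(boolean lowercaseUrl) {
        this.lowercaseUrl = lowercaseUrl;
    }

    AccessFlowModel secure(String antPattern, String... roles) {
        rules.put(antPattern, new HashSet<>(Arrays.asList(roles)));
        return this;
    }

    /** Reduced Ant-style matcher: "**" crosses '/', "*" does not, "?" is one character. */
    static boolean antMatch(String pattern, String url) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < pattern.length(); i++) {
            char c = pattern.charAt(i);
            if (c == '*' && i + 1 < pattern.length() && pattern.charAt(i + 1) == '*') {
                re.append(".*");
                i++;
            } else if (c == '*') {
                re.append("[^/]*");
            } else if (c == '?') {
                re.append("[^/]");
            } else {
                re.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.matches(re.toString(), url);
    }

    Outcome decide(String url, Auth auth) {
        // Assumption: only the request URL is lowercased; patterns are compared as written.
        String candidate = lowercaseUrl ? url.toLowerCase() : url;
        Set<String> required = null;
        for (Map.Entry<String, Set<String>> rule : rules.entrySet()) {
            if (antMatch(rule.getKey(), candidate)) {
                required = rule.getValue();
                break;
            }
        }
        if (required == null) {
            return Outcome.ALLOW;        // no rule matched: the URL is treated as public
        }
        if (auth == null) {
            return Outcome.LOGIN_PAGE;   // nobody authenticated: entry point is launched
        }
        for (String role : required) {
            if (auth.roles.contains(role)) {
                return Outcome.ALLOW;    // one matching role is enough (affirmative vote)
            }
        }
        // Access denied: anonymous callers are sent to log in, real users get the 403.
        return auth.anonymous ? Outcome.LOGIN_PAGE : Outcome.HTTP_403;
    }

    public static void main(String[] args) {
        // Rules copied from the objectDefinitionSource in post #11.
        AccessFlowModel asPosted = new AccessFlowModel(true)
                .secure("/pages/admin/**", "ROLE_A")
                .secure("/pages/operator/**", "ROLE_O")
                .secure("/InsertElevator.do**", "ROLE_S", "ROLE_A");
        // The last rule again, with the pattern written in lowercase.
        AccessFlowModel lowercased = new AccessFlowModel(true)
                .secure("/insertelevator.do**", "ROLE_S", "ROLE_A");

        // Constructed sample users.
        Auth anonymous = new Auth(true, "ROLE_ANONYMOUS");
        Auth operator = new Auth(false, "ROLE_O");
        Auth admin = new Auth(false, "ROLE_A");

        System.out.println("admin     /pages/admin/list.jsp  " + asPosted.decide("/pages/admin/list.jsp", admin));
        System.out.println("operator  /pages/admin/list.jsp  " + asPosted.decide("/pages/admin/list.jsp", operator));
        System.out.println("anonymous /pages/admin/list.jsp  " + asPosted.decide("/pages/admin/list.jsp", anonymous));
        System.out.println("anonymous /InsertElevator.do (as posted)  " + asPosted.decide("/InsertElevator.do", anonymous));
        System.out.println("anonymous /InsertElevator.do (lowercased) " + lowercased.decide("/InsertElevator.do", anonymous));
    }
}
```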
