Unable to configure security for path /admin in webapp

  • Unable to configure security for path /admin in webapp

    I am slowly making some headway in configuring Acegi. I am a brand new user so I apologize if any of this seems trivial to the experts on the topic.

    What I am trying to do is secure a web application starting at any point beyond /admin in my webapp. My filter is right below:

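    <!-- FilterToBeanProxy looks up the FilterChainProxy bean (by class, via targetClass)
         in the Spring root context that ContextLoaderListener below creates, and delegates
         every matched request to it. -->
    <filter>
      <filter-name>Acegi-Security</filter-name>
      <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
      <init-param>
        <param-name>targetClass</param-name>
        <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
      </init-param>
    </filter>

    <!-- Only requests under /admin/ pass through the Acegi chain; everything else
         bypasses it entirely. -->
    <filter-mapping>
      <filter-name>Acegi-Security</filter-name>
      <url-pattern>/admin/*</url-pattern>
    </filter-mapping>

    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>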

    My applicationContext-security.xml contains the following:

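    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

    <!--
      applicationContext-security.xml: Acegi Security wiring for the /admin area.
      Request flow: web.xml maps FilterToBeanProxy onto /admin/*, which delegates to
      "filterChainProxy" below; that chain runs the session/context integration filter,
      the form-login processing filter and finally the enforcement filter that consults
      "securityInterceptor".
    -->
    <beans>

      <!-- ========================= Security Configuration ========================= -->
      <!-- The filters run in the listed order for every URL reaching this proxy. -->
      <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
          <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityEnforcementFilter
          </value>
        </property>
      </bean>

      <!-- ======================== AUTHENTICATION ======================= -->

      <!-- Every URL at or below /admin/ requires ROLE_ADMIN.
           NOTE(review): this pattern also covers loginFormUrl, authenticationFailureUrl
           and defaultTargetUrl configured further down (all under /admin/), so an
           unauthenticated request is redirected to a page that is itself secured and
           the redirect repeats (the loop discussed in this thread). The login pages
           need to live outside the secured pattern. -->
      <bean id="securityInterceptor"
            class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
          <ref bean="accessDecisionManager"/>
        </property>
        <property name="objectDefinitionSource">
          <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            PATTERN_TYPE_APACHE_ANT
            /admin/**=ROLE_ADMIN
          </value>
        </property>
      </bean>

      <!-- Single provider: the DAO-backed provider below. -->
      <bean id="authenticationManager"
            class="net.sf.acegisecurity.providers.ProviderManager">
        <property name="providers">
          <list>
            <ref bean="daoAuthenticationProvider"/>
          </list>
        </property>
      </bean>

      <!-- Automatically receives AuthenticationEvent messages from DaoAuthenticationProvider -->
      <bean id="loggerListener"
            class="net.sf.acegisecurity.providers.dao.event.LoggerListener"/>

      <!-- Loads the user through authenticationDao and compares the submitted password
           with the stored digest using passwordEncoder and a per-user salt from saltSource.
           NOTE(review): MD5 is a fast general-purpose digest, not a password-hashing
           scheme; for new deployments prefer a slow, salted key-derivation function. -->
      <bean id="daoAuthenticationProvider"
            class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">

        <!-- userCache is disabled; see the commented-out EhCache definition below. -->
        <!--
        <property name="userCache">
          <ref bean="userCache"/>
        </property>
        -->

        <property name="authenticationDao">
          <ref local="authenticationDao"/>
        </property>

        <property name="passwordEncoder">
          <ref local="passwordEncoder"/>
        </property>
        <property name="saltSource">
          <ref local="saltSource"/>
        </property>
      </bean>

      <!-- JDBC user store; both queries are bound with the username as the single
           parameter, never string-concatenated.
           NOTE(review): the stock JdbcDaoImpl row mapping reads a third "enabled"
           column from usersByUsernameQuery (username, password, enabled); this query
           selects two columns and filters on enabled in the WHERE clause instead.
           Confirm the mapping tolerates that before relying on it. -->
      <bean id="authenticationDao"
            class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
        <property name="dataSource">
          <ref bean="dataSource"/>
        </property>
        <!-- Only rows with enabled = 'YES' are returned. -->
        <property name="usersByUsernameQuery">
          <value>
            SELECT username,
                   password
            FROM app_user
            WHERE username = ?
              and enabled = 'YES'
          </value>
        </property>
        <property name="authoritiesByUsernameQuery">
          <value>
            SELECT username,
                   role
            FROM user_role
            WHERE username = ?
          </value>
        </property>
      </bean>

      <bean id="passwordEncoder"
            class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder"/>

      <!-- The salt is read by reflection from the loaded user object.
           NOTE(review): Acegi's User exposes this property as "username" (lower-case n);
           confirm that "userName" resolves, otherwise salting fails at runtime. -->
      <bean id="saltSource"
            class="net.sf.acegisecurity.providers.dao.salt.ReflectionSaltSource">
        <property name="userPropertyToUse">
          <value>userName</value>
        </property>
      </bean>

      <!-- Votes on configuration attributes that start with ROLE_ (e.g. ROLE_ADMIN above). -->
      <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter">
        <property name="rolePrefix">
          <value>ROLE_</value>
        </property>
      </bean>

      <!-- Grants access if any voter grants; with allowIfAllAbstainDecisions=false a
           request that no voter can decide is denied. -->
      <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions"><value>false</value></property>
        <property name="decisionVoters">
          <list>
            <ref bean="roleVoter"/>
          </list>
        </property>
      </bean>

      <!-- Alternative, currently disabled: require every voter to grant. -->
      <!--
      <bean id="accessDecisionManager"
            class="net.sf.acegisecurity.vote.UnanimousBased">
        <property name="decisionVoters">
          <list>
            <ref bean="roleVoter"/>
          </list>
        </property>
        <property name="allowIfAllAbstainDecisions">
          <value>true</value>
        </property>
      </bean>
      -->

      <!-- Disabled user cache, referenced by the commented-out userCache property above. -->
      <!--
      <bean id="userCache"
            class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
        <property name="minutesToIdle">15</property>
      </bean>
      -->

      <!-- ===================== HTTP REQUEST SECURITY ==================== -->

      <!-- Keeps the SecureContext in the HTTP session between requests. -->
      <bean id="httpSessionContextIntegrationFilter"
            class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
        <property name="context">
          <value>net.sf.acegisecurity.context.security.SecureContextImpl</value>
        </property>
      </bean>

      <!-- Form login: submissions to filterProcessesUrl are authenticated through
           authenticationManager. All three URLs sit under /admin/ and are therefore
           subject to the ROLE_ADMIN rule in securityInterceptor (see the NOTE there). -->
      <bean id="authenticationProcessingFilter"
            class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager">
          <ref local="authenticationManager"/>
        </property>
        <property name="filterProcessesUrl">
          <value>/admin/j_acegi_security_check</value>
        </property>
        <property name="authenticationFailureUrl">
          <value>/admin/loginFail.do</value>
        </property>
        <property name="defaultTargetUrl">
          <value>/admin/loginSuccess.do</value>
        </property>
      </bean>

      <!-- Applies securityInterceptor; when credentials are missing it hands the request
           to authenticationEntryPoint (this is the path visible in the stack trace). -->
      <bean id="securityEnforcementFilter"
            class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
        <property name="filterSecurityInterceptor">
          <ref local="securityInterceptor"/>
        </property>
        <property name="authenticationEntryPoint">
          <ref local="authenticationEntryPoint"/>
        </property>
      </bean>

      <!-- Redirects unauthenticated requests to the login form at /admin/login.do.
           NOTE(review): forceHttps=false means the form and the credential POST use
           whatever scheme the request arrived on; set it to true (or enforce TLS at the
           container) so credentials are not sent in clear. -->
      <bean id="authenticationEntryPoint"
            class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl">
          <value>/admin/login.do</value>
        </property>
        <property name="forceHttps"><value>false</value></property>
      </bean>

    </beans>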

    Notice the part where net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor is defined. The object definition source is set to /admin/**=ROLE_ADMIN. Whenever I start Tomcat (5.0.28) and try to access http://localhost:8080/myWebappName/admin, Acegi just goes into what appears to be an endless loop - see the stack trace below.

    net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: Authentication credentials were not found in the SecureContext
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:364)
    at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
    at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:305)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
    17:29:15,578 DEBUG SecurityEnforcementFilter:249 - Authentication entry point being called; target URL added to Session: http://localhost:8080/projectven/admin/login.do

    It does this forever to the point where I have to stop Tomcat. As I said above, I'd like users to be able to access my webapp at any point before /admin. I want to secure anything that contains /admin. The way I did it in my object definition is as follows:

    <!-- Ant-style pattern (PATTERN_TYPE_APACHE_ANT): every URL at or below /admin/ requires
         ROLE_ADMIN; request URLs are lower-cased before they are compared to the pattern. -->
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /admin/**=ROLE_ADMIN
    </value>
    </property>

    Maybe this is the incorrect way, but if I just use /admin**, whenever I try to access /admin/loginSuccess.do, Acegi lets me access that action.

    I appreciate any help anybody can lend with this issue.

    Thanks in advance.

  • #2
    You have your logon page "secured"... meaning it requires authentication.

    Code:
    <!-- All three URLs below sit under /admin/, which the interceptor secures with ROLE_ADMIN;
         an unauthenticated request to them is redirected back into the secured area, hence the loop. -->
    <bean id="authenticationProcessingFilter" 
    class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> 
    <property name="authenticationManager"> 
    <ref local="authenticationManager"/> 
    </property> 
    <property name="filterProcessesUrl"> 
    <value>/admin/j_acegi_security_check</value> 
    </property> 
    <property name="authenticationFailureUrl"> 
    <value>/admin/loginFail.do</value> 
    </property> 
    <property name="defaultTargetUrl"> 
    <value>/admin/loginSuccess.do</value> 
    </property> 
    </bean>

    /admin/* requires ROLE_ADMIN
    So if you access some resource under it (according to your config), it will redirect to /admin/loginFail.do, which then keeps looping because you haven't logged in yet.

    Can you move your logon page somewhere other than /admin/?



    • #3
      Sure I can try that. But the way I understood this to work is that if you try to access a resource that is secured and you are not authenticated, you should then be redirected to the login form and not the login fail.

      I will try your suggestion anyways.

      Thanks



      • #4
        Yes, if you access a secured resource and you are not yet authenticated you will be redirected to 'authenticationFailureUrl'. However, that URL is generally your main login.jsp page (i.e. the entry point to the system).

        You just need to be cautious about getting into a Catch-22 situation where you access a secured resource while not authenticated, and are redirected to a page that is itself "secured" - hence the infinite loop.

        Trust me, we have all done it at some point in time



        • #5
          Yes, after moving my login outside my secured area, I seem to have finally gotten my login process to work.

          Thanks to everyone who helped me out.

