
  • ROLE Question

    I have integrated Acegi into my application and am now trying to assign roles. I want two roles: 1) Regular User 2) View only user. I was planning on using the ROLE_SUPERVISOR and ROLE_USER (for view). If I use one role everything works fine. When I add the other role I start getting access denied errors. I am using the net.sf.acegisecurity.vote.RoleVoter.

    Code:
    /*.htm*=ROLE_USER,ROLE_SUPERVISOR
    For now I am using in memory while I develop

    Code:
    <value>
      User=pass,ROLE_USER,ROLE_SUPERVISOR
      User2=pass2,ROLE_USER
    </value>
    Code:
    HTTP Status 403 - Access is denied.
    
    --------------------------------------------------------------------------------
    
    type Status report
    
    message Access is denied.
    
    description Access to the specified resource (Access is denied.) has been forbidden.
    
    
    --------------------------------------------------------------------------------
    
    Apache Tomcat/5.0.18
    User gets in fine. User2 does not get in (error above). I read and re-read the info in the reference document and it seems that this setup should work fine.

    Help please.....

    Thanks

  • #2
    I don't know but shouldn't that be:
    Code:
    /*.htm**=ROLE_USER,ROLE_SUPERVISOR
    and not
    Code:
    /*.htm*=ROLE_USER,ROLE_SUPERVISOR
    ?



    • #3
      Can you post all of your config about FilterSecurityInterceptor?



      • #4
        Which AccessDecisionManager are you using?



        • #5
          Here is my application context and web.xml.

          accessDecisionManager = net.sf.acegisecurity.vote.UnanimousBased

          applicationContext.xml

          Code:
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://webster/dtd/spring-beans.dtd">
          
          <beans>
              		
          	<!--  Security Section  -->
          	
          	<bean id="memoryAuthenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
          		<property name="userMap">
          			<value>
          				rfulcher=rfulcher,ROLE_USER,ROLE_SUPERVISOR
          				rfulcher2=rfulcher2,ROLE_USER
          			</value>
          		</property>
          	</bean>
          	
          	<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
          		<property name="authenticationDao">
                  	<ref local="memoryAuthenticationDao"/>
               	</property>
          	</bean>
          	
          	<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
              	<property name="providers">
                  	<list>
                      	<ref bean="daoAuthenticationProvider"/>
                  	</list>
              	</property>
          	</bean>
              
            <!--  Filter Wiring  -->
            	<!-- HttpSessionContextIntegrationFilter -->
            	<bean id="httpSessionIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
          		<property name="context">
          			<value>net.sf.acegisecurity.context.security.SecureContextImpl</value>
          		</property>
          	</bean>
          	
          	<!-- ********* AuthenticationProcessingFilter ********* -->
              <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
          	    <property name="authenticationManager">
          	        <ref bean="authenticationManager"/>
          	    </property>
          	    <property name="authenticationFailureUrl">
          	        <value>/index.jsp?error=1</value>
          	    </property>
          	    <property  name="defaultTargetUrl">
          	        <value>/main.htm</value>
          	    </property>
          	    <property name="filterProcessesUrl">
          	        <value>/j_acegi_security_check</value>
          	    </property>
          	</bean>
          	
          	<!-- ******************************************************************************************************** -->
          	
          	<!-- ********* Security Enforcement area ********* -->
          	<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
          	    <property name="filterSecurityInterceptor">
          	        <ref bean="filterInvocationInterceptor"/>
          	    </property>
          	    <property name="authenticationEntryPoint">
          	        <ref bean="authenticationEntryPoint"/>
          	    </property>
          	</bean>
          	
          	<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          	    <property name="loginFormUrl">
          	        <value>/index.jsp</value>
          	    </property>
          	    <property name="forceHttps">
          	    	<value>false</value>
          	    </property>
          	</bean>
          	
          	<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
          	    <property name="authenticationManager">
          	        <ref bean="authenticationManager"/></property>
          	    <property name="accessDecisionManager">
          	        <ref bean="accessDecisionManager"/></property>
          	    <property name="objectDefinitionSource">
          	        <value>
          	            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          	            PATTERN_TYPE_APACHE_ANT
          	            /*.htm*=ROLE_USER,ROLE_SUPERVISOR
          	        </value>
          	    </property>
          	</bean>
          	
          	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
          
          	<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
          	    <property name="allowIfAllAbstainDecisions">
          	        <value>false</value>
          	    </property>
          	    <property name="decisionVoters">
          	        <list>
          	           <ref local="roleVoter"/>
          	        </list>
          	    </property>
          	</bean>
          	<!-- ******************************************************************************************************** -->
          	
              
          </beans>

          web.xml

          Code:
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://webster/dtd/web-app_2_3.dtd'>
          
          <web-app>
            <servlet>
              <servlet-name>bpt</servlet-name>
              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
              <load-on-startup>1</load-on-startup>
            </servlet>
            
            
          <!-- *********  These are the filters for authentication and security ********* -->
            <listener>
              <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
            </listener> 
             
            <filter>
              <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
              <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
              <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
              </init-param>
            </filter>
              
            <filter>
              <filter-name>Acegi-Authentication</filter-name>
              <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
              <init-param>
                  <param-name>targetClass</param-name>
                  <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
              </init-param>
            </filter>
            
            <!-- this filter is added for security enforcement (locking down resources) -->
            <filter>
              <filter-name>Acegi HTTP Request Security Filter</filter-name>
              <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
              <init-param>
                  <param-name>targetClass</param-name>
                  <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
              </init-param>
            </filter>
          
            <filter-mapping>
              <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
              <url-pattern>/*</url-pattern>
            </filter-mapping>
              
            <filter-mapping>
              <filter-name>Acegi-Authentication</filter-name>
              <url-pattern>/*</url-pattern>
            </filter-mapping>
            
            <!--  Corresponding filter mapping for security enforcement -->
            <filter-mapping>
              <filter-name>Acegi HTTP Request Security Filter</filter-name>
              <url-pattern>/*</url-pattern>
            </filter-mapping>	
          <!-- ************************************************************************************** -->
            
          
            <servlet-mapping>
              <servlet-name>bpt</servlet-name>
              <url-pattern>*.htm</url-pattern>
            </servlet-mapping>
            
            <welcome-file-list>
              <welcome-file>
                index.jsp
              </welcome-file>
            </welcome-file-list>
              
            <resource-ref>
              <res-ref-name>jdbc/bpt</res-ref-name>
              <res-type>javax.sql.DataSource</res-type>
              <res-auth>Container</res-auth>
            </resource-ref>
            
            <taglib>
            	<taglib-uri>/spring</taglib-uri>
            	<taglib-location>/WEB-INF/spring.tld</taglib-location>
            </taglib>
              
          </web-app>
          Thanks for any help. I really like Acegi and want to use it on a lot of projects.

          Thanks



          • #6
            Ben,

            Thanks for asking that question. I took a look and re-read the section in the reference document and changed the accessDecisionManager to net.sf.acegisecurity.vote.AffirmativeBased. I have to admit that I thought that I understood it but I really didn't. My only question now is are the classes that are listed under net.sf.acegisecurity.vote interchangeable with the accessDecisionManager and the roleVoter?

            Thanks so much for your help. I really appreciate it and really appreciate the great code that you have created.



            • #7
              You can use any AccessDecisionManager implementation with any AccessDecisionVoter implementation.

              So, put differently, UnanimousBased, AffirmativeBased and ConsensusBased can each be used without an issue with RoleVoter and BasicAclEntryVoter.

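Added example, not part of the thread and not Acegi's own code: a simplified Java model of why rfulcher2 received the 403 under UnanimousBased and why the switch to AffirmativeBased in #6 resolved it. It assumes UnanimousBased polls RoleVoter once per configuration attribute; the class and method names (VoteModel, roleVote, unanimous, affirmative) are hypothetical.

```java
import java.util.*;

// Simplified model of the voting semantics discussed in this thread.
// These are NOT Acegi's classes; names and polling order are assumptions.
public class VoteModel {
    static final int GRANT = 1, ABSTAIN = 0, DENY = -1;

    // RoleVoter: grants if the user holds ANY ROLE_ attribute it is shown,
    // denies if it saw ROLE_ attributes but none matched, otherwise abstains.
    static int roleVote(Set<String> authorities, List<String> config) {
        int result = ABSTAIN;
        for (String attr : config) {
            if (!attr.startsWith("ROLE_")) continue;
            result = DENY;
            if (authorities.contains(attr)) return GRANT;
        }
        return result;
    }

    // AffirmativeBased with a single voter: one grant over the whole
    // attribute list is enough.
    static boolean affirmative(Set<String> auths, List<String> config) {
        return roleVote(auths, config) == GRANT;
    }

    // UnanimousBased (assumed): the voter is polled once per attribute,
    // and a single deny is final.
    static boolean unanimous(Set<String> auths, List<String> config) {
        int grants = 0;
        for (String attr : config) {
            int v = roleVote(auths, Collections.singletonList(attr));
            if (v == DENY) return false;
            if (v == GRANT) grants++;
        }
        return grants > 0; // mirrors allowIfAllAbstainDecisions=false
    }

    public static void main(String[] args) {
        // Attributes from the thread's rule: /*.htm*=ROLE_USER,ROLE_SUPERVISOR
        List<String> config = Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR");
        Map<String, Set<String>> users = new LinkedHashMap<>();
        users.put("rfulcher", new HashSet<>(Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR")));
        users.put("rfulcher2", new HashSet<>(Collections.singletonList("ROLE_USER")));
        for (Map.Entry<String, Set<String>> u : users.entrySet()) {
            System.out.printf("%-10s UnanimousBased=%-5b AffirmativeBased=%b%n",
                u.getKey(), unanimous(u.getValue(), config), affirmative(u.getValue(), config));
        }
    }
}
```

Under AffirmativeBased a comma-separated role list reads as "any of these roles", so a URL pattern meant for supervisors only should list ROLE_SUPERVISOR alone rather than both roles.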