  • authentication successful but browser displays login page

    Hi,

    I'm making my first steps to integrate Acegi as a weblogic replacement.

    I use the following definition in web.xml:

    Code:
    <welcome-file-list>
            <welcome-file>secured/redirect.jsp</welcome-file>
        </welcome-file-list>
    
        <filter>
          <filter-name>Acegi-Integration</filter-name>
          <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
             <param-name>targetClass</param-name>
             <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
          </init-param>
       </filter>
    
       <filter>
          <filter-name>Acegi-Authentication</filter-name>
          <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
             <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
          </init-param>
       </filter>
    
       <filter-mapping>
          <filter-name>Acegi-Integration</filter-name>
             <url-pattern>/*</url-pattern>
       </filter-mapping>
    
    
       <filter-mapping>
          <filter-name>Acegi-Authentication</filter-name>
             <url-pattern>/*</url-pattern>
       </filter-mapping>
    and the following beans:

    Code:
    <bean id="httpSessionIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
              <property name="context" value="net.sf.acegisecurity.context.security.SecureContextImpl"/>
        </bean>
    
        <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager">
                <ref bean="authenticationManager"/>
            </property>
            <property name="authenticationFailureUrl">
                <value>/login_error.jsp</value>
            </property>
            <property  name="defaultTargetUrl">
                <value>/</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    
        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref bean="safewordAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
        <bean id="safewordAuthenticationProvider" class="com.itp.gt.security.acegi.providers.SafewordAuthenticationProvider">
    
        </bean>

    the safewordAuthenticationProvider implementation looks like:


    Code:
    public Authentication authenticate(Authentication authentication)throws AuthenticationException
        {
            Authentication auth = null;
    
            String loginName = (String)authentication.getPrincipal();
            String password = (String)authentication.getCredentials();
            
            // declared outside the try block so it is still in scope for the checks below
            User user;
            try{
                user = UserDAO.getUser(loginName);
            }
            catch(Exception e){
                throw new AuthenticationServiceException("Exceprion getting user from database: ", e);
            }
            
            if(user == null){
                throw new BadCredentialsException("User "+loginName+" Not Found!");
            }
            //check password:
            if(user.getPassword().equals(password)){
                try{
                    // load permissions:
                    UserPermissions perms = UserDAO.loadPermissionsForUser(user);
                    auth = new UsernamePasswordAuthenticationToken(user, perms);
                    auth.setAuthenticated(true);
                }
                catch(Exception e){
                    throw new AuthenticationServiceException("Exceprion logging in user: ", e);
                }
            }
            else{
                throw new BadCredentialsException("Password for User "+loginName+" Did Not Match!");
            }
            return auth;
        }
    
        public boolean supports(Class authentication)
        {
            if (authentication.equals(UsernamePasswordAuthenticationToken.class)){return true;}
    
            return false;
        }
    and using debug logging (not in the code above) I see that when the user+password combination is correct login is successful.

    however there is something I'm probably missing here as a successful login results only in a refresh to the login screen

    can anyone point me to what am I doing wrong?

    Thanks

    naor

  • #2
    From the documentation:
    Once the ContextHolder has been updated, the browser will need to be redirected to the target URL. The target URL is usually indicated by the HttpSession attribute specified by AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY. This attribute is automatically set by the SecurityEnforcementFilter when an AuthenticationException occurs, so that after login is completed the user can return to what they were trying to access. If for some reason the HttpSession does not indicate the target URL, the browser will be redirected to the defaultTargetUrl property.
    But perhaps you are using JSF or something different and need to populate the direction you want to on your own?
    Do you use a different view technology than plain JSP?

    Regards Johannes



    • #3
      thanks for your help,

      I do use a homegrown MVC framework but the target URL for a successful login is always /secured/redirect.jsp

      Where should I specify this ACEGI_SECURITY_TARGET_URL_KEY?

      naor



      • #4
        I've fixed the bean definition to be:

        Code:
        <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
                <property name="authenticationManager">
                    <ref bean="authenticationManager"/>
                </property>
                <property name="authenticationFailureUrl">
                    <value>/login_error.jsp</value>
                </property>
                <property  name="defaultTargetUrl">
                    <value>/secured/redirect.jsp</value>
                </property>
                <property name="filterProcessesUrl">
                    <value>/j_acegi_security_check</value>
                </property>
            </bean>
        but I still get the login screen again after logging in

        Any idea?



        • #5
          This is the trail of debug output I currently get:

          Code:
          Token@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
          Oct-09-2005 18:02:45 DEBUG (AbstractProcessingFilter.java:372) - Updated ContextHolder to contain the following Authentication: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
          Oct-09-2005 18:02:45 DEBUG (AbstractProcessingFilter.java:389) - Redirecting to target URL from HTTP Session (or default): /myapp/secured/redirect.jsp
          Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
          Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
          Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:183) - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
          Oct-09-2005 18:02:46 DEBUG (__login.java:154) - Session ID: DJbBm2S918LG7RppyqT1JflrpG1zmGrS7Pfd09t1dcllLLmtCFHQ!792637006!1128880961625
          Oct-09-2005 18:02:46 DEBUG (__login.java:155) - request.getRemoteUser(): null
          Oct-09-2005 18:02:46 DEBUG (__login.java:156) - Security.getCurrentUser(): null
          Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
          Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed

          naor



          • #6
            Hi,
            I am not sure, till yet I am not really an expert regarding acegi but what doesn't seem to be okay is that you don't get any authorities granted.
            As I can see in your log:
            Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
            Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed

            Not granted any authorities'


            How do you retrieve your authorities?

            Regards Johannes



            • #7
              I've modified the code to set a JaasGrantedAuthority:

              Code:
              auth = new UsernamePasswordAuthenticationToken(user, perms, new GrantedAuthority[]{new JaasGrantedAuthority("user_role", user)});
              and now the debug shows:

              Code:
              Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:365) - Authentication success: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role
              Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:372) - Updated ContextHolder to contain the following Authentication: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
              Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:389) - Redirecting to target URL from HTTP Session (or default): /myapp/secured/redirect.jsp
              Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
              Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
              Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:183) - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
              Oct-09-2005 18:18:00 DEBUG (__login.java:154) - Session ID: DJpQhHCBs38h1NjpN2G7Mxr1ps4bhN4lNJ2PXWg7CzNW40LQfvLF!1805436806!1128881872906
              Oct-09-2005 18:18:00 DEBUG (__login.java:155) - request.getRemoteUser(): null
              Oct-09-2005 18:18:00 DEBUG (__login.java:156) - Security.getCurrentUser(): null
              Oct-09-2005 18:18:00 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
              Oct-09-2005 18:18:00 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
              but I still get the login screen and /secured/redirect.jsp is not being called.



              naor



              • #8
                Hm, okay, next idea: you said you are using a homegrown MVC framework, could you tell me how you handle redirects in your framework?
                In JSF for example I had the issue that the redirection didn't work either, because JSF overrides the redirection with its own navigation handler.

                Regards Johannes



                • #9
                  I've looked into that and enabled debug on our MVC control servlet and related code, but I don't see that it is being called at all

                  naor



                  • #10
                    Figured it out.

                    It turned out that I had to comment out my existing weblogic security in config.xml.
                    Once this was done the redirect works fine and I hit the next issue.

                    When done using the weblogic/JAAS provider, the authorization is setting the UserPrincipal in the HTTP request. This is later being used by various pages that call request.getUserPrincipal() to get the user object.
                    However, with the Acegi authorization this call returns null.

                    Can anyone please advise? Am I missing something here?

                    naor



                    • #11
                      Originally posted by naor
                      When done using the weblogic/JAAS provider, the authorization is setting the UserPrincipal in the HTTP request. This is later being used by various pages that call request.getUserPrincipal() to get the user object.
                      However, with the Acegi authorization this call returns null
                      Have you added ContextHolderAwareRequestWrapper into your FilterChainProxy?


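What a request wrapper of the kind asked about in #11 does, as an added example (not code from this thread or from Acegi itself): a filter that wraps each request so that getUserPrincipal(), getRemoteUser() and isUserInRole() answer from Acegi's ContextHolder instead of the container. The class name PrincipalExposingFilter is hypothetical, and the ContextHolder/SecureContext calls assume the net.sf.acegisecurity 0.8.x API that appears in the logs above.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;

// Hypothetical filter (assumption, not an Acegi class).
public class PrincipalExposingFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Everything downstream (JSPs, servlets) sees the wrapped request.
        chain.doFilter(new Wrapper((HttpServletRequest) req), res);
    }

    static class Wrapper extends HttpServletRequestWrapper {
        Wrapper(HttpServletRequest request) { super(request); }

        // Looked up on every call; only an authenticated token is exposed.
        private Authentication currentAuth() {
            Context ctx = ContextHolder.getContext();
            if (!(ctx instanceof SecureContext)) return null;
            Authentication auth = ((SecureContext) ctx).getAuthentication();
            return (auth != null && auth.isAuthenticated()) ? auth : null;
        }

        // Acegi's Authentication is itself a java.security.Principal.
        public Principal getUserPrincipal() { return currentAuth(); }

        public String getRemoteUser() {
            Authentication auth = currentAuth();
            return auth == null ? null : String.valueOf(auth.getPrincipal());
        }

        public boolean isUserInRole(String role) {
            Authentication auth = currentAuth();
            if (auth == null || auth.getAuthorities() == null) return false;
            GrantedAuthority[] granted = auth.getAuthorities();
            for (int i = 0; i < granted.length; i++) {
                if (role.equals(granted[i].getAuthority())) return true;
            }
            return false;
        }
    }
}
```

Map it after HttpSessionContextIntegrationFilter so the ContextHolder is already populated when the wrapper is consulted. getUserPrincipal() here returns the Authentication token, so pages that expect the user object need to take it from the token's getPrincipal().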