sometimes FilterSecurityInterceptor lets a user access

    Hi,

    I'm a bit lost here. It's been some months since I have not touched my security settings, now I had to add some acl stuff, and while testing I realized that a ROLE_USER user can sometimes get into a url that requires ROLE_ADMIN, just by clicking on it several times...

    In the first part of the log you can see that he is denied access to /queryadmin.do, but he clicks again, and at some point something I don't understand happens, goes through the action, and then you can see the logs of getting the resources the jsp needs (/inc, /style...), those are ok because he could access those...


    10/11 18:55:53,328 (HttpSessionContextIntegrationFilter.java:271) DEBUG Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0bc85: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9addef: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER'
    10/11 18:55:53,328 (HttpSessionContextIntegrationFilter.java:280) DEBUG ContextHolder set to null as request processing completed
    10/11 18:55:56,437 (PathBasedFilterInvocationDefinitionMap.java:110) DEBUG Converted URL to lowercase, from: '/queryadmin.do?dispatch=viewstatus'; to: '/queryadmin.do?dispatch=viewstatus'
    10/11 18:55:56,437 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/queryadmin.do?dispatch=viewstatus'; pattern is /**; matched=true
    10/11 18:55:56,437 (FilterChainProxy.java:297) DEBUG /queryadmin.do?dispatch=viewStatus at position 1 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@35c41b'
    10/11 18:55:56,437 (HttpSessionContextIntegrationFilter.java:183) DEBUG Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0bc85: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9addef: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER'
    10/11 18:55:56,437 (FilterChainProxy.java:297) DEBUG /queryadmin.do?dispatch=viewStatus at position 2 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@1e61582'
    10/11 18:55:56,453 (FilterChainProxy.java:297) DEBUG /queryadmin.do?dispatch=viewStatus at position 3 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@402e11'
    10/11 18:55:56,453 (PathBasedFilterInvocationDefinitionMap.java:110) DEBUG Converted URL to lowercase, from: '/queryadmin.do?dispatch=viewstatus'; to: '/queryadmin.do?dispatch=viewstatus'
    10/11 18:55:56,453 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/queryadmin.do?dispatch=viewstatus'; pattern is /savedefault.do*; matched=false
    10/11 18:55:56,453 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/queryadmin.do?dispatch=viewstatus'; pattern is /queryadmin.do*; matched=true
    10/11 18:55:56,453 (AbstractSecurityInterceptor.java:348) DEBUG Secure object: FilterInvocation: URL: /queryadmin.do?dispatch=viewStatus; ConfigAttributes: [ROLE_ADMIN]
    10/11 18:55:56,453 (ProviderManager.java:156) DEBUG Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider
    10/11 18:55:56,468 (EhCacheBasedUserCache.java:71) DEBUG Cache hit: true; username: user
    10/11 18:55:56,468 (AbstractSecurityInterceptor.java:386) DEBUG Authenticated: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@1609812: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER
    10/11 18:55:56,484 (SecurityEnforcementFilter.java:207) DEBUG Access is denied (user is not anonymous); sending back forbidden response
    net.sf.acegisecurity.AccessDeniedException: Access is denied.
    at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:394)
    at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
    at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:305)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
    at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
    at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    10/11 18:55:56,484 (HttpSessionContextIntegrationFilter.java:271) DEBUG Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0bc85: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@1609812: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER'
    10/11 18:55:56,484 (HttpSessionContextIntegrationFilter.java:280) DEBUG ContextHolder set to null as request processing completed
    10/11 18:55:57,281 (PathBasedFilterInvocationDefinitionMap.java:110) DEBUG Converted URL to lowercase, from: '/style.css'; to: '/style.css'
    10/11 18:55:57,281 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /**; matched=true
    10/11 18:55:57,281 (FilterChainProxy.java:297) DEBUG /style.css at position 1 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@35c41b'
    10/11 18:55:57,281 (HttpSessionContextIntegrationFilter.java:183) DEBUG Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0bc85: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@1609812: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER'
    10/11 18:55:57,281 (FilterChainProxy.java:297) DEBUG /style.css at position 2 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@1e61582'
    10/11 18:55:57,281 (FilterChainProxy.java:297) DEBUG /style.css at position 3 of 3 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@402e11'
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:110) DEBUG Converted URL to lowercase, from: '/style.css'; to: '/style.css'
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /savedefault.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /queryadmin.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /sysadmin.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /audit.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /alertsmanagement.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /tablemaintenance.do*; matched=false
    10/11 18:55:57,296 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /jsp/main.jsp; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /search.do; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /newqueryscreen.do*; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /queryscreen.do*; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /jsp**; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /inc/**; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /img/**; matched=false
    10/11 18:55:57,312 (PathBasedFilterInvocationDefinitionMap.java:121) DEBUG Candidate is: '/style.css'; pattern is /style.css; matched=true
    10/11 18:55:57,312 (AbstractSecurityInterceptor.java:348) DEBUG Secure object: FilterInvocation: URL: /style.css; ConfigAttributes: [ROLE_RUNNER, ROLE_ADMIN, ROLE_USER]
    10/11 18:55:57,312 (ProviderManager.java:156) DEBUG Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider
    10/11 18:55:57,328 (EhCacheBasedUserCache.java:71) DEBUG Cache hit: true; username: user
    10/11 18:55:57,328 (AbstractSecurityInterceptor.java:386) DEBUG Authenticated: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9fe953: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER
    10/11 18:55:57,328 (AbstractSecurityInterceptor.java:404) DEBUG Authorization successful
    10/11 18:55:57,328 (AbstractSecurityInterceptor.java:417) DEBUG RunAsManager did not change Authentication object
    10/11 18:55:57,328 (FilterChainProxy.java:288) DEBUG /style.css reached end of additional filter chain; proceeding with original chain
    10/11 18:55:57,343 (SecurityEnforcementFilter.java:185) DEBUG Chain processed normally
    10/11 18:55:57,343 (HttpSessionContextIntegrationFilter.java:271) DEBUG Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@1d0bc85: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9fe953: Username: com.galeon.emailargs.common.gendb.mo...software.com]; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@154145: RemoteIpAddress: 127.0.0.1; SessionId: 03338E3A8C2E92D2444FE6CC26FE2E21; Granted Authorities: ROLE_USER'
    10/11 18:55:57,343 (HttpSessionContextIntegrationFilter.java:280) DEBUG ContextHolder set to null as request processing completed



    My xml looks like this:
    <!-- ======================== FILTER CHAIN ======================= -->

    <!-- if you wish to use channel security, add "channelProcessingFilter," in front
    of "httpSessionContextIntegrationFilter" in the list below -->
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy" >
    <property name="filterInvocationDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityEnforcementFilter
    </value>
    </property>
    </bean>

    <!-- ======================== AUTHENTICATION ======================= -->
    <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
    <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>

    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationFailureUrl"><value>/errorlogin.jsp</value></property>
    <property name="defaultTargetUrl"><value>/queryscreen.do?newuser=1</value></property>
    <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    </bean>

    <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl"><value>/login.jsp</value></property>
    <property name="forceHttps"><value>false</value></property>
    </bean>

    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
    <list>
    <ref local="daoAuthenticationProvider"/>
    </list>
    </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao">
    <!-- <ref local="memoryAuthenticationDao"/> -->
    <ref local="jdbcDaoImpl"/>
    </property>
    <property name="userCache"><ref local="userCache"/></property>
    <!-- <property name="passwordEncoder"><ref local="passwordEncoder"/></property> -->
    </bean>

    <!-- only used in initial testing - ->
    <bean id="memoryAuthenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
    <value>
    muguruza=muguruza,ROLE_ADMIN
    runner=runner,ROLE_RUNNER
    user=user,ROLE_USER
    </value>
    </property>
    </bean>
    <!- - -->

    <!-- <bean id="jdbcDaoImpl" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl"> -->
    <bean id="jdbcDaoImpl" class="com.galeon.emailargs.common.gendb.model.CustomJdbcDaoImpl">
    <property name="dataSource"><ref bean="dataSource"/></property>
    <property name="usersByUsernameQuery">
    <value>SELECT username,mpassword,enabled,email FROM users WHERE username = ?</value>
    </property>
    </bean>

    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager">
    <ref local="cacheManager"/>
    </property>
    <property name="cacheName">
    <value>userCache</value>
    </property>
    </bean>

    <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache"><ref local="userCacheBackend"/></property>
    </bean>


    <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
    <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
    </bean>

    <!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->


    <!-- ===================== HTTP REQUEST SECURITY ==================== -->
    <bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased" >
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
    <list>
    <ref bean="roleVoter"/>
    </list>
    </property>
    </bean>

    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

    <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
    The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
    Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
    <!-- ============JM: patterns are in LOWERCASE, beware ======= -->
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /savedefault.do*=ROLE_ADMIN
    /queryadmin.do*=ROLE_ADMIN
    /sysadmin.do*=ROLE_ADMIN
    /audit.do*=ROLE_ADMIN
    /alertsmanagement.do*=ROLE_ADMIN
    /tablemaintenance.do*=ROLE_ADMIN
    /jsp/main.jsp=ROLE_RUNNER,ROLE_ADMIN
    /search.do=ROLE_RUNNER,ROLE_ADMIN
    /newqueryscreen.do*=ROLE_RUNNER,ROLE_ADMIN
    /queryscreen.do*=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
    /jsp**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
    /inc/**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
    /img/**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
    /style.css=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
    </value>
    </property>
    </bean>

    I have another acl xml, but I guess it's not relevant.
    Anyone have any idea?

    Forgot to mention, using 0.8.2.

    thanks in advance,
    javi
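The table in the post can be audited offline for the two things that decide access in this setup: which pattern wins (first match, top-down, against the URL including its query string, lower-cased because of CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, exactly as the "Candidate is:" lines in the log show) and what happens when no pattern matches at all. The Python below is an added example, not code from the post or from Acegi; it replays the posted objectDefinitionSource through a small model of FilterSecurityInterceptor with AffirmativeBased and RoleVoter. It assumes Spring AntPathMatcher segment semantics (only a whole `**` segment crosses `/`) and that a URL with no ConfigAttributes is treated as a public object and let through rather than denied; both assumptions should be confirmed against the release in use. The helper names (ant_to_regex, parse_source, config_attributes, decide), the HARDENED_SOURCE variant with a trailing /** entry, and every probe URL other than the two taken from the log are constructed for the example.

```python
"""Added example (not from the post or Acegi): audit an objectDefinitionSource
offline by modelling FilterSecurityInterceptor's lookup (first matching pattern
wins; candidate keeps its query string, lower-cased when the flag is set)."""
import re

# Rule table copied from the post's filterInvocationInterceptor bean.
OBJECT_DEFINITION_SOURCE = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/savedefault.do*=ROLE_ADMIN
/queryadmin.do*=ROLE_ADMIN
/sysadmin.do*=ROLE_ADMIN
/audit.do*=ROLE_ADMIN
/alertsmanagement.do*=ROLE_ADMIN
/tablemaintenance.do*=ROLE_ADMIN
/jsp/main.jsp=ROLE_RUNNER,ROLE_ADMIN
/search.do=ROLE_RUNNER,ROLE_ADMIN
/newqueryscreen.do*=ROLE_RUNNER,ROLE_ADMIN
/queryscreen.do*=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
/jsp**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
/inc/**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
/img/**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
/style.css=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER
"""

# Hypothetical hardening (not in the post): a last-resort catch-all so that an
# unmapped URL needs a role instead of falling through as public.
HARDENED_SOURCE = OBJECT_DEFINITION_SOURCE + "/**=ROLE_RUNNER,ROLE_ADMIN,ROLE_USER\n"


def ant_to_regex(pattern):
    """Ant pattern -> anchored regex, segment-wise like Spring's AntPathMatcher:
    only a segment that is exactly '**' crosses '/'; '*' and '?' stop at '/'.
    Assumption: the 0.8.x matcher agrees; confirm with the 'matched=' DEBUG lines."""
    pieces = []
    for seg in pattern.split("/"):
        if seg == "**":
            pieces.append(None)
        else:
            pieces.append("".join("[^/]*" if c == "*" else "[^/]" if c == "?"
                                  else re.escape(c) for c in seg))
    regex = ""
    for i, piece in enumerate(pieces):
        if piece is None:
            regex += "(?:/.*)?" if i == len(pieces) - 1 else "(?:/[^/]*)*"
        else:
            regex += ("/" if i else "") + piece
    return re.compile("^" + regex + "$")


def parse_source(text):
    """(lowercase_flag, [(pattern, regex, required_roles), ...]) in file order."""
    lowercase, rules = False, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "PATTERN_TYPE_APACHE_ANT":
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, roles = line.split("=", 1)
        rules.append((pattern, ant_to_regex(pattern), [r.strip() for r in roles.split(",")]))
    return lowercase, rules


def config_attributes(source, url):
    """First match top-down. The candidate is the URL *with* its query string,
    lower-cased when the flag is set, as the post's 'Candidate is:' lines show."""
    lowercase, rules = parse_source(source)
    candidate = url.lower() if lowercase else url
    for pattern, regex, roles in rules:
        if regex.match(candidate):
            return pattern, roles
    return None, None  # no ConfigAttributes at all


def decide(source, url, granted):
    """AffirmativeBased + RoleVoter with allowIfAllAbstainDecisions=false.
    Assumption: a URL with no ConfigAttributes is a public object in Acegi and is
    let through without the AccessDecisionManager being consulted."""
    _, required = config_attributes(source, url)
    if required is None:
        return "PUBLIC"
    return "GRANTED" if any(role in granted for role in required) else "DENIED"


# Constructed probes: the two URLs from the post's log plus edge cases.
PROBES = [
    "/queryadmin.do?dispatch=viewStatus",  # from the log: ROLE_ADMIN only
    "/QUERYADMIN.do",                      # case variant, folded by the flag
    "/style.css",                          # from the log
    "/search.do",                          # exact rule, RUNNER/ADMIN only
    "/search.do?q=x",                      # rule has no trailing '*': query string defeats it
    "/jsp/report.jsp",                     # unlisted JSP; '/jsp**' is a single segment
    "/unmapped.do",                        # nothing matches
]

if __name__ == "__main__":
    for label, source in (("as posted", OBJECT_DEFINITION_SOURCE), ("with trailing /**", HARDENED_SOURCE)):
        print(f"== ROLE_USER, table {label}")
        for url in PROBES:
            print(f"{decide(source, url, ['ROLE_USER']):8} {url:38} rule={config_attributes(source, url)[0]}")
```

Run it and read the PUBLIC rows. With the table as posted, /search.do?q=x reaches no rule because /search.do has no trailing *, while the log shows the query string is part of the candidate, and /jsp/report.jsp reaches none if /jsp** is matched segment-wise. Neither is the intermittent ROLE_USER access javi describes; this model does not reproduce that, it only audits the table. A final /**=... entry closes the fall-through for unmapped URLs (the login form and error page then need their own entries above it), but the missing * on /search.do still has to be fixed on its own line. The cheapest confirmation of how the real matcher treats /jsp** is the "pattern is ...; matched=" DEBUG output already in the log.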

  • #2
    Please try again with 0.8.3. It was a bug fix release, after all. :-)



    • #3
      Thanks, Ben.
      Yeah, I already tried that, same result.
