Acegi Security System in Spring WebFlow
  • #16
    hi,

    it's up and semi-running (users.properties file)

    when I try and access a more secured page with a less privileged user Acegi throws an access denied exception, and I get the ugly tomcat death page... should I be catching this with an on-exception transition? or is there an accessdenied page that I need to define somewhere?

    when I try and login with a user that is not authorized before the flow starts I do get redirected to the accessdenied.jsp page.

    so... to sum up
    supervisor -> secure_page -> works
    user -> secure_page -> ugly arse tomcat exception
    evil_user -> login.jsp -> accessdenied.jsp

    thanks


  • #17
    If you have set up your filter chain correctly Acegi should convert the AccessDenied exception and redirect to an AccessDenied page.

    Configure an AccessDeniedHandler and inject that into the ExceptionTranslationFilter.


  • #18
    this is the filterchain
    Code:
    /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    the exceptionTranslationFilter
    Code:
    <bean id="exceptionTranslationFilter"
        class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/rfslogin.jsp" />
                <property name="forceHttps" value="false" />
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/accessDenied.jsp" />
            </bean>
        </property>
    </bean>
    and the exception
    Code:
    org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'startRFSPortal' of flow 'rfsportal-flow'; nested exception is org.acegisecurity.AccessDeniedException: Access is denied
    any suggestions?


  • #19
    Hmm just looked at the source code and it looks at the nested exception and checks if that is of the type AccessDeniedException. If not it simply ignores the message.

    So it is probably needed to check the whole exception chain and see if one of the nested exceptions is an instance of AccessDeniedException. I recommend posting a JIRA for this issue.

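A chain-walking check of the kind the reply above calls for, as an added example rather than Acegi's or Spring Web Flow's own code: it follows Throwable.getCause() from the outer NestedServletException down to the nested AccessDeniedException, which a single instanceof test on the outer exception misses. The AccessDeniedException class inside it is a constructed stand-in so the file compiles without Acegi on the classpath, and the example assumes each wrapping exception exposes the next one through getCause().

```java
import java.util.IdentityHashMap;
import java.util.Map;

/** Finds a given exception type anywhere in a Throwable's cause chain. */
public final class CauseChainInspector {

    private static final int MAX_DEPTH = 25; // guard against pathological chains

    private CauseChainInspector() {}

    /**
     * Returns the first throwable in the chain (starting with t itself) that is
     * an instance of type, or null if none is found. A cycle in the chain ends
     * the walk because a throwable is never visited twice.
     */
    public static <T extends Throwable> T findInChain(Throwable t, Class<T> type) {
        Map<Throwable, Boolean> seen = new IdentityHashMap<Throwable, Boolean>();
        Throwable current = t;
        int depth = 0;
        while (current != null && depth < MAX_DEPTH
                && seen.put(current, Boolean.TRUE) == null) {
            if (type.isInstance(current)) {
                return type.cast(current);
            }
            current = current.getCause();
            depth++;
        }
        return null;
    }

    // Constructed stand-in for org.acegisecurity.AccessDeniedException (assumption:
    // substitute the real class when Acegi is on the classpath).
    public static class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String msg) { super(msg); }
    }

    public static void main(String[] args) {
        // Constructed chain mirroring the posted stack trace:
        // NestedServletException -> FlowExecutionException -> AccessDeniedException
        Throwable chain = new RuntimeException("Request processing failed",
                new RuntimeException("Exception thrown in state 'startRFSPortal'",
                        new AccessDeniedException("Access is denied")));

        // The one-level check the post describes only sees the outer exception.
        System.out.println("outer is AccessDeniedException: "
                + (chain instanceof AccessDeniedException));      // false
        // Walking the chain finds the exception a handler should route to the
        // AccessDeniedHandler instead of letting the container render it.
        AccessDeniedException denied = findInChain(chain, AccessDeniedException.class);
        System.out.println("found in chain: " + (denied != null ? denied.getMessage() : "none"));
    }
}
```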

  • #20
    ok... for the moment a quick workaround is

    Code:
        <transition on-exception="org.acegisecurity.AccessDeniedException" to="accessDenied" />
    </global-transitions>
    just to verify... the jira issue is for swf-93?


  • #21
    I would say another/better implementation of the ExceptionTranslationFilter in case of using SpringWebFlow. SWF nests the exception in an extra layer.


  • #22
    I bet you thought you were done with me...

    I have a documents directory that I have restricted as such
    Code:
    /resources/**=ROLE_SUPERVISOR,ROLE_USER,IS_AUTHENTICATED_ANONYMOUSLY
    /docs/**=ROLE_USER
    when someone accesses that folder with a role such as ROLE_SUPERVISOR they get to see the accessDenied page... but none of the images/styles in /resources show... it appears almost as if they are viewing it from the /docs/ folder instead of /, which would allow them to see the resources...

    i.e. there is no /docs/resources

    the funny thing is that this... just worked before


  • #23
    Hi again,

    I just have a quick couple of questions... I am assuming that the FlowSecurityInterceptor should be placed in the **-servlet.xml file. Do I need to import the acegi-security.xml file into the servlet file, or vice versa?

    it seems as if the flow security interceptor isn't doing anything, as it currently is.


  • #24
    If you configured ACEGI correctly and configured the filter accordingly it should work. You don't need to import anything...


  • #25
    Spring Webflow Acegi SecurityContext

    I have followed the instructions and information given on how to get spring webflow and acegi to work together but keep getting the authentication exception:
    org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext

    Can anyone shed some light on this?


  • #26
    Looks like an ACEGI setup mistake. Have you set up the correct ACEGI filter chain? Are you filtering the flow URLs?


  • #27
    Code:
    /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    that's my filter chain... do I need to specifically add anything for swf-93?


  • #28
    "do i need to specifically add anything for swf-93?"
    No... Just make sure that the SecurityContextHolder is filled (which is normally done by the HttpSessionContextIntegrationFilter). To make this happen make sure that your filters get applied to each URL...

    Judging by your error it appears as if your webflow URL(s) aren't processed by acegi.


  • #29
    all of my flows are handled by the same URL... right now that is http://localhost:8080/rfsportal/rfsportal.rfs

    Code:
    /rfsportal.rfs=ROLE_USER,IS_AUTHENTICATED_ANONYMOUSLY
    is the acegi URL pattern

    and the flow security listener...

    Code:
    <bean id="flowSecurityListener" class="org.springframework.webflow.security.FlowSecurityInterceptor">
        <property name="rejectPublicInvocations" value="false"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="flowDefinitionSource">
            <value>
                secure-flow=ROLE_USER
                service-flow=ROLE_SERVICE_REQUEST,ROLE_CLIENT_REQUEST,ROLE_ENHANCEMENT_REQUEST,ROLE_INTEGRITY_REQUEST,ROLE_IVR_REQUEST,ROLE_REPORT_REQUEST,ROLE_RTD_REQUEST,ROLE_STATEMENT_REQUEST,ROLE_TICKET_REQUEST
                service-flow.state.enterIntegrityFix=ROLE_SERVICE_REQUEST,ROLE_INTEGRITY_REQUEST
                service-flow.state.enterRTDRequest=ROLE_SERVICE_REQUEST,ROLE_RTD_REQUEST
                service-flow.state.enterClientRequest=ROLE_SERVICE_REQUEST,ROLE_CLIENT_REQUEST
                service-flow.state.enterEnhancementRequest=ROLE_SERVICE_REQUEST,ROLE_ENHANCEMENT_REQUEST
                service-flow.state.enterCreateTicket=ROLE_SERVICE_REQUEST,ROLE_TICKET_REQUEST
                service-flow.state.enterRequestReport=ROLE_SERVICE_REQUEST,ROLE_REPORT_REQUEST
                service-flow.state.enterStatementReprint=ROLE_SERVICE_REQUEST,ROLE_STATEMENT_REQUEST
                category-flow=ROLE_USER
                admin-flow=ROLE_ADMIN
                admin-flow.state.users=ROLE_ADMIN_USER
                admin-flow.state.issues=ROLE_ADMIN_ISSUES
                admin-flow.state.events=ROLE_ADMIN_EVENT
            </value>
        </property>
    </bean>


  • #30
    all right... my bad.

    turns out that I used to have all of the flows in one cluster-flow :-) After refactoring into multiple flows I forgot to add the additional flows to the criteria for the flow listener. That would seem to explain why nothing was working.