I can't login.
what i do is login (from samples) than do my stuff. than I logoff (from sample) when i directly want to go to de page that i have secured, and try to login afterwards i get AuthenticationCredentialsNotFoundException and i can't login no more!!



2004-10-21 17:30:54,321 DEBUG acegisecurity.ui.AbstractIntegrationFilter:164 -> Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)
2004-10-21 17:30:54,321 DEBUG acegisecurity.ui.AbstractProcessingFilter:290 -> Request is to process authentication
2004-10-21 17:30:54,321 DEBUG acegisecurity.providers.ProviderManager:125 -> Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticati onProvider
2004-10-21 17:30:54,361 DEBUG dao.cache.EhCacheBasedUserCache:86 -> Cache hit: true; username: quentin
2004-10-21 17:30:54,361 DEBUG acegisecurity.ui.AbstractProcessingFilter:343 -> Authentication success: net.sf.acegisecurity.providers.UsernamePasswordAut henticationToken@eabd2f: Username: quentin; Password: [PROTECTED]; Authenticated: false; Details: 127.0.0.1; Granted Authorities: ROLE_TELLER, ROLE_SUPERVISOR
2004-10-21 17:30:54,361 DEBUG acegisecurity.ui.AbstractProcessingFilter:358 -> Redirecting to target URL from HTTP Session (or default): http://localhost:8084/acegi/itemSummery.do
2004-10-21 17:30:54,381 DEBUG acegisecurity.ui.AbstractIntegrationFilter:176 -> Updating container with new Authentication object, and then removing Authentication from ContextHolder
2004-10-21 17:30:54,501 DEBUG acegisecurity.ui.AbstractIntegrationFilter:164 -> Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)
2004-10-21 17:30:54,501 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:112 -> Converted URL to lowercase, from: 'uri: /acegi/itemSummery.do
method: GET
QueryString: null
Parameters:
Headers:
Name: accept Value: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Name: referer Value: http://localhost:8084/acegi/acegilogin.jsp
Name: accept-language Value: en-us
Name: accept-encoding Value: gzip, deflate
Name: user-agent Value: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)
Name: host Value: localhost:8084
Name: connection Value: Keep-Alive
Name: cache-control Value: no-cache
Name: cookie Value: JSESSIONID=67A521C246B9D10401E7F2488C24B52F
'; to: '/itemsummery.do'
2004-10-21 17:30:54,601 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/itemsummery.do'; pattern is /secure/**; matched=false
2004-10-21 17:30:54,601 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/itemsummery.do'; pattern is /test/**; matched=false
2004-10-21 17:30:54,601 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/itemsummery.do'; pattern is /*.do; matched=true
2004-10-21 17:30:54,601 DEBUG acegisecurity.intercept.AbstractSecurityIntercepto r:273 -> Secure object: FilterInvocation: URL: /itemSummery.do; ConfigAttributes: [ROLE_SUPERVISOR]
2004-10-21 17:30:54,611 DEBUG intercept.web.SecurityEnforcementFilter:191 -> Authentication failed - adding target URL to Session: http://localhost:8084/acegi/itemSummery.do
net.sf.acegisecurity.AuthenticationCredentialsNotF oundException: Authentication credentials were not found in the SecureContext
at net.sf.acegisecurity.intercept.AbstractSecurityInt erceptor.interceptor(AbstractSecurityInterceptor.j ava:289)
at net.sf.acegisecurity.intercept.web.FilterSecurityI nterceptor.invoke(FilterSecurityInterceptor.java:7 8)
at net.sf.acegisecurity.intercept.web.SecurityEnforce mentFilter.doFilter(SecurityEnforcementFilter.java :165)
at net.sf.acegisecurity.util.FilterToBeanProxy.doFilt er(FilterToBeanProxy.java:105)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:233)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:204)
at net.sf.acegisecurity.ui.AbstractProcessingFilter.d oFilter(AbstractProcessingFilter.java:368)
at net.sf.acegisecurity.util.FilterToBeanProxy.doFilt er(FilterToBeanProxy.java:105)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:233)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:204)
at net.sf.acegisecurity.ui.AbstractIntegrationFilter. doFilter(AbstractIntegrationFilter.java:170)
at net.sf.acegisecurity.util.FilterToBeanProxy.doFilt er(FilterToBeanProxy.java:105)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:233)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:204)
at org.netbeans.modules.web.monitor.server.MonitorFil ter.doFilter(MonitorFilter.java:305)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:233)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:204)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:257)
at org.apache.catalina.core.StandardValveContext.invo keNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(S tandardPipeline.java:567)
at org.apache.catalina.core.StandardContextValve.invo keInternal(StandardContextValve.java:245)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:199)
at org.apache.catalina.core.StandardValveContext.invo keNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(S tandardPipeline.java:567)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:184)
at org.apache.catalina.core.StandardValveContext.invo keNext(StandardValveContext.java:151)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:164)
at org.apache.catalina.core.StandardValveContext.invo keNext(StandardValveContext.java:149)
at org.apache.catalina.core.StandardPipeline.invoke(S tandardPipeline.java:567)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:156)
at org.apache.catalina.core.StandardValveContext.invo keNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(S tandardPipeline.java:567)
at org.apache.catalina.core.ContainerBase.invoke(Cont ainerBase.java:972)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(Co yoteAdapter.java:206)
at org.apache.coyote.http11.Http11Processor.process(H ttp11Processor.java:833)
at org.apache.coyote.http11.Http11Protocol$Http11Conn ectionHandler.processConnection(Http11Protocol.jav a:732)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(P oolTcpEndpoint.java:619)
at org.apache.tomcat.util.threads.ThreadPool$ControlR unnable.run(ThreadPool.java:688)
at java.lang.Thread.run(Thread.java:534)
2004-10-21 17:30:54,621 DEBUG ui.webapp.AuthenticationProcessingFilterEntryPoint :176 -> Redirecting to: http://localhost:8084/acegi/acegilogin.jsp
2004-10-21 17:30:54,621 DEBUG acegisecurity.ui.AbstractIntegrationFilter:176 -> Updating container with new Authentication object, and then removing Authentication from ContextHolder
2004-10-21 17:30:54,771 DEBUG acegisecurity.ui.AbstractIntegrationFilter:164 -> Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)
2004-10-21 17:30:54,771 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:112 -> Converted URL to lowercase, from: 'uri: /acegi/acegilogin.jsp
method: GET
QueryString: null
Parameters:
Headers:
Name: accept Value: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Name: referer Value: http://localhost:8084/acegi/acegilogin.jsp
Name: accept-language Value: en-us
Name: accept-encoding Value: gzip, deflate
Name: user-agent Value: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Crazy Browser 1.0.5)
Name: host Value: localhost:8084
Name: connection Value: Keep-Alive
Name: cache-control Value: no-cache
Name: cookie Value: JSESSIONID=67A521C246B9D10401E7F2488C24B52F
'; to: '/acegilogin.jsp'
2004-10-21 17:30:54,771 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/acegilogin.jsp'; pattern is /secure/**; matched=false
2004-10-21 17:30:54,781 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/acegilogin.jsp'; pattern is /test/**; matched=false
2004-10-21 17:30:54,781 DEBUG intercept.web.PathBasedFilterInvocationDefinitionM ap:123 -> Candidate is: '/acegilogin.jsp'; pattern is /*.do; matched=false
2004-10-21 17:30:54,781 DEBUG acegisecurity.intercept.AbstractSecurityIntercepto r:346 -> Public object - authentication not attempted
2004-10-21 17:30:54,811 DEBUG intercept.web.SecurityEnforcementFilter:168 -> Chain processed normally
2004-10-21 17:30:54,811 DEBUG acegisecurity.ui.AbstractIntegrationFilter:176 -> Updating container with new Authentication object, and then removing Authentication from ContextHolder

It's a filter ordering issue. See my post at http://forum.springframework.org/showthread.php?t=10989.

Basically your AbstractIntegrationFilter is running, then you're logging on via the AbstractProcessingFilter. AbstractProcessingFilter updates the HttpSession with the correct Authentication request object and sends the redirect. Then AbstractIntegrationFilter finishes running by copying from the ContextHolder a null object, overwriting the HttpSession (which needs to be there for your redirected request to http://localhost:8084/acegi/itemSummery.do).

Partial solved the problem! After the logoff (session.invalidate()) I can't login again! It wil produce a net.sf.acegisecurity.AuthenticationCredentialsNotF oundException: Authentication credentials were not found in the SecureContext
again. Still don't know what it is?

Order is now:

AuthenticationProcessingFilter
AutoIntegrationFilter
SecurityEnforcementFilter


Another question: do i need th BasicProcessingFilter?

:evil: I can't get it right :evil:

:D I took the xml (web, applicationContext) from Sample :D

Just modified it and it works just GREAT.

If just got another question? Don't wont to bother you to must, but I've got a Domain Model Bussiness Objects (Beans) which are used in three layers. Now I got my services(get, update, delete, etc) secured see above. I want to secure my Domain Objects, so I can "simulate" tabel\row level security. Do I have to do this in the same way as Method security or is there another way.

My Layers
(Struts - Spring - Hibernate)

The net.sf.acegisecurity.acl.basic package provides a simple integer-mask based approach to ACL-level permissions. It is discussed in the reference guide.

If you always pass your domain objects to a services layer, you can write a custom AccessDecisionVoter which ensures sufficient permissions are assigned for a domain object.

If you aren't using a services layer, you need to get more creative. I recently added to CVS AspectJ support which would enable you to define pointcuts for your domain objects, thus automatically applying a method security interceptor in front of domain object method invocations. Or, you can use the autowiring support in Spring sandbox to autowire the AclManager into the domain object instance and then code within the domain object instance a check for necessary permissions for each method invocation.

Personally I found the AspectJ IDE support not mature enough to support working on a real application, and coding security checks into your domain objects is bad form.

On our current project we've setup our domain objects as follows:

- Provide public setters and getters (which perform no validation)
- Provide a Validator for the domain object
- Autowire the Validator when retriving the domain object from Hibernate (if creating a new instance, just autowire it from AutowireCapableBeanFactory)
- Have a bindSupport() method which configures domain object-wide properties (eg a Person object with a firstName and lastName, upon bindSupport() it updates the displayName)
- Have a validate() method which calls the Validator, throwing BindException if any problems
- Have a bindAndValidate() method which calls bindSupport() then validate()
- A BindAndValidateInterceptor and BindAndValidateAdvisor wires against all DAO implementations to call the domain object's bindAndValidate()
- All "business methods" are package protected, so they can only be called by a services layer object in the same package
- All "business methods" needing a valid object state call bindAndValidate() before they run their business-specific logic
- Services layers method interception enforces ACL security
- Spring MVC controllers use the normal Validator approach and call bindSupport() in the onBind() method
- Failures during the BindAndValidateInterceptor are considered programming faults, as the UI layer should have called the Validator as part of its workflow
- By implementing BindAndValidateInterceptor as an AOP Alliance interceptor rather than a Hibernate Interceptor, the bindSupport() method can successfully change the domain object properties and the Validator can perform queries again the Hibernate Session

The result of all this is domain objects can be reused for Hibernate, MVC, and search forms. Business behaviour is also located in the business objects. ACL security is also enforced.

Ben, you have provided some great writeups about validation in this forum. One question I still have about validation is context:

I can see how a validator can be used as you described to validate all of the required fields in a domain object, but what if you wanted your validator to enforce some constraints. For example, my UserValidator may want to check to make sure the username property is not blank. In addition, before I persist a new user object to the database, I may also want to check to see if that username already exists (and raise an error if it does).

Since there is only one validator for user, how can it be used in the insert case, as well as update?

Hope that makes sense