Thread: Does Acegi check session if user is logged in?

  1. #1

    Does Acegi check session if user is logged in?

    Hello,

    I have installed Acegi on my web app, and everything is working beautifully except that if you specifically type in a URL which is supposed to be protected (the person must be logged in), I am still permitted to go to that page. I want it to force the user back to the login page. Do I have to create my own filter to check for the session object, or is there something I need to set in one of the Acegi filters which will do this for me?

    --Rexxe

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Acegi Security should protect your URLs. Is your web.xml and application context properly configured? You'll need a SecurityEnforcementFilter to protect web URLs. If you can't find the configuration issue, please post these two XML files to the forum.

  3. #3

    Ben,

    I have the SecurityEnforcementFilter in place but the docs only show it dealing with roles. I want to reject users based on whether they have logged in or not and then check the role. Is this necessary? Does the security filter check for the existence of the Authentication obj in the context and if it is not there forward the user to the login page? Here is the filter part of my web.xml file:

    Code:
    <filter>
        <filter-name>HibernateSpringFilter</filter-name>
        <filter-class>org.springframework.orm.hibernate.support.OpenSessionInViewFilter</filter-class>
        <init-param>
            <param-name>sessionFactoryBeanName</param-name>
            <param-value>mySessionFactory</param-value>
        </init-param>
        <init-param>
            <param-name>singleSession</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi Channel Processing Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>HibernateSpringFilter</filter-name>
        <url-pattern>*.htm</url-pattern>
    </filter-mapping>

    <!-- Remove the comments from the following <filter-mapping> if you'd
         like to ensure secure URLs are only available over HTTPS -->
    <!--
    <filter-mapping>
        <filter-name>Acegi Channel Processing Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

    <filter-mapping>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    And my securityContext.xml file (copied from the docs for now):

    Code:
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
        <property name="runAsManager"><ref local="runAsManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                \A/secure/super.*\Z=ROLE_WE_DONT_HAVE
                \A/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
            </value>
        </property>
    </bean>

    Thanks for your help!

    Rexxe

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Your config looks pretty good except for the line:

    \A/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER

    This would match everything, including your login form. You can't do that!

    Best practice is to leave the root non-secured, and put your webapp under a subdirectory. As such your login forms have a location they can be placed where they will not be affected by security.

    In relation to detecting if a user is logged in as well, this is not necessary. Take a look at the JavaDocs for AbstractSecurityInterceptor to see how it works. As you can see, it will throw an AuthenticationException if the user is not logged in. Your SecurityEnforcementFilter's function is to catch such exceptions and redirect to a suitable page. In addition, SecurityEnforcementFilter will send back an access denied response if AbstractSecurityInterceptor threw an AccessDeniedException (which would indicate the user has been authenticated, but simply doesn't have permission).
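The following is an added stand-alone simulation (not Acegi's own code) of the decision the reply describes: first matching pattern wins, an unauthenticated request to a matched URL raises an AuthenticationException (which SecurityEnforcementFilter turns into a redirect to the login page), and an authenticated request without a required role raises an AccessDeniedException. It contrasts the posted pattern map with a corrected one that leaves the root unsecured; "/login.htm" as the login-form URL and "/secure/" as the protected subdirectory are assumptions.

```java
import java.util.*;
import java.util.regex.Pattern;

public class AcegiDecisionDemo {
    // Stand-ins for net.sf.acegisecurity's exception types (assumed names, simulation only).
    static class AuthenticationException extends RuntimeException {
        AuthenticationException(String m) { super(m); } }
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String m) { super(m); } }

    // Ordered regex -> required roles, mirroring the objectDefinitionSource lines:
    // first matching pattern wins; URL lower-cased first (CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON).
    static final LinkedHashMap<String, List<String>> POSTED = new LinkedHashMap<>();
    static final LinkedHashMap<String, List<String>> FIXED = new LinkedHashMap<>();
    static {
        POSTED.put("\\A/secure/super.*\\Z", List.of("ROLE_WE_DONT_HAVE"));
        POSTED.put("\\A/.*\\Z", List.of("ROLE_SUPERVISOR", "ROLE_TELLER"));       // also catches the login form
        FIXED.put("\\A/secure/super.*\\Z", List.of("ROLE_WE_DONT_HAVE"));
        FIXED.put("\\A/secure/.*\\Z", List.of("ROLE_SUPERVISOR", "ROLE_TELLER")); // root left unsecured (assumed layout)
    }

    /** roles == null models "no Authentication object in the context", i.e. not logged in. */
    static String decide(Map<String, List<String>> map, String url, Set<String> roles) {
        String lower = url.toLowerCase(Locale.ROOT);
        for (Map.Entry<String, List<String>> e : map.entrySet()) {
            if (!Pattern.matches(e.getKey(), lower)) continue;
            if (roles == null)   // interceptor throws; the enforcement filter redirects to login
                throw new AuthenticationException("not logged in: " + url);
            for (String r : e.getValue()) if (roles.contains(r)) return "GRANTED";
            throw new AccessDeniedException("authenticated but lacks " + e.getValue());
        }
        return "PUBLIC";         // no pattern matched: the interceptor is not involved
    }

    /** What SecurityEnforcementFilter would do with each exception. */
    static String outcome(Map<String, List<String>> map, String url, Set<String> roles) {
        try { return decide(map, url, roles); }
        catch (AuthenticationException ex) { return "REDIRECT_TO_LOGIN"; }
        catch (AccessDeniedException ex)   { return "ACCESS_DENIED"; }
    }

    public static void main(String[] args) {
        Set<String> teller = Set.of("ROLE_TELLER");
        // With the posted map the login page itself requires a role, so an anonymous
        // user is redirected to the login page from the login page: a redirect loop.
        System.out.println("posted, /login.htm, anonymous: " + outcome(POSTED, "/login.htm", null));
        System.out.println("fixed,  /login.htm, anonymous: " + outcome(FIXED, "/login.htm", null));
        System.out.println("fixed,  /secure/index.htm, anonymous: " + outcome(FIXED, "/secure/index.htm", null));
        System.out.println("fixed,  /secure/index.htm, teller: " + outcome(FIXED, "/secure/index.htm", teller));
        System.out.println("fixed,  /secure/super/x.htm, teller: " + outcome(FIXED, "/secure/super/x.htm", teller));
    }
}
```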
