
Thread: Can't access 'secured' resources - redirected to login page

  1. #1

    Default Can't access 'secured' resources - redirected to login page

    Hi guys,

    I'm using the setup described in the following configuration files, with Acegi v0.6.1 (inside of WebSphere). I'm using the security filter to redirect to my login.jsp. At the moment I am just running with the example in memory authentication DAO.

    This seems to work in that I don't get any error when I supply the correct username/password combination. However, I don't get redirected to the originally requested URL, after authentication. Instead, I end up back at the login.jsp, with no error message.

    I followed it through in the debugger and have noticed that the authenticated attribute on the Authentication object is not set to true despite successful authentication. Not sure why this should be so. Have I got my filters out of order in the configuration? Does it matter? (I've just tried it with the authentication filter before the auto-integration filter - still no joy.)

    Thanks, Owen

    Here's my web.xml excerpt:
    Code:
        <!-- Servlet filter declarations for Acegi. Each one is a FilterToBeanProxy whose
             targetClass init-param names the class of the Spring-managed bean that the
             proxy hands the request to. The order of these <filter> elements does not
             set the invocation order; the order of the <filter-mapping> elements does. -->
        <filter>
            <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.AutoIntegrationFilter</param-value>
            </init-param>
        </filter>
        
        <!-- Handles the login form submission. -->
        <filter>
            <filter-name>Acegi Authentication Processing Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
            </init-param>
        </filter>
    
        <!-- Enforces the URL access rules configured on the security interceptor bean. -->
        <filter>
            <filter-name>Acegi HTTP Request Security Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
            </init-param>
        </filter>
        
        <!-- The container builds the filter chain in the order these mappings appear, so
             as written every request passes through SecurityEnforcementFilter first, then
             AuthenticationProcessingFilter, then AutoIntegrationFilter.
             NOTE(review): access enforcement therefore runs before the other two filters
             have handled the request; confirm this against the filter ordering given in
             the Acegi reference guide. -->
        <filter-mapping>
          <filter-name>Acegi HTTP Request Security Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    	
        <filter-mapping>
          <filter-name>Acegi Authentication Processing Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    
        <filter-mapping>
          <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
          <url-pattern>/*</url-pattern>
        </filter-mapping>
    and here's my applicationContext.xml excerpt:
    Code:
    	<!-- Target bean of the "Auto Integration Filter" declared in web.xml; it takes no properties here. -->
    	<bean id="autoIntegrationFilter" class="net.sf.acegisecurity.ui.AutoIntegrationFilter" />
        
        	<!-- In-memory user store. If you replace this bean with, say, JdbcDaoImpl, just ensure
    	     your replacement has the same bean id (authenticationDao).
    	     Each userMap line has the form username=password[,disabled],AUTHORITY.
    	     The passwords below sit in cleartext in this file, which is acceptable only
    	     for the sample accounts used while testing. -->
    	<bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
      		<property name="userMap">
    			<value>
    				marissa=koala,ROLE_SUPERVISOR
    				dianne=emu,ROLE_TELLER
    				scott=wombat,ROLE_TELLER
    				peter=opal,disabled,ROLE_TELLER
    			</value>
    		</property>
    	</bean>
    
    	<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
    	     The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
    	     Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last.
    	     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lower-cases the request URL before matching, so patterns must be written in lower case.
    	     Only /secure/** carries a rule here; a URL that matches no pattern is not restricted by this interceptor,
    	     which is what leaves /login.jsp and /j_acegi_security_check reachable before login. -->
    	<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        	<property name="authenticationManager"><ref local="authenticationManager"/></property>
        	<property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
     		<property name="objectDefinitionSource">
    			<value>
    			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    			    PATTERN_TYPE_APACHE_ANT
    				/secure/**=ROLE_SUPERVISOR
    			</value>
    		</property>
    	</bean>
        
        <!-- probably don't need to change the following ever -->
        
        <!-- Checks submitted credentials against the authenticationDao bean, going through userCache. -->
        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
         	<property name="authenticationDao"><ref local="authenticationDao"/></property>
         	<property name="userCache"><ref local="userCache"/></property>
    	</bean>
    	
    	<!-- User cache with minutesToIdle set to 5.
    	     NOTE(review): a change made in the DAO (for example disabling an account) may not be
    	     seen while a cached entry is still live; confirm the cache behaviour for this version. -->
    	<bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    		<property name="minutesToIdle"><value>5</value></property>
    	</bean>
    
    	<!-- Authentication manager shared by the login filter and the security interceptor.
    	     Its only provider is the DAO-backed one, so every authentication request is
    	     decided by daoAuthenticationProvider. -->
    	<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    		  <list>
    		    <ref local="daoAuthenticationProvider"/>
    		  </list>
    		</property>
    	</bean>
    
    	<!-- Voter for the ROLE_ attributes used in the interceptor's objectDefinitionSource. -->
    	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
    	<!-- Access is granted when a voter votes to grant. With allowIfAllAbstainDecisions
    	     set to false, a request on which every voter abstains is denied (fail closed). -->
    	<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
       		<property name="allowIfAllAbstainDecisions"><value>false</value></property>
    		<property name="decisionVoters">
    		  <list>
    		    <ref local="roleVoter"/>
    		  </list>
    		</property>
    	</bean>
    
    	<!-- Form-login processing.
    	     filterProcessesUrl is the URL the login form must submit to.
    	     authenticationFailureUrl is where a failed login is sent (the login page with login_error=1).
    	     defaultTargetUrl is used after a successful login when there is no originally requested URL to return to. -->
    	<bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="authenticationManager"><ref local="authenticationManager"/></property>
    		<property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
    		<property name="defaultTargetUrl"><value>/</value></property>
    		<property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    	</bean>
    
    	<!-- Runs the URL security interceptor for each request and uses the entry point
    	     to start authentication (here, sending the browser to the login form). -->
    	<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    		<property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
    		<property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    	</bean>
    
    	<!-- Entry point that sends unauthenticated users to /login.jsp.
    	     With forceHttps set to false the login form is not forced onto HTTPS, so unless
    	     transport security is enforced elsewhere the credentials can travel over plain HTTP. -->
    	<bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl"><value>/login.jsp</value></property>
    		<property name="forceHttps"><value>false</value></property>
    	</bean>

  2. #2


    Yes, your filter-mappings are in the wrong order. They should be:

    ChannelProcessingFilter
    AuthenticationProcessingFilter
    CasProcessingFilter
    BasicProcessingFilter
    AutoIntegrationFilter
    SecurityEnforcementFilter

    I've listed all of them for the benefit of the archives. They're also listed in the reference guide toward the end.

    The reason this order is required is that the ChannelProcessingFilter, if used, redirects to the correct channel (eg HTTPS). The various *ProcessingFilters then actually log the user in if the HTTP request relates to a login (eg a login form or a BASIC authentication header or a CAS redirect etc). The result of these *ProcessingFilters is to put the known-to-be-valid username and password into an Authentication object and put it into a "well-known location" - typically HttpSession. AutoIntegrationFilter "reads" this well-known location and puts it onto the ContextHolder. SecurityEnforcementFilter refers solely to the ContextHolder and will use the username and password to re-authenticate the user as part of AbstractSecurityInterceptor processing. When the request ends, the AutoIntegrationFilter reads the ContextHolder and copies the Authentication off it and back into the well-known location, ready for the next request.

    HTH

  3. #3

    Default Can't access 'secured' resources and redirected to login page too

    I can't access the secured resources either. The user is always treated as anonymous. Please help me! I'm a beginner, sorry, and thanks so much.

    applicationContext.xml
    Code:
    <beans>
    
    	<!-- One filter chain applied to every URL (/**). The filters run in the order listed:
    	     session context integration, logout, form-login processing, request wrapper,
    	     remember-me, anonymous, exception translation, then the URL security interceptor. -->
    	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value><![CDATA[
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    			]]></value>
    		</property>
    	</bean>
    
    	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
    
    	<!-- On logout both handlers run: the remember-me services and the security context handler. -->
    	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    		<constructor-arg value="/template/default/template.jsf"/> <!-- URL redirected to after logout -->
    		<constructor-arg>
    			<list>
    				<ref bean="rememberMeServices"/>
    				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
    			</list>
    		</constructor-arg>
    	</bean>
    
    	<!-- Form-login processing. The login form must submit to filterProcessesUrl
    	     (/j_acegi_security_check). authenticationFailureUrl is the plain login page,
    	     so a failed login returns there with no error indicator in the URL. -->
    	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="authenticationFailureUrl" value="/login/login.jsf"/>
    		<property name="defaultTargetUrl" value="/template/default/template.jsf"/>
    		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    	</bean>
    
    	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>
    
    	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="rememberMeServices" ref="rememberMeServices"/>
    	</bean>
    
    	<!-- Gives requests that carry no authentication the anonymousUser identity with ROLE_ANONYMOUS.
    	     NOTE(review): "changeThis" looks like the sample placeholder, and the same literal is used
    	     for the anonymous and the remember-me keys in this file. Replace each with a value specific
    	     to the deployment, keeping every filter/service key identical to its provider's key. -->
    	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key" value="changeThis"/>
    		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
    	</bean>
    	<!-- Sends unauthenticated users to the login form and denied users to the error page.
    	     With forceHttps set to false the login form is not forced onto HTTPS, so unless
    	     transport security is enforced elsewhere the credentials can travel over plain HTTP. -->
    	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    				<property name="loginFormUrl" value="/login/login.jsf"/>
    				<property name="forceHttps" value="false"/>
    			</bean>
    		</property>
    		<property name="accessDeniedHandler">
    			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    				<property name="errorPage" value="/login/error.jsf"/>
    			</bean>
    		</property>
    	</bean>
    
    	<!-- URL access rules. The request URL is lower-cased before matching, so the patterns
    	     must be lower case. The three listed paths require ROLE_MANAGER; a URL that matches
    	     no pattern (for example /login/** and /template/**) is not restricted by this interceptor.
    	     allowIfAllAbstainDecisions=false denies a request on which every voter abstains. -->
    	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager"/>
    		<property name="accessDecisionManager">
    			<bean class="org.acegisecurity.vote.AffirmativeBased">
    				<property name="allowIfAllAbstainDecisions" value="false"/>
    				<property name="decisionVoters">
    					<list>
    						<bean class="org.acegisecurity.vote.RoleVoter"/>
    						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
    					</list>
    				</property>
    			</bean>
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/qlhochieu/**=ROLE_MANAGER
    				/qldoanra/**=ROLE_MANAGER
    				/qldoanvao/**=ROLE_MANAGER
    			</value>
    		</property>
    	</bean>
    
    	<!-- Remember-me token services. The key is a secret that goes into the remember-me token,
    	     so it must not stay at the sample value "changeThis" in a deployed application, and it
    	     must equal the key of the RememberMeAuthenticationProvider below. -->
    	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    		<property name="userDetailsService" ref="userDetailsService"/>
    		<property name="key" value="changeThis"/>
    	</bean>
    
    	<!-- Providers for the three kinds of authentication used by the chain:
    	     form login (DAO), anonymous and remember-me. -->
    	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="daoAuthenticationProvider"/>
    				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    					<property name="key" value="changeThis"/>
    				</bean>
    				<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    					<property name="key" value="changeThis"/>
    				</bean>
    			</list>
    		</property>
    	</bean>
    
    	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="userDetailsService" ref="userDetailsService"/>
    	</bean>
    
    	<!-- UserDetailsService is the Acegi Security interface most commonly implemented by end users.
    	     Here it is the in-memory implementation, loaded from /WEB-INF/users.properties.
    	     NOTE(review): presumably that file holds username=password,AUTHORITY entries in cleartext;
    	     confirm, and treat it as suitable for test accounts only. -->
    	<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    		<property name="userProperties">
    			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    				<property name="location" value="/WEB-INF/users.properties"/>
    			</bean>
    		</property>
    	</bean>
    
    	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
    	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>
    
    </beans>
    My configs in web.xml

    Code:
    	<!-- Spring context file that ContextLoaderListener loads; it has to be the file
    	     that defines the Acegi beans, including the FilterChainProxy bean. -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/applicationContext-acegi-security.xml
    		</param-value>
    	</context-param>
    
    	<!-- Single servlet filter that hands each request to the FilterChainProxy bean.
    	     NOTE(review): the class names below are surrounded by line breaks and tabs;
    	     this relies on that whitespace being trimmed before the class is loaded. Confirm. -->
    	<filter>
    		<filter-name>Acegi Filter Chain Proxy</filter-name>
    		<filter-class>
    			org.acegisecurity.util.FilterToBeanProxy
    		</filter-class>
    		<init-param>
    			<param-name>targetClass</param-name>
    			<param-value>
    				org.acegisecurity.util.FilterChainProxy
    			</param-value>
    		</init-param>
    	</filter>
    	<listener>
    		<listener-class>
    			org.springframework.web.context.ContextLoaderListener
    		</listener-class>
    	</listener>
    
    	<!-- The chain is applied to every URL, both for client requests (REQUEST) and for
    	     internal forwards (FORWARD), so a forwarded request is checked again. -->
    	<filter-mapping>
    		<filter-name>Acegi Filter Chain Proxy</filter-name>
    		<url-pattern>/*</url-pattern>
    		<dispatcher>FORWARD</dispatcher>
    		<dispatcher>REQUEST</dispatcher>
    
    	</filter-mapping>
    I can't find any reason for this error. Also, if I use SSL to access the application via HTTPS, how must I configure these files?
    どうも、ありがとう ございます。
