alwaysUseDefaultTargetUrl / Session Initiation

[JStewart]

I'm trying to configure some session attributes when the user logs in. I got this working by creating a LoginController class, which is the defaultTargetUrl for my AuthenticationProcessingFilter, as follows:

Code:

    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
        <property name="authenticationFailureUrl"><value>/login.jsp?loginError=1</value></property>
        <property name="defaultTargetUrl"><value>/secure/loginHandler</value></property>
        <property name="filterProcessesUrl"><value>/securityCheck</value></property>
    </bean>

The LoginController referenced by /secure/loginHandler then sets the session attributes and returns a Spring ModelAndView for my welcome page. This works fine when the user accesses login.jsp directly (or from my index.jsp forward).

If the user tries to access a secure page directly, by navigating to http://myhost/myapp/secure/someSecurePage, Acegi intercepts and directs them to login.jsp as expected. However, following the login, they are sent to /secure/someSecurePage, thus bypassing my /secure/loginHandler and session attribute initialization.

I was going to use "alwaysUseDefaultTargetUrl" per http://forum.springframework.org/showthread.php?t=11614, but I can't figure out how to configure this. I tried adding this to my applicationContext.xml:

Code:

    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager"><ref local="authenticationManager"/></property>
        <property name="authenticationFailureUrl"><value>/login.jsp?loginError=1</value></property>
        <property name="defaultTargetUrl"><value>/secure/loginHandler</value></property>
        <property name="alwaysUseDefaultTargetUrl"><value>true</value></property>
        <property name="filterProcessesUrl"><value>/securityCheck</value></property>
    </bean>

..but then I get the following error from Tomcat:

org.springframework.beans.NotWritablePropertyExcep tion: Invalid property 'alwaysUseDefaultTargetUrl' of bean class [net.sf.acegisecurity.ui.webapp.AuthenticationProce ssingFilter]: Property 'alwaysUseDefaultTargetUrl' is not writable

The same thing happens if I set the property in my authenticationProcessingFilterEntryPoint bean.

At this point I have two questions:

1) How/where does one set alwaysUseDefaultTargetUrl?

2) Is this really the right way to handle session initiation? I would like to allow users to navigate directly to any secure page, have them directed to the login page if they're not already authenticated, have my session initiation code run following authentication, and then have them directed to the destination they requested. I can live with forcing everyone to the welcome page following authentication, but it's not what I really want.

Thanks!

Jim

[Scott Battaglia]

Are you using the latest from head? I'm don't think version 0.7 has been released yet. Its not implemented in .6.x

I am using a snapshot that I made from the head.

[Scott Battaglia]

Try looking at this:

http://www.springframework.org/docs/...orAdapter.html

[JStewart]

Thanks! I installed the latest CVS snapshot and alwaysUseDefaultTargetUrl is working now. I'm going to look into your other suggestion now and see if I can achieve the full functionality that I want. It looks like it'll be totally outside the scope of Acegi, but if I figure something out I'll followup in this thread in case others are interested.

--Jim

[JStewart]

Please bear with me as I'm learning JSP, Spring, and Acegi all at once..

How can I intercept the Acegi security check? I wrote an interceptor and tested it out on a mock login handler, but now I need to apply it to the Acegi handler.

web.xml:

Code:

    <filter>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
        </init-param>
    </filter>

applicationContext-acegi.xml:

Code:

  <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationFailureUrl"><value>/login?loginError=1</value></property>
    <property name="defaultTargetUrl"><value>/secure/welcome</value></property>
    <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
  </bean>

  <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl"><value>/login</value></property>
    <property name="forceHttps"><value>false</value></property>
  </bean>

myapp-servlet.xml:

Code:

    <bean id="handlerMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="mappings">
            <props>
                <prop key="/j_acegi_security_check">What_Goes_Here</prop>
            </props>
        </property>
        <property name="interceptors">
            <list>
                <ref bean="loginInterceptor"/>
            </list>
        </property>
    </bean>

    <bean id="loginInterceptor" class="mypackage.myapp.web.interceptor.LoginInterceptor"/>

I'm not sure what to replace What_Goes_Here (above) with. To test the interceptor, I used a normal URL-to-Spring-controller mapping here, but I'm not sure how to apply this to the Acegi login form processor, since I never explicitly map /j_acegi_login_security_check to a Spring controller. I realize that the filter definition in web.xml is establishing the relationship, but I'm not sure where to fit my interceptor into the mix.

Should I be creating a custom filter instead?

Here's the relevent portion of my interceptor:

LoginInterceptor.java:

Code:

package mypackage.myapp.web.interceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class LoginInterceptor extends HandlerInterceptorAdapter {
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        request.getSession().setAttribute("myAttribute", "myValue");
        // ...etc.
    }
}

I don't want to apply this interceptor to every request, although I suppose that's an option if that's the only solution. I'm not sure how to implement that either, however.

Thanks in advance.

--Jim

[JStewart]

I forgot to mention that along with my most recent post (above), my plan was to stop using alwaysUseDefaultTargetUrl and my LoginController, instead replacing that implementation with the login handler. I probably should have started a new thread for it, but I'll wait for a response here before spamming the group.

--Jim

[Scott Battaglia]

I was thinking more along the lines of using the preHandle method and attaching the HandlerInterceptorAdaptor to the URLs you want protected (and need the session data set up).

This way, Acegi can do its normal thing. Then when the page is processed, the preHandle method gets called. It checks to see if the required session stuff is set up and if not sets it up. By this point you're guaranteed to be authenticated/authorized.

By defining multiple handler mappings, you can limit which urls the handlerinterceptoradaptor is applied to.

Hope that helps.

[JStewart]

I was thinking more along the lines of using the preHandle method and attaching the HandlerInterceptorAdaptor to the URLs you want protected (and need the session data set up).

Aha, that makes sense. It's still more handling than I think is necessary, but I think I will employ your method until I can figure out how to do it as a one-time post-login task. With your suggestion I can just do a preHandle() on everything in my /secure directory and get what I need.

It seems like there would be a real benefit to being able to intercept/filter the post-authentication change for one-time session initialization (what I'm trying to do, or, say, logging a user authorization). I'm sure there's an easy way to do it that I'm just not seeing since I'm new to all of this.

Thanks for your suggestions.

--Jim

[Scott Battaglia]

If you only want it to execute once, you could grab the requested URL and put it in a session variable. Then your defaultTargetUrl is a page that can set up your session data. That page can then retrieve the requested URL and use a RedirectView to forward to that page.

The requested URL is put into the session by Acegi under the attribute AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL _KEY

I haven't read the Acegi code enough yet though to know if it would still be available to you (I am thinking that's a No). So you may need to either modify/extend Acegi to not remove it from the session or keep your own copy of it in session. There are probably many ways to keep your own copy.

Hope that helps!

[Ben Alex]

It seems like there would be a real benefit to being able to intercept/filter the post-authentication change for one-time session initialization (what I'm trying to do, or, say, logging a user authorization). I'm sure there's an easy way to do it that I'm just not seeing since I'm new to all of this.

Have you had a look at the net.sf.acegisecurity.providers.dao.event package? It was designed to support logging.

I've just added some hook methods to AbstractProcessingFilter. Hopefully they'll help with what you're trying to do.