
Thread: Problem with AuthenticationProcessingFilter

  1. #1
    Join Date
    Jan 2005
    Posts
    23

    Default Problem with AuthenticationProcessingFilter

    Hey all,

    I'm pretty new to Acegi, and I was more or less following the tutorial in the Javalobby article here:

    http://www.javalobby.org/articles/ac...rity/part1.jsp

    However, the problem I'm running into is that after an authentication attempt on a login form, regardless of authentication success or failure, I'm being sent to the root context of my webapp instead of the login failure URL or the defaultTargetUrl. Does anyone know why this might be happening?

  2. #2
    Join Date
    Jan 2005
    Posts
    23

    Default More info...

    Basically, the login.jsp I'm using just takes two text inputs, j_password and j_username, like the docs suggest. The form on login.jsp posts to "j_acegi_security_check".

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Are you using Acegi Security 0.7.0 official release? Could you please post your web.xml and security-related IoC XML declarations?

  4. #4
    Join Date
    Jan 2005
    Posts
    23

    Default Ok, here you go.

    web.xml:


    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext.xml</param-value>
    </context-param>

    <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <!-- ### Filters -->

    <!-- This is for Acegi Only Security -->

    <filter>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- Ensures that the Authentication object is bound to ContextHolder for duration of request -->

    <filter>
    <filter-name>Acegi Session Integration Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>Acegi Session Integration Filter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- This filter is responsible for securing all protected URLs from requests. If user not authenticated, redirects to login -->

    <filter>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>



    applicationContext.xml:


    <beans default-lazy-init="false" default-dependency-check="none" default-autowire="no">

    <bean id="memoryAuthenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
    <value>
    user=password,ROLE_ADMIN
    </value>
    </property>
    </bean>

    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao">
    <ref local="memoryAuthenticationDao"/>
    </property>
    </bean>

    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
    <list>
    <ref bean="daoAuthenticationProvider"/>
    </list>
    </property>
    </bean>

    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    <property name="authenticationFailureUrl">
    <value>/login.jsp?error=1</value>
    </property>
    <property name="defaultTargetUrl">
    <value>/home.jsp</value>
    </property>
    <property name="filterProcessesUrl">
    <value>/j_acegi_security_check</value>
    </property>
    </bean>

    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

    <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions">
    <value>false</value>
    </property>
    <property name="decisionVoters">
    <list>
    <ref local="roleVoter"/>
    </list>
    </property>
    </bean>

    <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor">
    <ref bean="filterInvocationInterceptor"/>
    </property>
    <property name="authenticationEntryPoint">
    <ref bean="authenticationEntryPoint"/>
    </property>
    </bean>

    <bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl">
    <value>/login.jsp</value>
    </property>
    </bean>

    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /secure/super/**=ROLE_SUPERVISOR
    /secure/.* =ROLE_USER,ROLE_SUPERVISOR
    </value>
    </property>
    </bean>

    <bean id="sessionIntegrationFilter" class="net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default"/>


    </beans>

  5. #5
    Join Date
    Jan 2005
    Posts
    23

    Default And yes...

    I'm using the Acegi 0.7 release

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    It's interesting. Your configuration looks OK. Few questions:

    1. Does the contacts sample application work properly?

    2. Which web server and version?

    3. Can you please provide debug-level logging on an attempt to login, so I can see whether it is retrieving the redirection URL correctly out of the HttpSession?

    Thanks

  7. #7
    Join Date
    Jan 2005
    Posts
    23

    Default

    Quote Originally Posted by Ben Alex
    It's interesting. Your configuration looks OK. Few questions:

    1. Does the contacts sample application work properly?

    2. Which web server and version?

    3. Can you please provide debug-level logging on an attempt to login, so I can see whether it is retrieving the redirection URL correctly out of the HttpSession?

    Thanks

    1. I tried running the contacts sample application, but the hypersonic database keeps giving me a "The database is already in use by another process" SQLException.

    2. I'm using JBoss-3.2.5, which comes bundled with Tomcat 5.0.

    3. Here is the debug level logging. It begins from when the login page is loaded up until I enter in a bad password (on purpose) and am redirected to the root context (instead of the login failure URL).

    2005-02-07 14:57:26,282 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
    2005-02-07 14:57:26,282 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/login.jsp'; pattern is /secure/super/**; matched=false
    2005-02-07 14:57:26,282 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/login.jsp'; pattern is /secure/.* ; matched=false
    2005-02-07 14:57:26,282 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] Public object - authentication not attempted
    2005-02-07 14:57:26,282 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext;hashCode=1069246]: net.sf.acegisecurity.intercept.event.PublicInvocationEvent[source=FilterInvocation: URL: /login.jsp]
    2005-02-07 14:57:26,298 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)
    2005-02-07 14:57:26,423 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] ContextHolder does not contain any authentication information
    2005-02-07 14:57:26,423 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] Chain processed normally
    2005-02-07 14:57:29,670 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] Request is to process authentication
    2005-02-07 14:57:29,670 DEBUG [net.sf.acegisecurity.providers.ProviderManager] Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider
    2005-02-07 14:57:29,670 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext;hashCode=1069246]: net.sf.acegisecurity.providers.dao.event.AuthenticationFailureUsernameNotFoundEvent[source=net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@584be7: Username: asdfasdf; Password: [PROTECTED]; Authenticated: false; Details: 127.0.0.1; Not granted any authorities]
    2005-02-07 14:57:29,670 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] Authentication request failed: net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
    2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/'; to: '/'
    2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/'; pattern is /secure/super/**; matched=false
    2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/'; pattern is /secure/.* ; matched=false
    2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] Public object - authentication not attempted
    2005-02-07 14:57:29,717 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext;hashCode=1069246]: net.sf.acegisecurity.intercept.event.PublicInvocationEvent[source=FilterInvocation: URL: /]
    2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] Authentication not added to ContextHolder (could not extract an authentication object from the container which is an instance of Authentication)
    2005-02-07 14:57:29,764 DEBUG [net.sf.acegisecurity.ui.AbstractIntegrationFilter] ContextHolder does not contain any authentication information
    2005-02-07 14:57:29,764 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] Chain processed normally



    Also, here's another funny thing. If I navigate directly to j-acegi-security-check, I get automatically directed to the login failure URL, which is correct since there is no j_password & j_username in the request. However, under all other circumstances (either via post or redirect with j_password & j_username as request params), I am directed to the root context.

  8. #8
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    We need to rule out Acegi Security itself versus your configuration of Acegi Security in your particular webapp.

    Can you try to get the Hypersonic SQL issue sorted out, so you can try the official Contacts sample?

  9. #9
    Join Date
    Jan 2005
    Posts
    23

    Default

    Quote Originally Posted by Ben Alex
    We need to rule out Acegi Security itself versus your configuration of Acegi Security in your particular webapp.

    Can you try to get the Hypersonic SQL issue sorted out, so you can try the official Contacts sample?

    Found the problem. There was a bug in my app in handling form submission. Basically, it was spawning off two separate requests, the latter of which ended up directing me to the root context. After resolving this, Acegi works like it should.

    Thanks for taking the time to give this a look though. I appreciate it.
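
Added example, not part of the original thread: a small Python check over Acegi debug output like the log in post #7, reporting which URL was requested right after each failed authentication and whether its path matches the configured authenticationFailureUrl. The sample lines are abridged from that log, and the function name `post_failure_requests` is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: four lines abridged from the debug log posted in the thread.
SAMPLE_LOG = """\
2005-02-07 14:57:26,282 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/login.jsp'; to: '/login.jsp'
2005-02-07 14:57:29,670 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] Request is to process authentication
2005-02-07 14:57:29,670 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] Authentication request failed: net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
2005-02-07 14:57:29,717 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/'; to: '/'
"""

# "<date> <time> DEBUG [<logger>] <message>"
LINE = re.compile(r"^(\S+ \S+) DEBUG \[([^\]]+)\] (.*)$")
# The security interceptor logs every URL it evaluates in this form.
URL = re.compile(r"Converted URL to lowercase, from: '([^']*)'")


def post_failure_requests(log_text, failure_url):
    """For each failed authentication, return (timestamp, path, matches)
    for the next request the filter chain evaluated. Only paths are
    compared, so a query string on failure_url is ignored."""
    expected = urlsplit(failure_url).path
    findings = []
    awaiting = False  # True between a failure and the next logged request
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, logger, msg = m.groups()
        if (logger.endswith("AbstractProcessingFilter")
                and msg.startswith("Authentication request failed")):
            awaiting = True
            continue
        hit = URL.search(msg)
        if awaiting and hit:
            path = urlsplit(hit.group(1)).path
            findings.append((ts, path, path == expected))
            awaiting = False
    return findings


if __name__ == "__main__":
    for ts, path, ok in post_failure_requests(SAMPLE_LOG, "/login.jsp?error=1"):
        print(ts, path, "matches failure URL" if ok else "UNEXPECTED target")
```

On the sample, the request following the failure is for `/` rather than `/login.jsp`, which is the symptom described in the thread.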
