Question regarding BasicProcessingFilter

**robmoore** · Jan 26th, 2005, 12:49 PM

I have a need for http basic authentication for one of my controllers (it generates a rss feed and basic authentication is the only commonly supported option). The BasicProcessingFilter seems to assume that the user agent will always supply the "Authorization" header without prompting. However, I believe that user agents typically will not supply the "Authorization" header unless prompted by a "HTTP/1.x 401 Unauthorized" response to a request. The code as written only provides this response if it is unable to process the provided authorization header data.

This seems a pretty typical flow (request, challenge, response) in a web application, so I'm wondering if there is a rationale for not supporting it. It seems as simple as calling

Code:

authenticationEntryPoint.commence&#40;request, response&#41;

if the authentication header doesn't exist just as is the case if authentication fails, but perhaps there is a complication I'm not taking into account.

Please enlighten me...

Thanks,

Rob

**robmoore** · Jan 26th, 2005, 03:09 PM

After reading http://forum.springframework.org/showthread.php?t=9937, I came to the conclusion that the problem is that the SecurityEnforcementFilter is pointing to a AuthenticationProcessingFilterEntryPoint rather than independently defined BasicProcessingFilterEntryPoint. I really want to support both models -- usually I want the AuthenticationProcessingFilterEntryPoint or form-based login -- so I'm curious if it's possible to have two SecurityEnforcementFilters defined. I tried it and it works for the controller that needs Basic authentication, but not for the ones that use form-based authentication. It looks like the user is not set up in session but at the same time I'm not presented with a form to log in so I suspect that something is amiss.

So does anybody know if this approach is supported?

Thanks,

Rob

**Ben Alex** · Jan 27th, 2005, 07:12 AM

You could make two separate SecurityEnforcementFilter instances with different AuthenticationEntryPoints. One could map (at a web.xml filter mapping level) to your RSS URIs, and the other to the remainder of your webapp.

Alternatively, you could write a new AuthenticationEntryPoint that proxies the AuthenticationProcessingFilterEntryPoint and BasicProcessingFilterEntryPoint. It woudl determine which to delegate to based on the ServletRequest passed as an argument to the commence(request, response) method.

**robmoore** · Jan 27th, 2005, 04:12 PM

Thanks, Ben.

I tried using two separate SecurityEnforcementFilters but the second one -- using the basic auth entry point -- doesn't seem to work. Looking at the log, it looks like the filter interceptor is never getting triggered.

Perhaps my configuration is incorrect, so please find the relevant parts below:

web.xml:

Code:

<filter>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
           <param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <url-pattern>*.rss</url-pattern>
    </filter-mapping>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>*.rss</url-pattern>
    </servlet-mapping>

applicationContext.xml:

Code:

<bean id="rssFilterSecurityInterceptor"
        class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
        </property>
        <property name="objectDefinitionSource">
            <value><!&#91;CDATA&#91;
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			    PATTERN_TYPE_APACHE_ANT
			    /feeds/*.rss=ROLE_USER
				&#93;&#93;></value>
        </property>
    </bean>
    <bean id="basicSecurityEnforcementFilter"
        class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
        <property name="filterSecurityInterceptor">
            <ref bean="rssFilterSecurityInterceptor"/>
        </property>
        <property name="authenticationEntryPoint">
            <ref bean="basicAuthenticationEntryPoint"/>
        </property>
    </bean>
    <bean id="basicProcessingFilter"
        class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="authenticationEntryPoint">
            <ref bean="basicAuthenticationEntryPoint"/>
        </property>
    </bean>
    <bean id="basicAuthenticationEntryPoint"
        class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
        <property name="realmName">
            <value>My Domain</value>
        </property>
    </bean>

And my log file:

Code:

2005-01-27 16&#58;04&#58;24,906 DEBUG &#91;net.sf.acegisecurity.ui.AbstractIntegrationFilter&#93; - <Authentication added to ContextHolder from container>
2005-01-27 16&#58;04&#58;24,908 DEBUG &#91;net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap&#93; - <Converted URL to lowercase, from&#58; 'org.apache.catalina.connector.RequestFacade@1ed957d'; to&#58; '/feeds/alerts.rss'>
2005-01-27 16&#58;04&#58;24,908 DEBUG &#91;net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap&#93; - <Candidate is&#58; '/feeds/alerts.rss'; pattern is /app/**; matched=false>
2005-01-27 16&#58;04&#58;24,908 DEBUG &#91;net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap&#93; - <Candidate is&#58; '/feeds/alerts.rss'; pattern is /admin/**; matched=false>
2005-01-27 16&#58;04&#58;24,908 DEBUG &#91;net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap&#93; - <Candidate is&#58; '/feeds/alerts.rss'; pattern is /servlet/**; matched=false>
2005-01-27 16&#58;04&#58;24,909 DEBUG &#91;net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap&#93; - <Candidate is&#58; '/feeds/alerts.rss'; pattern is /errors/**; matched=false>
2005-01-27 16&#58;04&#58;24,909 DEBUG &#91;net.sf.acegisecurity.intercept.AbstractSecurityInterceptor&#93; - <Public object - authentication not attempted>
2005-01-27 16&#58;04&#58;24,909 DEBUG &#91;net.sf.acegisecurity.intercept.AbstractSecurityInterceptor&#93; - <Authentication object detected and tagged as unauthenticated>
2005-01-27 16&#58;04&#58;24,909 DEBUG &#91;net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter&#93; - <Authorization header&#58; null

**Ben Alex** · Jan 28th, 2005, 12:20 AM

Looks OK to me, but where is your filter mapping that aims to load basicSecurityEnforcementFilter? It needs to only fire basicSecurityEnforcementFilter when *.rss is detected. Similarly, the other SecurityEnforcementFilter shouldn't get fired unless the path is not *.rss.

Thinking a bit more about the application context and web.xml duplication this approach would cause, I think it would be more elegant to use the delegating AuthenticationEntryPoint, just checking the request URL for whether it ends in rss and delegating accordingly. I just whipped one up for you (but didn't test it):

Code:

/* Copyright 2004 Acegi Technology Pty Limited
 *
 * Licensed under the Apache License, Version 2.0 &#40;the "License"&#41;;
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http&#58;//www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package net.sf.acegisecurity.intercept.web;

import net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint;
import net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;


/**
 * Demonstrates how to write a "delegating" entry point that dynamically
 * adjusts itself based on the URL.
 * 
 * @author Ben Alex
 */
public class DelegatingAuthenticationEntryPoint
    implements AuthenticationEntryPoint &#123;
    //~ Instance fields ========================================================

    AuthenticationEntryPoint rssEntryPoint = new BasicProcessingFilterEntryPoint&#40;&#41;;
    AuthenticationEntryPoint webuserEntryPoint = new AuthenticationProcessingFilterEntryPoint&#40;&#41;;

    //~ Methods ================================================================

    public void commence&#40;ServletRequest request, ServletResponse response&#41;
        throws IOException, ServletException &#123;
        if &#40;!&#40;request instanceof HttpServletRequest&#41;&#41; &#123;
            throw new ServletException&#40;"only supports HttpServletRequest"&#41;;
        &#125;

        HttpServletRequest httpRequest = &#40;HttpServletRequest&#41; request;

        if &#40;httpRequest.getServletPath&#40;&#41;.endsWith&#40;".rss"&#41;&#41; &#123;
            rssEntryPoint.commence&#40;request, response&#41;;
        &#125; else &#123;
            webuserEntryPoint.commence&#40;request, response&#41;;
        &#125;
    &#125;
&#125;

**robmoore** · Jan 28th, 2005, 11:28 AM

Thanks for the code, Ben.

Regarding your question about the filter mapping -- the *.rss mapping was provided in the snippet I posted before. Here is the corresponding bean definitions for the non-rss URLs:

Code:

 <bean id="filterInvocationInterceptor"
        class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
        </property>
        <property name="objectDefinitionSource">
            <value><!&#91;CDATA&#91;
			CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			    PATTERN_TYPE_APACHE_ANT
				/app/**=ROLE_USER
				/admin/**=ROLE_PRI_ADMIN
				/servlet/**=ROLE_USER
				/errors/**=ROLE_USER
				&#93;&#93;></value>
        </property>
    </bean>
    <bean id="authenticationProcessingFilter"
class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="authenticationFailureUrl">
            <value>/login/login.htm?login_error=1</value>
        </property>
        <property name="defaultTargetUrl">
            <value>/</value>
        </property>
        <property name="filterProcessesUrl">
            <value>/login/j_acegi_security_check</value>
        </property>
    </bean>
    <bean id="securityEnforcementFilter"
        class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
        <property name="filterSecurityInterceptor">
            <ref bean="filterInvocationInterceptor"/>
        </property>
        <property name="authenticationEntryPoint">
            <ref bean="authenticationProcessingFilterEntryPoint"/>
        </property>
    </bean>
    <bean id="authenticationProcessingFilterEntryPoint"
class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl">
            <value>/login/login.htm</value>
        </property>
        <property name="forceHttps">
            <value>false</value>
        </property>
    </bean>

With regards to the delegation approach -- I don't think it really saves anything in terms of configuration (if I understand correctly) because I still have to define the authentication entry points in the applicationContext.xml (I altered your code and made the entry points properties so I could configure them in the bean definition -- for example, setting the realmName property for the BasicProcessingFilterEntryPoint).

I'd prefer to use the dual definition approach. I think it would work if I could get the second filter to process the request. It appears as if the first filter correctly decides it isn't interested in the *.rss URL but the second filter is never asked (from what I can see in the logs). Is there something I need to do to chain the filters perhaps?

Thanks,

Rob

**Ben Alex** · Jan 30th, 2005, 04:11 PM

The only Acegi Security filter that will only execute once per request is AbstractIntegrationFilter.

I am uncertain why the second SecurityEnforcementFilter is never being called. I can only guess it's a web.xml configuration issue. Would you mind posting your entire web.xml, so I can see the order of and configuration of both the Filters themselves as well as their mappings?

**robmoore** · Jan 31st, 2005, 12:36 PM

Thanks, Ben. Please find the web.xml below:

Code:

<?xml version="1.0"?>
<web-app xmlns="http&#58;//java.sun.com/xml/ns/j2ee"
    xmlns&#58;xsi="http&#58;//www.w3.org/2001/XMLSchema-instance"
    xsi&#58;schemaLocation="http&#58;//java.sun.com/xml/ns/j2ee http&#58;//java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">
    <display-name>Lorem</display-name>
    <description>Lorem ipsem UI</description>
    <filter>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
        <filter-class>net.sf.acegisecurity.ui.AutoIntegrationFilter</filter-class>
    </filter>
    <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Acegi Security System for Spring Auto Integration Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml,/WEB-INF/applicationContext-datasource.xml,/WEB-INF/applicationContext-hibernate.xml,/WEB-INF/applicationContext-tracker.xml,/WEB-INF/applicationContext-director.xml,/WEB-INF/applicationContext-security.xml,/WEB-INF/applicationContext-scheduler.xml,/WEB-INF/applicationContext-page.xml,/WEB-INF/applicationContext-controller.xml,/WEB-INF/applicationContext-cache.xml</param-value>
    </context-param>
    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.xml</param-value>
    </context-param>
    <!-- This value MUST match the value in applicationContext-directory.xml for director bean property "contextRootKey" -->
    <context-param>
        <param-name>webAppRootKey</param-name>
        <param-value>lorem.root</param-value>
    </context-param>
    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>lorem</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>DisplayChart</servlet-name>
        <servlet-class>org.jfree.chart.servlet.DisplayChart</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>lorem</servlet-name>
        <url-pattern>*.htm</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>lorem</servlet-name>
        <url-pattern>*.xls</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>lorem</servlet-name>
        <url-pattern>*.pdf</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>lorem</servlet-name>
        <url-pattern>*.jsx</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>DisplayChart</servlet-name>
        <url-pattern>/servlet/DisplayChart</url-pattern>
    </servlet-mapping>
    <mime-mapping>
        <extension>ico</extension>
        <mime-type>image/x-icon</mime-type>
    </mime-mapping>
    <mime-mapping>
        <extension>jsx</extension>
        <mime-type>text/javascript</mime-type>
    </mime-mapping>
    <mime-mapping>
        <extension>ser</extension>
        <mime-type>application/java-serialized-object</mime-type>
    </mime-mapping>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
    <!-- Rss -->
    <filter>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
        <url-pattern>*.rss</url-pattern>
    </filter-mapping>
    <servlet-mapping>
        <servlet-name>lorem</servlet-name>
        <url-pattern>*.rss</url-pattern>
    </servlet-mapping>
    <!-- AXIS WS DEFINITION -->
    <servlet>
        <servlet-name>axis</servlet-name>
        <servlet-class> org.apache.axis.transport.http.AxisServlet
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>axis</servlet-name>
        <url-pattern>/ws/*</url-pattern>
    </servlet-mapping>
    <mime-mapping>
        <extension>wsdl</extension>
        <mime-type>text/xml</mime-type>
    </mime-mapping>
    <mime-mapping>
        <extension>xsd</extension>
        <mime-type>text/xml</mime-type>
    </mime-mapping>
</web-app>

**Ben Alex** · Feb 4th, 2005, 12:57 AM

Replace:

Code:

    <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
    </filter>

with

Code:

    <filter>
        <filter-name>Acegi HTTP Request Security Filter Number 1</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetBean</param-name>
            <param-value>basicSecurityEnforcementFitler</param-value>
        </init-param>
    </filter>
    <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy Number 2</filter-class>
        <init-param>
            <param-name>targetBean</param-name>
            <param-value>securityEnforcementFitler</param-value>
        </init-param>
    </filter>

You need to explicitly specifiy the two instances to call.

Just curious, what did you find wrong with the delegation approach? It would only mean you need one SecurityEnforcementFilter in web.xml and applicationContext.xml, and your "controller" logic that determines the appropriate entry point is within an obvious and configurable Java class. You'd also have only one location to setup your Ant or Regular Expression paths with secure URLs, meaning it's more flexible in the future.

Just thinking some more about the model, we probably could probably put inside the AuthenticationException the ConfigAttributeDefinition that caused the failure. As such, controller logic could be triggered on the presence of a declarative configuration attribute, such as COMMENCE_BASIC...

**robmoore** · Mar 4th, 2005, 05:28 PM

Sorry to return to this so late. I just returned to this issue after being called away on something else and I have upgraded to 0.8.0. I'm trying to use the delegation approach that was put forward by Ben as well as the new filter chain proxy feature in 0.8.0 and have been running into an issue. The authentication processing filter entry point results in a NPE. It looks like the issue is that the authException parameter in the commence method is null. I'm unsure where this should be populated. Anybody have an idea?

Thanks,

Rob

Thread: Question regarding BasicProcessingFilter

Thread Tools

Display

Question regarding BasicProcessingFilter

Similar Threads

Forgot password (e.g. secret question) using Acegi

design question: passing context

Let's say I want to build a blog (Newbie question on roles?)

Design question - Spring service with different user groups

Question regarding code in UI classes

Posting Permissions