
Thread: Question regarding BasicProcessingFilter

  1. #11
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    That's a bit odd, as we only added AuthenticationException (authException) to the AuthenticationEntryPoint signature for release 0.8.0:

    Code:
        public void commence(ServletRequest request, ServletResponse response,
            AuthenticationException authException)
            throws IOException, ServletException;
    It is most often called by the SecurityEnforcementFilter.sendStartAuthentication(FilterInvocation, AuthenticationException) method. I'd suggest you look at the stack trace for clues.

  2. #12
    Join Date
    Oct 2004
    Location
    Austin, TX, USA
    Posts
    60


    Hi, Ben,

    The auth exception object is referenced in the last line of the commence method:

    Code:
    public void commence(ServletRequest request, ServletResponse response,
            AuthenticationException authException)
            throws IOException, ServletException {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            httpResponse.addHeader("WWW-Authenticate",
                "Basic realm=\"" + realmName + "\"");
            httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                authException.getMessage());
    }
    Here's the stack trace:

    Code:
    java.lang.NullPointerException
    	net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint.commence(BasicProcessingFilterEntryPoint.java:75)
    	com.perfretail.k2v1.webapp1.web.acegi.DelegatingAuthenticationEntryPoint.commence(DelegatingAuthenticationEntryPoint.java:84)
    	net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.sendStartAuthentication(SecurityEnforcementFilter.java:253)
    	net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:201)
    	net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:153)
    	net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:212)
    	net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:372)
    	net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:217)
    	net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    	net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:179)
    	net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
    And here's my delegating auth entry point (based on your initial input):
    Code:
    import org.apache.log4j.Logger;
    
    import java.io.IOException;
    import java.util.Map;
    
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    
    import net.sf.acegisecurity.AuthenticationException;
    import net.sf.acegisecurity.intercept.web.AuthenticationEntryPoint;
    
    import org.springframework.util.Assert;
    
    public class DelegatingAuthenticationEntryPoint implements
    		AuthenticationEntryPoint {
    	/**
    	 * Logger for this class
    	 */
    	private static final Logger logger = Logger
    			.getLogger(DelegatingAuthenticationEntryPoint.class);
    
    	// ~ Instance fields
    	// ========================================================
    
    	Map authenticationEntryPointMap;
    
    	// ~ Methods
    	// ================================================================
    
    	public void commence(ServletRequest request, ServletResponse response,
    			AuthenticationException authException) throws IOException,
    			ServletException {
    		if (logger.isDebugEnabled()) {
    			logger
    					.debug("commence(ServletRequest, ServletResponse, AuthenticationException) - start");
    		}
    
    		if (!(request instanceof HttpServletRequest)) {
    			throw new ServletException("only supports HttpServletRequest");
    		}
    		Assert.notNull(authenticationEntryPointMap,
    				"Required property authenticationEntryPointMap is null");
    
    		HttpServletRequest httpRequest = (HttpServletRequest) request;
    
    		String servletPath = httpRequest.getServletPath();
    		String extension = servletPath.substring(servletPath.lastIndexOf('.') + 1);
    
    		AuthenticationEntryPoint entryPoint = (AuthenticationEntryPoint) authenticationEntryPointMap
    				.get(extension);
    
    		// attempt to get wildcard entry point
    		if (entryPoint == null) {
    			entryPoint = (AuthenticationEntryPoint) authenticationEntryPointMap
    					.get("*");
    		}
    
    		if (entryPoint != null) {
    			entryPoint.commence(request, response, authException);
    		}
    
    		if (logger.isDebugEnabled()) {
    			logger
    					.debug("commence(ServletRequest, ServletResponse, AuthenticationException) - end");
    		}
    	}
    
    	public Map getAuthenticationEntryPointMap() {
    		return authenticationEntryPointMap;
    	}
    
    	public void setAuthenticationEntryPointMap(Map authenticationEntryPointMap) {
    		this.authenticationEntryPointMap = authenticationEntryPointMap;
    	}
    
    }

  3. #13
    Join Date
    Oct 2004
    Location
    Austin, TX, USA
    Posts
    60


    I was just looking at the CVS commit message for BasicProcessingFilterEntryPoint and noticed the following:

    Added AuthenticationException to the commence method signature of the AuthenticationEntryPoint. The best example of this
    is the BasicProcessingFilterEntryPoint where the authException.getMessage() is used to send back an informative 401,
    instead of just the error code.
    In the event that credentials were provided but rejected, this makes sense and follows the spec (From http://www.w3.org/Protocols/rfc2616/...html#sec10.4.2):

    If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information.
    However, the problem seems to be that the case where the user has not provided credentials (i.e., the 'Authorization' header has not been provided) is not taken into account. In that case, I believe no exception exists because the filter chain processor assumes that's a valid case and moves on to the next filter.

    I'll admit this is a shot in the dark, but I see an AuthenticationCredentialsNotFoundException and a corresponding event, so perhaps I need to set up my delegating auth entry point to be a listener to this event somehow?

  4. #14
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    The problem was SecurityEnforcementFilter.java line 201.

    I was sending null to the SecurityEnforcementFilter.sendStartAuthentication method, which in turn led to null in the BasicProcessingFilterEntryPoint.

    I've just checked a fix into CVS. The new code is:

    Code:
            } catch (AccessDeniedException accessDenied) {
                if (authenticationTrustResolver.isAnonymous(
                        SecureContextUtils.getSecureContext().getAuthentication())) {
                    if (logger.isDebugEnabled()) {
                        logger.debug("Access is denied (user is anonymous); redirecting to authentication entry point",
                            accessDenied);
                    }
    
                    sendStartAuthentication(fi,
                        new InsufficientAuthenticationException(
                            "Full authentication is required to access this resource"));
            }....
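    The thread shows two ways this null can bite an entry point: the framework passing null into commence (fixed above in CVS), and a delegating entry point finding no mapped target and returning without sending any challenge. The following is an added example, not code from the thread or from Acegi, showing an entry point written defensively against both cases on the 0.8 commence signature. The class and the fallbackEntryPoint property are hypothetical names.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.intercept.web.AuthenticationEntryPoint;

/** Hypothetical delegating entry point: picks a target by request extension, and
 *  fails closed (plain 401) instead of silently returning when nothing matches. */
public class NullSafeDelegatingEntryPoint implements AuthenticationEntryPoint {
    private Map authenticationEntryPointMap;          // extension -> AuthenticationEntryPoint
    private AuthenticationEntryPoint fallbackEntryPoint; // assumed extra property, may be null

    public void commence(ServletRequest request, ServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("only supports HttpServletRequest");
        }
        String servletPath = ((HttpServletRequest) request).getServletPath();
        int dot = servletPath.lastIndexOf('.');
        // a path with no extension must not be looked up under its own name
        String key = (dot < 0) ? "*" : servletPath.substring(dot + 1);

        AuthenticationEntryPoint target = (AuthenticationEntryPoint) authenticationEntryPointMap.get(key);
        if (target == null) {
            target = (AuthenticationEntryPoint) authenticationEntryPointMap.get("*");
        }
        if (target == null) {
            target = fallbackEntryPoint;
        }
        if (target == null) {
            // no challenge configured: still refuse, rather than leave the response uncommitted
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // tolerate a null authException (the pre-fix behaviour seen in the stack trace above)
        String reason = (authException == null) ? "Full authentication is required"
                                                : authException.getMessage();
        ((HttpServletResponse) response).setHeader("X-Auth-Reason", reason); // diagnostic only
        target.commence(request, response, authException);
    }

    public void setAuthenticationEntryPointMap(Map m) { this.authenticationEntryPointMap = m; }
    public void setFallbackEntryPoint(AuthenticationEntryPoint p) { this.fallbackEntryPoint = p; }
}
```

    Wire the map as before; the wildcard "*" key now also serves extension-less paths, and the fallback only matters when the map has no wildcard entry.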

  5. #15
    Join Date
    Oct 2004
    Location
    Austin, TX, USA
    Posts
    60


    Thanks, Ben. I'll give it a go later today.

    I appreciate your looking at this.

    Rob
