
Thread: good basic example.

  1. #1

    Default good basic example.

    I have been playing with Acegi for a few hours but I'm totally lost in all the filters (and I don't like that). Does anyone have a simple example of security for a web application?

    It would be nice if simple examples like that were posted on the website... start simple...

  2. #2

    Default

    I think I have a basic structure... the main problem was in the order of the filter mappings.

    Code:
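    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
    <!-- The system identifier above must be a literal URL: a character
         reference such as &#58; is not expanded inside a DOCTYPE declaration. -->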
    
    <beans>
    
    	<!-- ===============================================================================
                    Security stuff
        ================================================================================ -->
    
        <!-- ======== Authenticatie =====================================================-->
    	
        <!--
        	- In-memory user store, referenced by daoAuthenticationProvider.
        	- Each userMap line reads username=password,AUTHORITY[,AUTHORITY...].
        	-
        	- Security note: the password below sits in clear text in this file
        	- and the only account holds ROLE_ADMIN. Treat it as a demo fixture;
        	- in a deployed application keep credentials out of the configuration
        	- and plug in a DAO backed by a real user store.
        	-
        	- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/dao/memory/InMemoryDaoImpl.html
        	-->
    	<bean 	id="memoryAuthenticationDao"
    			class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    
        	<property name="userMap">
            	<value>
                	peter=password,ROLE_ADMIN
            	</value>
        	</property>
    	</bean>
    
    
    	<!--
    		- Authentication provider that checks a submitted username and password
    		- against the user returned by the configured authenticationDao (here
    		- the in-memory DAO defined in this file).
    		-
    		- NOTE(review): no passwordEncoder property is set, so passwords are
    		- presumably compared as plain text. Confirm the default for your Acegi
    		- version and configure an encoder once users come from a real store.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/dao/DaoAuthenticationProvider.html
    		-->
    	<bean 	id="daoAuthenticationProvider"
    			class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    
    		<property name="authenticationDao">
             	<ref local="memoryAuthenticationDao"/>
         	</property>
    	</bean>
    
    
    	<!--
    		- Authentication manager shared by the login filter and the
    		- FilterSecurityInterceptor. It hands each authentication request to the
    		- providers in the list below; only the DAO provider is registered.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/ProviderManager.html
    		-->
    	<bean 	id="authenticationManager"
    			class="net.sf.acegisecurity.providers.ProviderManager">
    
        	<property name="providers">
            	<list>
                	<ref bean="daoAuthenticationProvider"/>
            	</list>
        	</property>
    	</bean>
    
    
    	<!-- ======== Authenticatie =====================================================-->
    	
    	
    	<!-- 
    		- Processes an authentication form.
    		-
    		- Requests to filterProcessesUrl are treated as login submissions and
    		- checked through authenticationManager. A failed login is sent to
    		- authenticationFailureUrl; defaultTargetUrl is where a successful login
    		- lands when no other target is known (presumably the originally
    		- requested page is preferred when there is one; confirm in the API docs).
    		-
    		- All three URLs are relative to the web application context path.
    		- 
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/AuthenticationProcessingFilter.html
    		-->
    	<bean 	id="authenticationProcessingFilter"
    			class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    
        	<property name="authenticationManager">
            	<ref bean="authenticationManager"/>
        	</property>
    
        	<property name="authenticationFailureUrl">
            	<value>/login.jsp?error=1</value>
        	</property>
    
        	<property name="defaultTargetUrl">
            	<value>/</value>
        	</property>
    
        	<property name="filterProcessesUrl">
            	<value>/j_acegi_security_check</value>
        	</property>
    	</bean>
    
    	<!-- ======== Authorisatie ======================================================-->
    
    	<!--
    		- Access decision manager that grants access only when no voter objects.
    		- The single voter is a RoleVoter, which votes on the ROLE_ attributes
    		- listed in the interceptor's objectDefinitionSource.
    		-
    		- allowIfAllAbstainDecisions is false, so a request on which every voter
    		- abstains is denied. Keep it false: that is the fail-closed setting.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/vote/UnanimousBased.html
    		-->
    	<bean 	id="accessDecisionManager"
    			class="net.sf.acegisecurity.vote.UnanimousBased">
    
        	<property name="allowIfAllAbstainDecisions">
            	<value>false</value>
        	</property>
    
        	<property name="decisionVoters">
            	<list>
        			<bean class="net.sf.acegisecurity.vote.RoleVoter"/>
            	</list>
        	</property>
    	</bean>
    
    
    	<!-- 
    		- This filter is necessary because it provides the bridge between incoming 
    		- requests and the FilterSecurityInterceptor instance.
    		-
    		- filterSecurityInterceptor makes the access decision for each request;
    		- authenticationEntryPoint is what starts a login when a request needs
    		- authentication and the caller has none.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/intercept/web/SecurityEnforcementFilter.html
    		-->
    	<bean 	id="securityEnforcementFilter"
    			class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    
    		<property name="filterSecurityInterceptor">
            	<ref bean="filterInvocationInterceptor"/>
        	</property>
    
        	<property name="authenticationEntryPoint">
            	<ref bean="authenticationEntryPoint"/>
        	</property>
    	</bean>
    
    		
    	<!-- 
    	 	- Used by the SecurityEnforcementFilter to commence authentication via the 
    	 	- AuthenticationProcessingFilter. This object holds the location of the login 
    	 	- form, relative to the web app context path, and is used to commence a redirect
    	 	- to that form.
    	 	-
    	 	- Security note: forceHttps is false, so the redirect to the login form
    	 	- is not forced onto HTTPS. Unless the whole site is already served over
    	 	- TLS, the username and password then travel in clear text; set it to
    	 	- true once the container has an HTTPS connector.
    	 	-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/AuthenticationProcessingFilterEntryPoint.html
    		-->
    	<bean 	id="authenticationEntryPoint" 
    			class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		
    		<property name="loginFormUrl">
    			<value>/login.jsp</value>
    		</property>
      		
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    	  	
    
    	<!-- 
    		- Performs security handling of HTTP resources via a filter implementation.
    		-
    		- For each request it looks up the attributes configured for the URL in
    		- objectDefinitionSource, authenticates through authenticationManager and
    		- asks accessDecisionManager whether the caller may proceed.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/intercept/web/FilterSecurityInterceptor.html
    		-->
    	<bean 	id="filterInvocationInterceptor"
    			class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    
    		<property name="authenticationManager">
            	<ref bean="authenticationManager"/>
            </property>
    
        	<property name="accessDecisionManager">
            	<ref bean="accessDecisionManager"/>
            </property>
    
            <!--
            	- List here the URL patterns of the resources that must be secured,
            	- one pattern=ROLE line each.
            	-
            	- CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request
            	- URL before matching, so every pattern must itself be written in
            	- lower case or it will never match.
            	- PATTERN_TYPE_APACHE_ANT selects Ant-style path patterns.
            	-
            	- Security note: only /secured.html is listed. A URL that matches no
            	- pattern is not restricted by this interceptor, so anything else in
            	- the application stays reachable without logging in until it gets
            	- its own line.
            	-->
        	<property name="objectDefinitionSource">
            	<value>
                	CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
               		PATTERN_TYPE_APACHE_ANT
                	/secured.html=ROLE_ADMIN
            	</value>
        	</property>
    	</bean>
    
    	<!--
    		- Populates a SecureContext from the HttpSession.
    		-
    		- The filter will inspect the HttpSession for an attribute with the name 
    		- indicated by ACEGI_SECURITY_AUTHENTICATION_KEY. If that attribute contains an 
    		- instance of Authentication, it will be placed into the ContextHolder. 
    		-
    		- The bean takes no properties; web.xml reaches it through a
    		- FilterToBeanProxy whose targetClass names this class.
    		-
    		- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/HttpSessionIntegrationFilter.html
    		-->
    	<bean 	id="httpSessionIntegrationFilter"
    	  		class="net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter"/>
    
    
    </beans>
    Code:
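    <?xml version="1.0" encoding="ISO-8859-1"?>
    
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <!-- The system identifier above must be a literal URL: a character
         reference such as &#58; is not expanded inside a DOCTYPE declaration. -->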
    
    <web-app>
    
    	<display-name>Template</display-name>
    
    	<description>Termplate Applicatie</description>
    
    	<!--
    	  - Locations of the XML files that make up the root application context.
    	  - Read by the context loader; this file registers ContextLoaderListener
    	  - further down.
    	  -
    	  - applicationContext-acegi-security.xml has to be listed here: the
    	  - FilterToBeanProxy filters below look their target beans up in this
    	  - root context.
    	  -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/applicationContext-database.xml
    			/WEB-INF/applicationContext-business.xml
    			/WEB-INF/applicationContext-acegi-security.xml
    		</param-value>
    	</context-param>
    
    	<!-- context-param>
    		<param-name>log4jConfigLocation</param-name>
    		<param-value>/WEB-INF/classes/log4j.properties</param-value>
    	</context-param -->
    
    	<!-- Responds to HTTP POSTs to the j_acegi_security_check URI and
    		- processes an authentication form.
    		- Login forms must present two parameters to this filter: 
    		- a username and password. The parameter names to use are contained 
    		- in the static fields ACEGI_SECURITY_FORM_USERNAME_KEY and 
    		- ACEGI_SECURITY_FORM_PASSWORD_KEY.
    		-
    		- FilterToBeanProxy does no security work itself: it delegates to the
    		- bean of type targetClass defined in the Spring application context,
    		- where the real filter is configured.  -->
    	<filter>
        	<filter-name>Acegi Authentication Processing Filter</filter-name>
        	<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        	<init-param>
            	<param-name>targetClass</param-name>
            	<param-value>
            		net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter
            	</param-value>
        	</init-param>
    	</filter>
    	
    	<!-- Provides HTTP request URL security, and also catches
    		 AcegiSecurityExceptions and sends 403 errors (if access denied)
    		 or commences an authentication mechanism as appropriate.
    		 Delegates, through FilterToBeanProxy, to the SecurityEnforcementFilter
    		 bean defined in the Spring application context. --> 
    	<filter>
        	<filter-name>Acegi HTTP Request Security Filter</filter-name>
        	<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    
        	<init-param>
            	<param-name>targetClass</param-name>
            	<param-value>
            		net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter
            	</param-value>
        	</init-param>
    	</filter>
    	
    	<!-- Obtains Authentication from HttpSession attribute, puts it into
    		 ContextHolder for request duration, proceeds with request, then
    		 copies Authentication from ContextHolder back into HttpSession.
    		 Delegates, through FilterToBeanProxy, to the
    		 HttpSessionIntegrationFilter bean in the Spring application context. -->
        <filter>
            <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
                <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</param-value>
            </init-param>
        </filter>
    
        <!--
        	- Order matters. The container invokes filters in the order in which
        	- their filter-mapping elements appear, so the sequence here is:
        	-   1. the login form processing filter,
        	-   2. the HttpSession integration filter, which places the stored
        	-      Authentication into the ContextHolder,
        	-   3. the request security filter, which makes the access decision.
        	- The security filter is mapped last so that it runs after the
        	- Authentication has been made available. NOTE(review): this is the
        	- ordering the thread reports as working for this Acegi release;
        	- check the reference guide if you use a different version.
        	-
        	- All three are mapped to /*, so every request passes through them.
        	-->
        <filter-mapping>
        	<filter-name>Acegi Authentication Processing Filter</filter-name>
        	<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
          	<filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
          	<url-pattern>/*</url-pattern>
        </filter-mapping>
    
    	<filter-mapping>
        	<filter-name>Acegi HTTP Request Security Filter</filter-name>
        	<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<!-- ============================================================
    	This listener gives every servlet access to the application context.
    	By default Spring uses /WEB-INF/applicationContext.xml to build the
    	application context; this file overrides that with the
    	contextConfigLocation context-param.
     	============================================================  -->
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    
    	<!-- Welcome files tried for a request that names a directory. -->
    	<welcome-file-list>
    		<welcome-file>index.htm</welcome-file>
    		<welcome-file>index.html</welcome-file>
    	</welcome-file-list>
    
    	<!-- Maps the JSTL core tag library URI to the local TLD file.
    		 The &#58; in taglib-uri is a character reference that an XML parser
    		 reads as a colon, so the URI is http://java.sun.com/jstl/core. -->
    	<taglib>
    		<taglib-uri>http&#58;//java.sun.com/jstl/core</taglib-uri>
    		<taglib-location>/WEB-INF/c.tld</taglib-location>
    	</taglib>
    
    </web-app>

  3. #3

    Default

    Your implementation looks good.

    We're working on a consolidate filter utility class that would mean web.xml is significantly simplified. Instead there would be just one bean that polls the needed filters, which should reduce complexity.

  4. #4

    Default

    Quote Originally Posted by Ben Alex
    Your implementation looks good.

    We're working on a consolidate filter utility class that would mean web.xml is significantly simplified. Instead there would be just one bean that polls the needed filters, which should reduce complexity.
    Nice.. but a good example would be helpful too.. Acegi is powerful but 'complex'. Everything makes sense after a while, but in the beginning it feels like an information overload.

  5. #5

    Default

    I totally agree! Acegi (to me at least) has a very steep learning curve.

    Anyways, I still haven't gotten any response on how to redirect 403 response to a user friendly page. Also I've tried securing access to a particular URL and I am still able to access it. I probably (or definitely) missed out something.

    I have the following defined in my application context:

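    <!-- FilterSecurityInterceptor as posted in the question, with the class
         name repaired (the forum had split it with a space). -->
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <!-- NOTE(review): CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the
         request URL before matching, so the mixed-case pattern on the mainMenu
         line below (kept as posted) cannot match /jsp/mainMenu.jsp and that URL
         stays unprotected. Write the pattern in lower case (mainmenu). The
         /lead/ pattern is already lower case. -->
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/jsp/mainMenu.*\Z=ROLE_USER
    \A/lead/.*\Z=ROLE_ADMIN
    </value>
    </property>
    </bean>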

    When I try accessing http://localhost:8080/myApp/jsp/mainMenu.jsp without being authenticated, I still get the page. I assume that it shouldn't. It says in the documentation that it should redirect to AuthenticationProcessingFilterEntryPoint's loginFormUrl. Apparently it doesn't. Am I missing something?

  6. #6

    Default

    Quote Originally Posted by mlim
    Anyways, I still haven't gotten any response on how to redirect 403 response to a user friendly page.
    Yes, sorry, I have been very busy with other things these past few days.

    Quote Originally Posted by mlim
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/jsp/mainMenu.*\Z=ROLE_USER
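    You are comparing with lowercase, but your mainMenu has an uppercase letter. Because CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request URL before matching, a pattern containing an uppercase letter can never match, and the URL is left unsecured. Try "mainmenu".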

  7. #7

    Default

    Quote Originally Posted by mlim
    I totally agree! Acegi (to me at least) has a very steep learning curve.
    I do agree, as I had to read the manual about two times to really get it. But once you get it, everything starts making sense.

    So to avoid the steep learning curve I would seriously advise anyone to get themselves a copy of Spring in Action. Chapter 11 of this book covers Acegi really really well!! It really simplifies Acegi. Couple this with the reference manual and you would be rolling.

  8. #8

    Default Simple Acegi example


  9. #9

    Question Basic example for custom authentication

    Hello

    I am new to Acegi and Spring in general and I am trying to write a simple webapp that will authenticate using my own mechanism. In other words, I want to implement my own AuthenticationProvider.
    So far I have configured this:
    HTML Code:
        <!-- Login form processing filter. Requests to filterProcessesUrl are
             treated as login submissions and passed to authenticationManager;
             a failed login is sent to authenticationFailureUrl, and
             defaultTargetUrl is used after a successful one when no other
             target is known. -->
        <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager">
                <ref bean="authenticationManager"/>
            </property>
            <property name="authenticationFailureUrl">
                <value>/login.jsp?error=1</value>
            </property>
            <property  name="defaultTargetUrl">
                <value>/</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    
        <!-- The authentication manager, which forwards each authentication
             request to the providers in the list below.
             myAuthenticationProvider is referenced here but not defined in this
             excerpt; it has to be declared as a bean whose class implements
             AuthenticationProvider. -->
        <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref bean="myAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
    And now I would like to have my authentication provider to be called so I can perform my own application's authentication.
    Can someone please direct me how to do this? which interface do I need to implement? or which class do I need to extend?

  10. #10
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team

    Default

    You need to implement AuthenticationProvider, as you said. The configuration you have shown looks OK.

    Please start a new thread in preference to continuing old threads (unless your post is very specifically about the content of the existing thread).
