Thread: Upgrading to 0.8.0

  1. #1

    Default Upgrading to 0.8.0

    I'm trying to upgrade to 0.8.0 and have a couple of questions. With 0.7.0, I only mapped the filters to specific URLs, so they didn't always get processed when they didn't need to be. With 0.8.0, I've tried to do the same thing (see below), but it doesn't seem to work. Should this be possible?

    Code:
        <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter
                    /j_security_check=authenticationProcessingFilter
                    /*.html*=anonymousProcessingFilter,securityEnforcementFilter
                </value>
            </property>
        </bean>
    Also, I noticed that ContextHolderAwareRequestFilter still needs to be added to my web.xml and it doesn't work if I add it as a mapping in the filterChainProxy bean. Is that as designed?

    When I put all the filters following each other after /**, like in the contacts example, everything works, but I'm unable to log out b/c I keep getting logged in again. Logout used to work before, but I suspect the map-to-everything scenario is logging me in again shortly after I hit /logout.jsp - where my session is invalidated.

    Thanks,

    Matt

  2. #2

    Matt,

    I had the same problem with logging out. The authentication obj is no longer stored in the session as per the new docs. As a result, you can only pull it out via the context. So in order to logout the user you have to do ContextHolder.setContext(null);

    I'm not sure about your other questions, unfortunately.

    --Rexxe

  3. #3

    Hmmm, this definitely seems like it might be a better choice architecturally, but this means I have to add Acegi-specific code into my app - whereas I never had to before. So far, I've been able to integrate Acegi Security and provide a clean path to back it out and use CMA. Oh well, I guess it's only one line users will have to change.

  4. #4

    I minimized my use of Acegi code by making a utility class. Then all I have to do is change one file.

  5. #5

    Hi Matt

    I think your issue is that FilterChainProxy, like FilterSecurityInterceptor, uses FilterInvocationDefinitionSource. The default implementation parses top-down, stopping at the first matching Ant Path. As such your earlier /** would match anything, and that might be the issue. Perhaps try the following re-ordering so more specific URLs are at the top:

    Code:
        <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /j_security_check=authenticationProcessingFilter
                    /*.html*=anonymousProcessingFilter,securityEnforcementFilter
                    /**=httpSessionContextIntegrationFilter
                </value>
            </property>
        </bean>

  6. #6

    Quote Originally Posted by Ben Alex
    Hi Matt

    Perhaps try the following re-ordering so more specific URLs are at the top:

    Code:
        <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /j_security_check=authenticationProcessingFilter
                    /*.html*=anonymousProcessingFilter,securityEnforcementFilter
                    /**=httpSessionContextIntegrationFilter
                </value>
            </property>
        </bean>
    I tried this and it first resulted in the following error when I first tried to hit the application.

    Code:
    java.lang.IllegalStateException: ContextHolder invalid: 'null': are your filters ordered correctly? HttpSessionContextIntegrationFilter should have already executed by this time (look for it in the stack dump below)
    	at net.sf.acegisecurity.context.security.SecureContextUtils.getSecureContext(SecureContextUtils.java:38)
    	at net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:136)
    So I added httpSessionContextIntegrationFilter to the start of the /*.html* mapping and it resulted in a 404 when going to /j_security_check.

    This seems to be the only thing that works:

    Code:
        <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,remoteUserFilter,anonymousProcessingFilter,securityEnforcementFilter 
                </value>
            </property>
        </bean>
    Matt

  7. #7

    I tried the following and it seems to work fine, but I don't know whether it is better or not.
    Code:
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy"> 
            <property name="filterInvocationDefinitionSource"> 
                <value> 
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON 
                    PATTERN_TYPE_APACHE_ANT 
                    /j_security_check=httpSessionContextIntegrationFilter,authenticationProcessingFilter
                    /*.html*=httpSessionContextIntegrationFilter,anonymousProcessingFilter
                    /**=httpSessionContextIntegrationFilter,securityEnforcementFilter 
                </value> 
            </property> 
        </bean>

  8. #8

    Yes, you need HttpSessionContextIntegrationFilter in every mapping where Acegi Security filters or AbstractSecurityInterceptor subclasses will be used.
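
Added example, not part of any post in this thread and not Acegi code: a small checker that replays the top-down, first-match-wins resolution described in post #5 over the mapping lists from posts #1, #5 and #7, and flags the two problems the thread runs into (mappings shadowed by an earlier `/**`, and chains that do not start with HttpSessionContextIntegrationFilter as post #8 requires). The Ant matcher is a simplified stand-in, and the function names `parse`, `resolve` and `audit` are assumptions of this example.

```python
import re
REQUIRED_FIRST = "httpSessionContextIntegrationFilter"
HEADER = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\nPATTERN_TYPE_APACHE_ANT\n"
# Mapping lists from posts #1, #5 and #7 (bean names spelled as in the other posts).
POST1 = HEADER + """/**=httpSessionContextIntegrationFilter
/j_security_check=authenticationProcessingFilter
/*.html*=anonymousProcessingFilter,securityEnforcementFilter"""
POST5 = HEADER + """/j_security_check=authenticationProcessingFilter
/*.html*=anonymousProcessingFilter,securityEnforcementFilter
/**=httpSessionContextIntegrationFilter"""
POST7 = HEADER + """/j_security_check=httpSessionContextIntegrationFilter,authenticationProcessingFilter
/*.html*=httpSessionContextIntegrationFilter,anonymousProcessingFilter
/**=httpSessionContextIntegrationFilter,securityEnforcementFilter"""

def ant_to_regex(pattern):
    """Simplified Ant matcher (assumption): ** crosses '/', * and ? do not."""
    parts = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("".join(table.get(p) or re.escape(p) for p in parts) + r"\Z")

def parse(value_text):
    """Return (lowercase_flag, [(pattern, [filter bean names])]) in file order."""
    lowercase, rules = False, []
    for line in (raw.strip() for raw in value_text.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), [f.strip() for f in chain.split(",")]))
    return lowercase, rules

def resolve(url, config):
    """Top-down, first match wins: the chain a request gets, or None if no match."""
    lowercase, rules = config
    path = url.lower() if lowercase else url
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return chain

def audit(config):
    """Flag mappings shadowed by an earlier /** and chains missing the context filter."""
    findings, catch_all_seen = [], False
    for pattern, chain in config[1]:
        if catch_all_seen:
            findings.append((pattern, "unreachable: an earlier /** matches first"))
        elif chain[0] != REQUIRED_FIRST:
            findings.append((pattern, "chain does not start with " + REQUIRED_FIRST))
        catch_all_seen = catch_all_seen or pattern == "/**"
    return findings
```

With post #1's ordering, `resolve("/j_security_check", parse(POST1))` returns only the context filter, so authenticationProcessingFilter never runs for the login URL; `audit(parse(POST7))` returns no findings.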
