
Thread: Why anonymous denied exception occurred? Can somebody help me

  1. #1
    Join Date
    Mar 2005
    Posts
    5

    Why anonymous denied exception occurred? Can somebody help me

    I am trying Acegi 0.8, and I deployed my own system like the contacts sample. But an 'anonymous denied exception' occurs.
    Here is the exception stack:
    [DEBUG,SecurityEnforcementFilter,http-8080-Processor5] Access is denied (user is anonymous); redirecting to authentication entry point
    net.sf.acegisecurity.AccessDeniedException: Access is denied.
    at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:86)
    at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:419)
    at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
    at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:153)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:114)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:374)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
    at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
    at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:179)
    at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:146)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:209)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:144)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)


    Here is the web.xml

    <web-app>
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/classes/applicationContext-action.xml
    /WEB-INF/classes/applicationContext-hibernate.xml
    /WEB-INF/classes/applicationContext-sevice.xml
    /WEB-INF/classes/applicationContext-security.xml
    </param-value>
    </context-param>
    <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/classes/log4j.properties</param-value>
    </context-param>

    <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
    </filter>

    <filter>
    <filter-name>sitemesh</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
    </filter>

    <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>sitemesh</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Inspect context param "contextConfigLocation". If none exists, use default "applicationContext.xml" -->
    <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- This listener is configured for XWork-Spring integration -->
    <listener>
    <listener-class>com.opensymphony.xwork.spring.SpringObjectFactoryListener</listener-class>
    </listener>

    <listener>
    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>
    <!--
    The HttpSessionEventPublisher will publish
    HttpSessionCreatedEvent and HttpSessionDestroyedEvent
    to the WebApplicationContext
    -->
    <listener>
    <listener-class>net.sf.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <!-- Webwork dispatch -->
    <servlet>
    <servlet-name>webworkDispatcher</servlet-name>
    <servlet-class>com.opensymphony.webwork.dispatcher.ServletDispatcher</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>webworkDispatcher</servlet-name>
    <url-pattern>*.action</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <error-page>
    <error-code>404</error-code>
    <location>/error.jsp</location>
    </error-page>
    <!-- Tag lib for sitemesh -->
    <taglib>
    <taglib-uri>sitemesh-decorator</taglib-uri>
    <taglib-location>/WEB-INF/sitemesh-decorator.tld</taglib-location>
    </taglib>
    <taglib>
    <taglib-uri>sitemesh-page</taglib-uri>
    <taglib-location>/WEB-INF/sitemesh-page.tld</taglib-location>
    </taglib>
    <!-- Tag lib for WebWork -->
    <taglib>
    <taglib-uri>webwork</taglib-uri>
    <taglib-location>/WEB-INF/lib/webwork-2.1.7.jar</taglib-location>
    </taglib>
    </web-app>


    Here is application-security.xml
    <beans>
    <!-- ************************************************************* -->
    <!-- ******************* Acegi Security Configure **************** -->
    <!-- ************************************************************* -->
    <!-- ======================== FILTER CHAIN ======================= -->


    <!-- if you wish to use channel security, add "channelProcessingFilter,"
    in front of "httpSessionContextIntegrationFilter" in the list
    below
    -->
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy" >
    <property name="filterInvocationDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
    </value>
    </property>
    </bean>
    <!--
    A Context can be setup in the ContextHolder at the beginning of a web request,
    and any changes to the Context can be copied to the HttpSession when the web
    request ends (ready for use with the next web request)
    -->
    <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
    <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
    </bean>
    <!--
    Authentication processing mechanisms: AuthenticationProcessingFilter, BasicProcessingFilter,
    so that the ContextHolder can be modified to contain a valid Authentication request token
    -->
    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
    <property name="defaultTargetUrl"><value>/</value></property>
    <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>

    <!-- ======================== AUTHENTICATION ======================= -->
    <!--
    authenticationManager bean definition
    -->
    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
    <property name="providers">
    <list>
    <ref local="daoAuthenticationProvider"/>
    <ref local="anonymousAuthenticationProvider"/>
    <ref local="rememberMeAuthenticationProvider"/>
    </list>
    </property>
    </bean>
    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="authenticationDao"><ref local="inMemoryDaoImpl"/></property>
    <property name="userCache"><ref local="userCache"/></property>
    </bean>
    <bean id="anonymousAuthenticationProvider" class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key"><value>foobar</value></property>
    </bean>
    <bean id="rememberMeAuthenticationProvider" class="net.sf.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    <property name="key"><value>springRocks</value></property>
    </bean>
    <bean id="jdbcDaoImpl" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
    <property name="dataSource"><ref bean="c3p0DataSource"/></property>
    </bean>
    <bean id="inMemoryDaoImpl" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
    <value>
    mary=mary,ROLE_USER,ROLE_SUPERVISOR
    dinner=dinner,ROLE_USER
    scott=scott,ROLE_USER
    peter=peter,disabled,ROLE_USER
    </value>
    </property>
    </bean>
    <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache"><ref local="userCacheBackend"/></property>
    </bean>
    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager">
    <ref local="cacheManager"/>
    </property>
    <property name="cacheName">
    <value>userCache</value>
    </property>
    </bean>
    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
    <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.Md5PasswordEncoder"/>

    <!-- authenticationManager bean definition end -->
    <!-- rememberMeServices bean definition start -->
    <bean id="rememberMeServices" class="net.sf.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="authenticationDao"><ref local="jdbcDaoImpl"/></property>
    <property name="key"><value>springRocks</value></property>
    </bean>
    <!-- rememberMeServices bean definition end -->

    <bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager"><ref local="authenticationManager"/></property>
    <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
    </bean>
    <bean id="basicProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName"><value>Contacts Realm</value></property>
    </bean>

    <!--
    If no earlier authentication processing mechanism updated the ContextHolder, and the
    request presents a cookie that enables remember-me services to take place, a suitable
    remembered Authentication object will be put there.
    -->
    <bean id="rememberMeProcessingFilter" class="net.sf.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>
    <!--
    If no earlier authentication processing mechanism updated the ContextHolder, an anonymous
    Authentication object will be put there.
    -->
    <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key"><value>foobar</value></property>
    <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
    </bean>
    <!--
    To protect web URIs and catch any Acegi Security exceptions so that an appropriate
    AuthenticationEntryPoint can be launched
    -->
    <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
    <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
    </bean>
    <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl"><value>/login.jsp</value></property>
    <property name="forceHttps"><value>false</value></property>
    </bean>

    <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
    The FilterSecurityInterceptor will work from the top of the list down to the FIRST
    pattern that matches the request URL.
    Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first,
    with LEAST SPECIFIC (ie a/.*) expressions last
    -->
    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
    <property name="objectDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /index.jsp=ROLE_USER
    /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
    /**=ROLE_USER
    </value>
    </property>
    </bean>
    <bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased" >
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
    <list>
    <ref bean="roleVoter"/>
    </list>
    </property>
    </bean>
    <!-- An access decision voter that reads ROLE_* configuration settings -->
    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    <!-- Automatically receives AuthenticationEvent messages from DaoAuthenticationProvider -->
    <bean id="loggerListener" class="net.sf.acegisecurity.providers.dao.event.LoggerListener" />

    </beans>

    In fact, when I navigate to http://localhost:8080/myapp/, the login.jsp page appears and there is no error on this page, but it occurs at the console. After I log in successfully (login with correct username/password), there is no exception. Can somebody help me?? :cry:

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Sounds like you're receiving the correct behaviour. The DEBUG of the exception is just so you know why you were directed to the AuthenticationEntryPoint. It is by design. You can reduce logging levels for the SecurityEnforcementFilter if seeing the errors is a concern/issue.
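
Why the posted configuration produces this DEBUG entry, as an added example that is not part of the original thread and is not Acegi code: a simplified Java model of the first-match URL rules from the posted objectDefinitionSource and of a single role voter under an affirmative decision. The class name, the helper methods and the Ant-to-regex translation are assumptions made for illustration.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration: a simplified model of the thread's URL rules and role vote.
// It does not use or reproduce Acegi classes.
public class AnonymousDeniedDemo {
    // Rules copied from the posted filterInvocationInterceptor, in their original order.
    static final String[][] RULES = {
        {"/index.jsp",  "ROLE_USER"},
        {"/login.jsp*", "ROLE_ANONYMOUS,ROLE_USER"},
        {"/**",         "ROLE_USER"},
    };

    // Approximate Ant-style matching: "**" spans directories, "*" stays within one segment.
    static Pattern antToRegex(String ant) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                sb.append(".*");
                i++; // consume the second '*'
            } else if (c == '*') {
                sb.append("[^/]*");
            } else {
                sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(sb.toString());
    }

    // The first matching pattern wins, as the comment in the posted config states.
    static List<String> requiredRoles(String url) {
        String path = url.toLowerCase(); // CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        for (String[] rule : RULES) {
            if (antToRegex(rule[0]).matcher(path).matches()) {
                return Arrays.asList(rule[1].split(","));
            }
        }
        return Collections.emptyList();
    }

    // One role voter, affirmative decision: holding any required role grants access.
    static boolean granted(String url, Set<String> held) {
        List<String> required = requiredRoles(url);
        if (required.isEmpty()) return true; // no rule matched: this model treats the URL as unsecured
        for (String role : required) {
            if (held.contains(role)) return true;
        }
        return false; // the point where the thread's AccessDeniedException is raised
    }

    public static void main(String[] args) {
        Set<String> anonymous = new HashSet<>(Arrays.asList("ROLE_ANONYMOUS"));
        Set<String> scott = new HashSet<>(Arrays.asList("ROLE_USER"));
        for (String url : new String[] {"/", "/index.jsp", "/login.jsp?login_error=1"}) {
            System.out.println(url + " anonymous=" + granted(url, anonymous) + " scott=" + granted(url, scott));
        }
    }
}
```

In this model an anonymous request for `/` falls through to `/**=ROLE_USER` and is denied, which corresponds to the redirect to the authentication entry point that the DEBUG line reports; only `/login.jsp*` lists ROLE_ANONYMOUS.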

  3. #3
    Join Date
    Mar 2005
    Posts
    5

    Thanks Ben a lot.

    Hi Ben, thanks a lot for your answer. But I have another question, will you please help me?
    The question is how to control whether a hyperlink is visible or not.
    For example as the Reference Documentation said:
    <authz:authorize ifAllGranted="ROLE_SUPERVISOR">
    <td>
    <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>
    </td>
    </authz:authorize>

    That's to say, I should use the user's role to decide whether the link is visible, right? But in fact, the roles in a production system are always variable; for example, a user can add or remove a role. So can Acegi deal with this situation, and how?

    Thanks in advance.

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    The taglibs all assume the base roles will remain static at application deployment time. However, membership of each role can vary at runtime. If you need to modify the base roles at runtime, you'll need to write your own taglib. Although, I assume that means the JSPs themselves can also have their content modified at runtime for this to be beneficial.

    In many situations, needing to add and remove roles at runtime generally points to a better fit with ACL security instead of role security. There are ACL-related taglibs that might suit you better.

  5. #5
    Join Date
    Mar 2005
    Posts
    5


    Good idea! Using ACL control instead of role-based control. And in fact I refine my domain model..... Trying...

    Thanks a lot Ben.
