
Thread: Endless loop in web authentication

  1. #1

    Endless loop in web authentication

    I am trying to use form-based authentication and am running into this weird problem of getting into an endless loop.
    When I try to access any page, it redirects to the login page (which is login.jsp in my case), and then it tries to redirect again and again to the login page.

    I have pasted my web.xml and Spring bean entries below. Please let me know what I am missing here that's causing this.
    Please note that if I change the url-pattern to only *.do, it works, because the login page is a .jsp file and the filter is not invoked again; but then another weird problem happens: it does not recognize j_acegi_security_check, so I had to append .do to the end of j_acegi_security_check as well. So to work with the *.do url-pattern, I had to use j_acegi_security_check.do in both places (in the bean and in the login form).

    Here are my web.xml entries
    <!-- Root Spring context: both files are loaded from the classpath; security.xml is where the
         Acegi beans shown further down live. -->
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
    classpath:applicationContext.xml
    classpath:security.xml
    </param-value>
    </context-param>
    <!-- Location of the log4j configuration for this web application. -->
    <context-param>
    <param-name>log4jConfigLocation</param-name>
    <param-value>/WEB-INF/log4j.xml</param-value>
    </context-param>

    <!-- Servlet filter that delegates to the Spring bean of the class named in targetClass
         (the filterChainProxy bean below), so the actual filter chain is configured in Spring. -->
    <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
    <param-name>targetClass</param-name>
    <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
    </filter>
    <!-- /* sends every request through the Acegi chain, including the browser's follow-up request for
         /login.jsp after the entry point redirects there. The login page therefore has to be reachable
         by a request that has not authenticated yet, or each redirect is intercepted again (this is
         the loop discussed in posts #8 and #9 below). -->
    <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

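    <!-- Bootstraps the Spring root WebApplicationContext from the contextConfigLocation files above.
         The class name is one token: the space in the pasted copy ("ContextLoade rServlet") was
         forum line-wrapping and would make the container fail to load the servlet. -->
    <servlet>
      <servlet-name>context</servlet-name>
      <servlet-class>org.springframework.web.context.ContextLoaderServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>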

    Here are my Spring beans entries
    <!-- Maps Ant-style URL patterns to an ordered list of filters; filters run in the order listed
         (session integration first, enforcement last). No anonymous filter is present here, so a
         request that has not logged in carries no Authentication at all when the access rules in
         filterInvocationInterceptor are checked (compare the chain in post #5). -->
    <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy" >
    <property name="filterInvocationDefinitionSource">
    <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter, authenticationProcessingFilter, securityEnforcementFilter
    </value>
    </property>
    </bean>
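    <!-- Processes the POSTed login form. The class name is a single token; the pasted copy had it
         split by forum line-wrapping ("Authenticati onProcessingFilter"), which would fail to load. -->
    <bean id="authenticationProcessingFilter"
          class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <!-- URL the login form posts to. NOTE(review): the filter's default for this property starts
           with a leading slash; confirm that a value without one still matches under a non-root
           context path before relying on it. -->
      <property name="filterProcessesUrl">
        <value>j_acegi_security_check</value>
      </property>
      <!-- Where a failed login is sent. This URL must be accessible to a request that holds no
           ROLE_USER, otherwise the redirect to it is intercepted and the loop discussed in this
           thread results (posts #8/#9). -->
      <property name="authenticationFailureUrl">
        <value>/login.jsp?failed=true</value>
      </property>
      <!-- Landing page after a successful login. -->
      <property name="defaultTargetUrl">
        <value>/admin/search.display.do</value>
      </property>
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
    </bean>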
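    <!-- Runs the secured-URL check through filterSecurityInterceptor and, when the request is not
         authenticated, hands off to the entry point (which redirects to the login form).
         Single-token class name; the pasted copy had it line-wrapped ("Security EnforcementFilter"). -->
    <bean id="securityEnforcementFilter"
          class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor">
        <ref local="filterInvocationInterceptor"/>
      </property>
      <property name="authenticationEntryPoint">
        <ref local="authenticationProcessingFilterEntryPoint"/>
      </property>
    </bean>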
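    <!-- Entry point used when an unauthenticated request hits a secured URL: redirects to
         loginFormUrl. Single-token class name; the pasted copy had it line-wrapped. -->
    <bean id="authenticationProcessingFilterEntryPoint"
          class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl">
        <value>/login.jsp</value>
      </property>
      <!-- false lets the login form be served over plain HTTP, so the submitted username and
           password travel in clear text. Set this to true wherever TLS is available. -->
      <property name="forceHttps">
        <value>false</value>
      </property>
    </bean>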
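    <!-- Decides whether the current Authentication may access the requested URL.
         Single-token class name; the pasted copy had it line-wrapped ("FilterSe curityInterceptor"). -->
    <bean id="filterInvocationInterceptor"
          class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager"/>
      </property>
      <!-- Access rules, matched in the order listed. The single catch-all rule below requires
           ROLE_ANONYMOUS for every URL, /login.jsp included, yet no filter in the chain above creates
           an anonymous Authentication, so (unless the JAAS authority granter hands it out) nothing ever
           holds that role: each request is denied, the entry point redirects to /login.jsp, that request
           is denied as well, and the loop repeats (posts #8/#9). The login page needs its own rule that
           an unauthenticated request can satisfy, and protected URLs need a role a logged-in user gets. -->
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=ROLE_ANONYMOUS
        </value>
      </property>
    </bean>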
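    <!-- Stores the SecureContext in the HTTP session between requests; it is listed first in the
         filter chain above so the later filters see the stored context. Both class names are single
         tokens; the pasted copy had them split by forum line-wrapping. -->
    <bean id="httpSessionContextIntegrationFilter"
          class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
      <!-- Kept on one line so the class name does not depend on whitespace being trimmed. -->
      <property name="context">
        <value>net.sf.acegisecurity.context.security.SecureContextImpl</value>
      </property>
    </bean>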

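    <!-- Delegates authentication to the listed providers in order; only the JAAS provider is
         configured here. Single-token class name; the pasted copy had it line-wrapped ("ProviderMana ger"). -->
    <bean id="authenticationManager"
          class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="jaasAuthenticationProvider"/>
        </list>
      </property>
    </bean>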
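    <!-- Authenticates username/password logins through JAAS. The three net.sf.acegisecurity class
         names below are single tokens; the pasted copy had each split by forum line-wrapping. -->
    <bean id="jaasAuthenticationProvider"
          class="net.sf.acegisecurity.providers.jaas.JaasAuthenticationProvider">
      <!-- JAAS login configuration file, loaded from the classpath. -->
      <property name="loginConfig">
        <value>classpath:jaas.login.conf</value>
      </property>
      <!-- Name of the entry in that file to use. -->
      <property name="loginContextName">
        <value>myLoginContext</value>
      </property>
      <!-- Feed the submitted username and password to the login module's name/password callbacks. -->
      <property name="callbackHandlers">
        <list>
          <bean class="net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
          <bean class="net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
        </list>
      </property>
      <!-- Application-supplied granter that turns the principals returned by JAAS into granted
           authorities; presumably it must issue the ROLE_ names used by the access rules, since a
           logged-in user who is granted none of them is denied everywhere. -->
      <property name="authorityGranters">
        <list>
          <bean class="gov.vha.edb.ui.util.JaasAuthorityGranter"/>
        </list>
      </property>
    </bean>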
    <!-- Grants access as soon as any voter votes to grant. -->
    <bean id="httpRequestAccessDecisionManager"
    class="net.sf.acegisecurity.vote.AffirmativeBased" >
    <!-- false: if every voter abstains the request is denied, which is the safe default. -->
    <property name="allowIfAllAbstainDecisions">
    <value>false</value>
    </property>
    <property name="decisionVoters">
    <list>
    <ref bean="roleVoter"/>
    </list>
    </property>
    </bean>
    <!-- Votes on the ROLE_-prefixed attributes used in the objectDefinitionSource above. -->
    <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

  2. #2
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team

  3. #3


    I am experiencing the same problem with an infinite loop, but it only happens when a user changes their password and tries to move on to another page, or when the application gets reloaded (development server, obviously).

    Is anonymous access not enough access for a login page?
    http://forum.springframework.org/viewtopic.php?t=4399

  4. #4
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team


    I don't think there's anything weird going on. If you change the URL to *.do then the acegi filters will only be applied to these URLs, so the /j_acegi_security_check URL won't be intercepted and processed. Adding the ".do" to the login URL means the AuthenticationProcessingFilter kicks in to process the logon request:

    http://acegisecurity.sourceforge.net...ingFilter.html

    Look at how the filter is set up in the Contacts sample application for an example of how to allow anonymous access to specific URLs but protect everything else.

    Luke.

  5. #5


    I followed the Contacts sample application to add anonymous authentication, but I still have the same problem.
    Here is what I added.

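    <!-- Sets an AnonymousAuthenticationToken (principal anonymousUser, authority ROLE_ANONYMOUS, see
         userAttribute) for requests that reach it. Single-token class name; the pasted copy had it
         line-wrapped ("An onymousProcessingFilter"). -->
    <bean id="anonymousProcessingFilter"
          class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <!-- Shared key by which anonymousAuthenticationProvider recognises tokens created here. The two
           values must be identical, and the sample value should be replaced by a non-guessable one
           before the configuration is deployed. -->
      <property name="key"><value>foobar</value></property>
      <property name="userAttribute">
        <value>anonymousUser,ROLE_ANONYMOUS</value>
      </property>
    </bean>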

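    <!-- Accepts the anonymous tokens created by anonymousProcessingFilter; key must equal the filter's.
         Single-token class name; the pasted copy had it line-wrapped. -->
    <bean id="anonymousAuthenticationProvider"
          class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
      <property name="key"><value>foobar</value></property>
    </bean>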

    Added the anonymousProcessingFilter entry to my filterChainProxy bean.

    <!-- Chain now includes anonymousProcessingFilter, placed after the form-login filter and before
         the enforcement filter as in the Contacts sample, so a request that did not log in is meant
         to carry ROLE_ANONYMOUS by the time the access rules are checked. -->
    <bean id="filterChainProxy"
    class="net.sf.acegisecurity.util.FilterChainProxy" >
    <property name="filterInvocationDefinitionSource">
    <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /**=httpSessionContextIntegrationFilter, authenticationProcessingFilter, anonymousProcessingFilter, securityEnforcementFilter
    </value>
    </property>
    </bean>

    Added the anonymousAuthenticationProvider entry to the providers list.

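    <!-- Tries each listed provider for the Authentication being validated. Single-token class name;
         the pasted copy had it line-wrapped ("ProviderMana ger").
         NOTE(review): post #6 reports that the JAAS provider is never reached once the anonymous
         provider is added. A form login is expected to arrive here as a username/password token, not
         an anonymous one, so check which token type the manager actually receives before changing
         the provider order. -->
    <bean id="authenticationManager"
          class="net.sf.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
          <ref bean="jaasAuthenticationProvider"/>
          <ref local="anonymousAuthenticationProvider"/>
        </list>
      </property>
    </bean>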

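    <!-- Decides whether the current Authentication may access the requested URL.
         Single-token class name; the pasted copy had it line-wrapped ("FilterSe curityInterceptor"). -->
    <bean id="filterInvocationInterceptor"
          class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager"/>
      </property>
      <!-- Rules are evaluated in order and the first matching pattern wins, so the login-page rule
           must stay above the catch-all. The trailing * on /login.jsp* appears intended to let the
           failure URL /login.jsp?failed=true match the same rule. Every other URL now requires
           ROLE_USER, so a request that has not logged in is sent to the login page; whether that page
           is then served depends on anonymousProcessingFilter actually having run for it. -->
      <property name="objectDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /login.jsp*=ROLE_ANONYMOUS,ROLE_USER
          /**=ROLE_USER
        </value>
      </property>
    </bean>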

  6. #6


    When I use the anonymous provider, it never goes to JaasAuthenticationProvider, as it always sets an AnonymousAuthenticationToken, which does not work with JAAS.

  7. #7
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team


    Can you clear up whether you have the same problem? i.e. an infinite loop where you can't access the login page?

  8. #8


    I am looking at this thread and another AnonymousAuthenticationProvider/JaasAuthenticationProvider issue to see if there is a problem in the code.

    Right now I'm a little confused though, and maybe Ben and Luke can help me out.

    Wouldn't requiring ROLE_USER on the authenticationFailureUrl (login.jsp in this case) cause the infinite looping?

  9. #9
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team


    Quote Originally Posted by RayKrueger
    I am looking at this thread and another AnonymousAuthenticationProvider/JaasAuthenticationProvider issue to see if there is a problem in the code.

    Right now I'm a little confused though, and maybe Ben and Luke can help me out.

    Wouldn't requiring ROLE_USER on the authenticationFailureUrl (login.jsp in this case) cause the infinite looping?
    Hi Ray,

    Yes. I think so. That's why I posted the link to the other thread above.
    I believe it should allow anonymous access too. That's why the /login.jsp* URL has a separate access rule in the filter security interceptor.

    Luke.

  10. #10


    Hmm, we need to look at the sample then, it is configured the same way.
