I'm trying to get a simple setup working with Acegi. I decided to start with Basic authentication. It sort of works; I have 3 pages with page1.xyz requiring ROLE_USER and page2.xyz requiring ROLE_ADMIN and page3.xyz not requiring anything.
When I go to page1.xyz the browser pops up the login box; I log in and it shows me page1.xyz. At the bottom of page1.xyz is a link to page2.xyz; if I click that, I get an "access is denied" message from Tomcat. Similarly, if I start with page2.xyz and type the name and password, that part works, but when I then click the link to go to page1.xyz I get the "access is denied" message.
I'm wondering if there is something wrong with my configuration. I've included my applicationContext.xml and my web.xml.
Thanks for taking the time to help.
Code:
<!--
  Spring application context (the applicationContext.xml mentioned in the post):
  three view controllers plus an Acegi filter chain that protects them with
  HTTP Basic authentication.
-->
<beans>

  <!-- BEGIN SPRING STUFF -->

  <!-- Maps each request URL to the controller bean that renders it. -->
  <bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings">
      <props>
        <prop key="/page1.xyz"> pvc1 </prop>
        <prop key="/page2.xyz"> pvc2 </prop>
        <prop key="/page3.xyz"> pvc3 </prop>
      </props>
    </property>
  </bean>

  <bean id="pvc1" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
    <property name="viewName" value="view1" />
  </bean>

  <bean id="pvc2" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
    <property name="viewName" value="view2" />
  </bean>

  <bean id="pvc3" class="org.springframework.web.servlet.mvc.ParameterizableViewController">
    <property name="viewName" value="view3" />
  </bean>

  <!-- Resolves a view name such as "view1" to /WEB-INF/views/view1.jsp. -->
  <bean id="internalResourceViewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
    <property name="prefix" value="/WEB-INF/views/" />
    <property name="suffix" value=".jsp" />
  </bean>

  <!-- END SPRING STUFF -->

  <!-- BEGIN ACEGI STUFF -->

  <!--
    =- filterChainProxy is called from web.xml
    =-
    =- recommended filter order: ChannelProcessingFilter,
    =- ConcurrentSessionFilter, HttpSessionContextIntegrationFilter,
    =- auth processing mechanisms; <AuthenticationProcessingFilter,
    =- CasProcessingFilter, BasicProcessingFilter,
    =- HttpRequestIntegrationFilter, JbossIntegrationFilter, etc.>,
    =- ContextHolderAwarenessRequestFilter,
    =- RememberMeProcessingFilter, AnonymousProcessingFilter,
    =- SecurityEnforcementFilter
  -->
  <!--
    Every request path (/**) runs through the three filters below, in this
    order. No ChannelProcessingFilter is in the chain, so nothing in this file
    forces HTTPS. HTTP Basic sends the user name and password base64-encoded,
    not encrypted, with each request, so these URLs should only be served
    over TLS.
  -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,basicProcessingFilter,securityEnforcementFilter
      </value>
    </property>
  </bean>

  <bean id="httpSessionContextIntegrationFilter"
        class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />

  <!-- Authenticates the Basic credentials carried by a request against providerManager. -->
  <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager">
      <ref local="providerManager"/>
    </property>
    <property name="authenticationEntryPoint">
      <ref local="authenticationEntryPoint"/>
    </property>
  </bean>

  <!-- realmName still holds the sample placeholder text; it is the realm string sent in the Basic challenge. -->
  <bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName">
      <value>Name Of Your Realm</value>
    </property>
  </bean>

  <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor">
      <ref local="filterSecurityInterceptor" />
    </property>
    <property name="authenticationEntryPoint">
      <ref local="authenticationEntryPoint" />
    </property>
  </bean>

  <!--
    URL-to-role rules. Only /page1.xyz and /page2.xyz carry a role
    requirement. A path that is not listed here (such as /page3.xyz) has no
    rule and is served without an authorization check, so any page added
    later is public until it gets an entry in this list.
  -->
  <bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
      <ref local="providerManager" />
    </property>
    <property name="accessDecisionManager">
      <ref local="httpRequestAccessDecisionManager" />
    </property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /page1.xyz=ROLE_USER
        /page2.xyz=ROLE_ADMIN
      </value>
    </property>
  </bean>

  <bean id="providerManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider" />
      </list>
    </property>
  </bean>

  <!-- No passwordEncoder is set here, so the stored password is compared as clear text. -->
  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
      <ref local="inMemoryDaoImpl" />
    </property>
  </bean>

  <!--
    Test-only accounts: the passwords sit in clear text in this file, which is
    acceptable for a throwaway demo but not for a deployed application.

    Each account holds exactly one role: rusty has only ROLE_USER and lumpy
    has only ROLE_ADMIN. RoleVoter matches role names literally and knows no
    hierarchy, so rusty is denied /page2.xyz and lumpy is denied /page1.xyz.
    The browser keeps resending the first Basic credentials it was given, so
    the second page answers "access is denied" instead of prompting again.
    That is the configured policy working as written, not a wiring fault.
    If the admin account is meant to see the user page too, it needs both
    roles, for example: lumpy=password,ROLE_USER,ROLE_ADMIN
  -->
  <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        rusty=password,ROLE_USER
        lumpy=password,ROLE_ADMIN
      </value>
    </property>
  </bean>

  <!-- allowIfAllAbstainDecisions=false: access is denied when every voter abstains. -->
  <bean id="httpRequestAccessDecisionManager"
        class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions">
      <value>false</value>
    </property>
    <property name="decisionVoters">
      <list>
        <ref local="roleVoter" />
      </list>
    </property>
  </bean>

  <!--
    =- An access decision voter that reads ROLE_* configuration
    =- settings.
  -->
  <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter" />

  <!-- END ACEGI STUFF -->

</beans>
Code:
<!-- Servlet 2.4 deployment descriptor (the web.xml mentioned in the post). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <description> acegi_test version 01 </description>
  <display-name> acegi-test version 01 </display-name>

  <!--
    =- Location of the Log4J config file, for initialization and
    =- refresh checks. Applied by Log4jConfigListener.
  -->
  <context-param>
    <param-name> log4jConfigLocation </param-name>
    <param-value> /WEB-INF/log4j.xml </param-value>
  </context-param>

  <!--
    Hands every request to the Spring bean named by targetBean
    (filterChainProxy in the application context). The /* mapping below means
    no URL of this web app bypasses the Acegi filter chain. Which URLs actually
    require a role is decided by filterSecurityInterceptor's rule list.
  -->
  <filter>
    <filter-name> AcegiFilter </filter-name>
    <filter-class> org.acegisecurity.util.FilterToBeanProxy </filter-class>
    <init-param>
      <param-name> targetBean </param-name>
      <param-value> filterChainProxy </param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name> AcegiFilter </filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!--
    =- Configures Log4J for this web app. As this context specifies
    =- a context-param "log4jConfigLocation", its file path is used
    =- to load the Log4J configuration, including periodic refresh
    =- checks.
    =-
    =- Would fall back to default Log4J initialization
    =- (non-refreshing) if no special context-params are given.
  -->
  <!-- Leave the listener commented-out if using JBoss -->
  <listener>
    <listener-class> org.springframework.web.util.Log4jConfigListener </listener-class>
  </listener>

  <!--
    =- Loads the root application context of this web app at
    =- startup, by default from "/WEB-INF/applicationContext.xml".
    =-
    =- Note that you need to fall back to Spring's
    =- ContextLoaderServlet for J2EE servers that do not follow the
    =- Servlet 2.4 initialization order.
    =- Use
    =- WebApplicationContextUtils.getWebApplicationContext(servletContext)
    =- to access it anywhere in the web application, outside of the
    =- framework.
    =-
    =- The root context is the parent of all servlet-specific
    =- contexts. This means that its beans are automatically
    =- available in these child contexts, both for getBean(name)
    =- calls and (external) bean references.
  -->
  <listener>
    <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class>
  </listener>

  <!--
    =- The HttpSessionEventPublisher will publish
    =- HttpSessionCreatedEvent and HttpSessionDestroyedEvent
    =- to the WebApplicationContext
  -->
  <listener>
    <listener-class> org.acegisecurity.ui.session.HttpSessionEventPublisher </listener-class>
  </listener>

  <!-- Spring MVC front controller; it serves only URLs ending in .xyz. -->
  <servlet>
    <servlet-name> springapp </servlet-name>
    <servlet-class> org.springframework.web.servlet.DispatcherServlet </servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name> springapp </servlet-name>
    <url-pattern>*.xyz</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

</web-app>


