Exclude login-page from security constraints

[-FoX-]

I'm having some problems with my security constraints that I have defined in my webapp. I'm using form-based authentication.

I put the following in my web.xml, to enable acegi security.

Code:

<filter>
    <filter-name>acegiSecurityFilter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>

    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>acegiSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

I'm not sure my applicationContext-security file is OK? Tips are welcome!!
My configured applicationContext-security.xml is as follows:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
  <!-- ********** FILTER CHAIN ********** -->
  <!-- Define all security filters in the same file, just 1 entry in web.xml -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
      </value>
    </property>
  </bean>

  <!-- ********** AUTHENTICATION ********** -->
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
      <ref bean="memoryAuthenticationProvider"/>
    </property>
  </bean>

  <bean id="memoryAuthenticationProvider" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        test=test,ROLE_USER
        manager=manager,disabled,ROLE_MANAGER
      </value>
    </property>
  </bean>

  <!-- ********** HTTP REQUEST SECURITY ********** -->
  <!-- Standard Acegi security role voter implementation. -->
  <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

  <bean id="accessDecisionManager" class="org.acegisecurity.vote.UnanimousBased">
    <property name="allowIfAllAbstainDecisions">
      <value>false</value>
    </property>
    <property name="decisionVoters">
      <list>
        <ref local="roleVoter"/>
      </list>
    </property>
  </bean>

  <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <property name="filterSecurityInterceptor">
      <ref bean="filterInvocationInterceptor"/>
    </property>
    <property name="authenticationEntryPoint">
      <ref bean="authenticationEntryPoint"/>
    </property>
  </bean>

  <!-- Entrypoint for form-based authentication. -->
  <bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl">
      <value>/login.jsp</value>   <!-- url of the login page -->
    </property>
    <property name="forceHttps">  <!-- login over SSL -->
      <value>false</value>
    </property>
  </bean>

  <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>      
    <property name="authenticationFailureUrl" value="/login.jsp?error=true"/>
    <property name="defaultTargetUrl" value="/"/>
    <property name="filterProcessesUrl" value="/j_security_check"/>           <!-- default is /j_acegi_security_check -->
  </bean>

  <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key">
      <value>anonymousKey</value>
    </property>
    <property name="userAttribute">
      <value>anonymousUser,ROLE_ANONYMOUS</value>
    </property>
  </bean>
  <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key">
      <value>anonymousKey</value>
    </property>
  </bean>

  <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
      <ref bean="accessDecisionManager"/>
    </property>
    <property name="objectDefinitionSource">      <!-- authorities required for the requests -->
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT
        /login.jsp=ROLE_ANONYMOUS
        /admin/**=ROLE_ADMIN
        /**=ROLE_USER
      </value>
    </property>
  </bean>

  <!-- Security context -->
  <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    <property name="context">
      <value>org.acegisecurity.context.SecurityContextImpl</value>
    </property>
  </bean>
</beans>

The problem that occurs is that when I see my login page. None of my stylesheets/js/gifs or jpegs are being authorised. So i only see my no-style login.jsp. All these files are for example available in /resources/images/.
I tried the anonymousProcessingFilter, but apparently it isn't working as supposed.

What am I doing wrong??


Furthermore, I have another question.
Suppose I want to grant access to the user based on his 'role'.
Let's say the webapplication has several extra modules, that can be added dynamically:

* standard
* standard + invoice module
* standard + statistic module
* standard + cms module
* standard + cms + statistic
* standard + statistic + invoice
... and so on..

As you can see, a whole lot of combinations are possible. How should I deal with this kind of security concepts?? Should I enable a role for each combination?

[jettro]

actually I'dd think about only letting some resources be controller via acegi.

Code:

	<filter-mapping>
		<filter-name>securityFilter</filter-name>
		<url-pattern>*.html</url-pattern>
	</filter-mapping>

	<filter-mapping>
		<filter-name>securityFilter</filter-name>
		<url-pattern>*.jsp</url-pattern>
	</filter-mapping>

This way the images etc are not handled by acegi, you could even use .htm pages that do not get authenticated. (login.htm)

[-FoX-]

Hmmm, I don't like the idea behind that. I just want to have everything secured, except maybe some things I don't want to. So, when I add something, I can be sure that everything will be secured.

I do believe this must be possible?

[tsolak]

If you don't want use something like this

<filter-mapping>
<filter-name>securityFilter</filter-name>
<url-pattern>/secure/*</url-pattern>
</filter-mapping>

you can use ANONYMOUS ROLE as in the Contacts Sample Application
and add somthing like this to filterInvocationInterceptor
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS
/images/**=ROLE_ANONYMOUS
.............
</value>
</property>

[-FoX-]

I'm already using the ANONYMOUS role (as you can see in my config), but I'm having difficulties to configure it well.

[-FoX-]

Can someone provide me with some usefull tips?

[erikgu]

Hei i think i got something working on my app last night I've still not 100% happy with my login, but at least i can log in and out as i please

From web.xml

Code:

****

	<filter>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
		<init-param>
			<param-name>targetClass</param-name>
			<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
		</init-param>
	</filter>

	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>*.htm</url-pattern>
	</filter-mapping>
	<filter-mapping>
		<filter-name>Acegi Filter Chain Proxy</filter-name>
		<url-pattern>*.jsp</url-pattern>
	</filter-mapping>

****

	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<listener>
		<listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
	</listener>

****

And here are my total spring def:
(It still got a lot of extra commented stuff, but it works. sorta

Code:

<beans>

   <!-- ======================== FILTER CHAIN ======================= -->
	<!--  if you wish to use channel security, add "channelProcessingFilter," in front
	      of "httpSessionContextIntegrationFilter" in the list below -->
	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
         <value>
		    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
		    PATTERN_TYPE_APACHE_ANT
            /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
         </value>
      </property>
    </bean>

   <!-- ======================== AUTHENTICATION ======================= -->
	<bean id="authenticationManager"
		class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider" />
				<ref local="anonymousAuthenticationProvider" />
			</list>
		</property>
	</bean>

	<bean id="jdbcDaoImpl"
		class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource">
			<ref bean="dataSource" />
		</property>
		<property name="usersByUsernameQuery">
			<value>
				SELECT username, password, 'true' AS enabled FROM users WHERE username = ? AND user_status = '1'
			</value>
		</property>
		<property name="authoritiesByUsernameQuery">
			<value>
				SELECT u.username, a.role AS authority FROM authorities AS a, users AS u WHERE a.users_id=u.id AND username=?
			</value>
		</property>
	</bean>

	<!--bean id="passwordEncoder"
		class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/-->

	<bean id="daoAuthenticationProvider"
		class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService">
			<ref local="jdbcDaoImpl" />
		</property>
		<property name="userCache">
			<ref local="userCache" />
		</property>
		<!--property name="passwordEncoder">
			<ref local="passwordEncoder" />
		</property-->
	</bean>

	<bean id="cacheManager"
		class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />

	<bean id="userCacheBackend"
		class="org.springframework.cache.ehcache.EhCacheFactoryBean">
		<property name="cacheManager">
			<ref local="cacheManager" />
		</property>
		<property name="cacheName">
			<value>userCache</value>
		</property>
	</bean>

	<bean id="userCache"
		class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
		<property name="cache">
			<ref local="userCacheBackend" />
		</property>
	</bean>


   <!-- Automatically receives AuthenticationEvent messages -->
   <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <property name="key"><value>foobar</value></property>
      <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
   </bean>

   <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
      <property name="key"><value>foobar</value></property>
   </bean>

   <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
   </bean>

   <!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
   <!-- You will need to uncomment the "Acegi Channel Processing Filter"
        <filter-mapping> in web.xml for the following beans to be used -->

   <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
      <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
      <property name="filterInvocationDefinitionSource">
         <value>
			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
				\A/logon.htm.*\Z=REQUIRES_SECURE_CHANNEL
				\A/j_acegi_security_check\.jsp.*\Z=REQUIRES_SECURE_CHANNEL
				\A.*\Z=REQUIRES_INSECURE_CHANNEL
         </value>
      </property>
   </bean>

   <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
      <property name="channelProcessors">
         <list>
            <ref local="secureChannelProcessor"/>
            <ref local="insecureChannelProcessor"/>
         </list>
      </property>
   </bean>

   <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
   <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>

   <!-- ===================== HTTP REQUEST SECURITY ==================== -->
   <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
      <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
   </bean>

   <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="authenticationFailureUrl"><value>/logon.htm?login_error=1</value></property>
      <property name="defaultTargetUrl"><value>/</value></property>
      <property name="filterProcessesUrl"><value>/j_acegi_security_check.jsp</value></property>
      <!--property name="rememberMeServices"><ref local="rememberMeServices"/></property-->
   </bean>

   <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl"><value>/logon.htm</value></property>
      <property name="forceHttps"><value>false</value></property>
   </bean>

  <!-- Standard Acegi security role voter implementation. -->
  <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

   <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions"><value>false</value></property>
      <property name="decisionVoters">
         <list>
            <ref bean="roleVoter"/>
         </list>
      </property>
   </bean>

   <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
        The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
        Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
   <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
      <property name="objectDefinitionSource">
         <value>
			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			    PATTERN_TYPE_APACHE_ANT
			    /index.*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
			    /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
			    /logon.htm*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
			    /decorators/**=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
			    /init.xml*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
			    /subNode.xml*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
				/**=ROLE_USER,ROLE_ADMIN
         </value>
      </property>
   </bean>

</beans>

Hope this can be of any help. At least i wish someone gave me this a few weeks back

Should be able to do something like /**/*.gif=ROLE_ANONYMOUS or even more spesific maybe. I added more roles coz i wanted my admins etc to see it to..

-Erik