
Thread: Access is denied (user is not anonymous)

  1. #1

    Access is denied (user is not anonymous)

    I think I'm very close to having my application cut-over to Acegi, however, I'm receiving the following error upon authentication:

    "Access is denied (user is not anonymous); sending back forbidden response"

    I do, however, see that my User object is populated with my username and the following Granted Authorities:

    anonymous, role_administration, role_anonymous, role_user

    Has anyone out there run into this issue?

    Thanks,

    Matt

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    This just means that your user has been through the authentication process and been denied access. Some more information (e.g. your configuration for FilterSecurityInterceptor) would be helpful in working out what's amiss.

    Luke.

  3. #3

    Access is denied (user is not anonymous)

    Luke,

    Thanks for your reply, I more than appreciate it.

    I ended up fixing the problem by changing the authority field values in the authorities table to all upper case... Apparently, they're case-sensitive...

    Again, thanks for your reply.

    Take care,

    Matt

  4. #4
    Join Date
    May 2005
    Location
    Denver, CO, USA
    Posts
    57


    So, is this a case issue then? I'm not quite at the liberty to change the case of the roles I'm fetching from LDAP, but I do prefix them all with ROLE_ in the process. But, I have the exact same exception/condition if the authenticated user does not have ALL of the roles specified. My impression (Acegi docbook, Spring In Action) was that a list of roles specified in the objectDefinitionSource for FilterSecurityInterceptor indicates that if the user is in ANY of the roles, then access is granted...

    Looking at the source to RoleVoter, it seems to confirm the first role that matches the criteria returns with ACCESS_GRANTED, so I don't know why the user has to be in ALL roles listed.

    For example:

    Code:
    2005-06-07 12:46:37,883 DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Redirecting to target URL from HTTP Session (or default): http://sdmaapp1:8103/pa/secure/index.jsp>
    2005-06-07 12:46:37,885 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@ea3932: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@f70ee1: Username: com.ingenuity.security.dao.IngenuityLegacyLdapUser@1f1e39b; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1d056de: RemoteIpAddress: 10.32.18.95; SessionId: 583063dc83736948563a; Granted Authorities: ROLE_PAADMIN, ROLE_paumadmin, ROLE_PAUSERTRIAL, ROLE_PAUSERPAID, ROLE_RoleSharingWithMe, ROLE_RoleSharingWithOthers'>
    2005-06-07 12:46:37,886 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <ContextHolder set to null as request processing completed>
    2005-06-07 12:46:37,907 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@ea3932: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@f70ee1: Username: com.ingenuity.security.dao.IngenuityLegacyLdapUser@1f1e39b; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1d056de: RemoteIpAddress: 10.32.18.95; SessionId: 583063dc83736948563a; Granted Authorities: ROLE_PAADMIN, ROLE_paumadmin, ROLE_PAUSERTRIAL, ROLE_PAUSERPAID, ROLE_RoleSharingWithMe, ROLE_RoleSharingWithOthers'>
    2005-06-07 12:46:37,908 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/secure/index.jsp'; pattern is /secure/admin/**; matched=false>
    2005-06-07 12:46:37,908 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/secure/index.jsp'; pattern is /secure/index.jsp; matched=true>
    2005-06-07 12:46:37,908 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] - <Secure object: FilterInvocation: URL: /secure/index.jsp; ConfigAttributes: [ROLE_PAUSERPAID, ROLE_PAUSERINTERNAL]>
    2005-06-07 12:46:37,909 DEBUG [net.sf.acegisecurity.providers.ProviderManager] - <Authentication attempt using net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider>
    2005-06-07 12:46:37,909 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <** email: 'jschmidt@ingenuity.com'>
    2005-06-07 12:46:37,910 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <** password: '**'>
    2005-06-07 12:46:37,910 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Attempting to authenticate 'jschmidt@ingenuity.com'>
    2005-06-07 12:46:38,054 DEBUG [com.ingenuity.security.dao.IngenuityLegacyLdapUser] - <ILLU, username: jschmidt@ingenuity.com>
    2005-06-07 12:46:38,054 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_PAADMIN>
    2005-06-07 12:46:38,055 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_paumadmin>
    2005-06-07 12:46:38,055 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_PAUSERTRIAL>
    2005-06-07 12:46:38,060 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_PAUSERPAID>
    2005-06-07 12:46:38,061 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_RoleSharingWithMe>
    2005-06-07 12:46:38,061 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Added authority: ROLE_RoleSharingWithOthers>
    2005-06-07 12:46:38,062 DEBUG [com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao] - <Successfully authenticated 'jschmidt@ingenuity.com'>
    2005-06-07 12:46:38,062 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - <Publishing event in context [Root WebApplicationContext]: net.sf.acegisecurity.providers.dao.event.AuthenticationSuccessEvent[source=net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@f70ee1: Username: com.ingenuity.security.dao.IngenuityLegacyLdapUser@1f1e39b; Password: [PROTECTED]; Authenticated: false; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1d056de: RemoteIpAddress: 10.32.18.95; SessionId: 583063dc83736948563a; Granted Authorities: ROLE_PAADMIN, ROLE_paumadmin, ROLE_PAUSERTRIAL, ROLE_PAUSERPAID, ROLE_RoleSharingWithMe, ROLE_RoleSharingWithOthers]>
    2005-06-07 12:46:38,063 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] - <Authenticated: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5f1c48: Username: com.ingenuity.security.dao.IngenuityLegacyLdapUser@39ea58; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1d056de: RemoteIpAddress: 10.32.18.95; SessionId: 583063dc83736948563a; Granted Authorities: ROLE_PAADMIN, ROLE_paumadmin, ROLE_PAUSERTRIAL, ROLE_PAUSERPAID, ROLE_RoleSharingWithMe, ROLE_RoleSharingWithOthers>
    2005-06-07 12:46:38,065 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] - <Publishing event in context [Root WebApplicationContext]: net.sf.acegisecurity.intercept.event.AuthorizationFailureEvent[source=FilterInvocation: URL: /secure/index.jsp]>
    2005-06-07 12:46:38,066 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] - <Access is denied (user is not anonymous); sending back forbidden response>
    net.sf.acegisecurity.AccessDeniedException: Access is denied.
            at net.sf.acegisecurity.vote.UnanimousBased.decide(UnanimousBased.java:108)
            at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:394)
            at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
            at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
            at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
            at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
            at com.ingenuity.security.ldap.IngenuityLegacyContextHolderAwareRequestFilter.doFilter(IngenuityLegacyContextHolderAwareRequestFilter.java:44)
            at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
            at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
            at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:305)
            at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
            at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
            at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
            at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
            at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
            at com.ingenuity.security.jrun4.ContextLoaderFilter.doFilter(ContextLoaderFilter.java:59)
            at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
            at jrun.servlet.FilterChain.service(FilterChain.java:101)
            at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
            at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
            at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
            at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
            at jrun.servlet.http.WebService.invokeRunnable(WebService.java:172)
            at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
            at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
    2005-06-07 12:46:38,093 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@ea3932: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5f1c48: Username: com.ingenuity.security.dao.IngenuityLegacyLdapUser@39ea58; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@1d056de: RemoteIpAddress: 10.32.18.95; SessionId: 583063dc83736948563a; Granted Authorities: ROLE_PAADMIN, ROLE_paumadmin, ROLE_PAUSERTRIAL, ROLE_PAUSERPAID, ROLE_RoleSharingWithMe, ROLE_RoleSharingWithOthers'>
    2005-06-07 12:46:38,094 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <ContextHolder set to null as request processing completed>

    Configuration-wise, this looks like:

    Code:
            <bean name="filterSecurityInterceptor"
                    class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    
                    <property name="authenticationManager">
                            <ref bean="authenticationManager"/>
                    </property>
                    <property name="accessDecisionManager">
                            <ref bean="accessDecisionManager"/>
                    </property>
                    <property name="objectDefinitionSource">
                            <!--
                                    Define application URI to role associations here. Configure more specific
                                    patterns above less specific ones, or they may not be discerned.
                            -->
                            <value>
                                    CONVERT_URL_TOLOWERCASE_BEFORE_COMPARISON
                                    PATTERN_TYPE_APACHE_ANT
                                    /secure/admin/**=ROLE_PAADMIN
                                    /secure/**=ROLE_PAUSERPAID,ROLE_PAUSERINTERNAL
                            </value>
                    </property>
            </bean>
    
            <bean name="authenticationManager"
                    class="net.sf.acegisecurity.providers.ProviderManager">
    
                    <property name="providers">
                            <list>
                                    <ref bean="passwordDaoAuthenticationProvider"/>
                            </list>
                    </property>
            </bean>
    
            <bean name="passwordDaoAuthenticationProvider"
                    class="net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider">
    
                    <property name="passwordAuthenticationDao">
                            <ref bean="ldapPasswordAuthenticationDao"/>
                    </property>
            </bean>
    
            <bean name="ldapPasswordAuthenticationDao"
                    class="com.ingenuity.security.ldap.IngenuityLegacyLdapPasswordAuthenticationDao">
    
            </bean>
    
            <bean name="accessDecisionManager"
                    class="net.sf.acegisecurity.vote.UnanimousBased">
    
                    <property name="decisionVoters">
                            <list>
                                    <ref bean="roleVoter"/>
                            </list>
                    </property>
                    <property name="allowIfAllAbstainDecisions">
                            <value>false</value>
                    </property>
            </bean>
    
            <bean name="roleVoter"
                    class="net.sf.acegisecurity.vote.RoleVoter">
            </bean>
    
            <bean name="requestFilter"
                    class="com.ingenuity.security.ldap.IngenuityLegacyContextHolderAwareRequestFilter"/>

    A question you may have is what the IngenuityLegacy* classes are. Legacy code requires the ability to retrieve a particular implementation of Principal from the HttpServletRequest. The wrapper and associated filter are used so that rather than the Authentication, it returns the Principal within the authentication, which is what the legacy code expects:

    Code:
        public Principal getUserPrincipal() {
            // Acegi's request wrapper exposes the Authentication as the principal;
            // unwrap it so legacy code gets the application's own Principal object.
            Principal acegiPrincipalToken = super.getUserPrincipal();
            if (acegiPrincipalToken != null)
                return (Principal) ((Authentication) acegiPrincipalToken).getPrincipal();
            else
                return null;
        }
    The LDAP based authentication seems to be working as expected, it's just the authorization that is messing me up. The output listed (far) above shows the roles associated with the user, and when accessing /secure/index.jsp, access is denied. The user has the authority ROLE_PAUSERPAID, but not ROLE_PAUSERINTERNAL. If I make the user have both roles, then access is granted. I should not have to do that though, should I?

    BTW, this is Acegi 0.8.2 with Spring 1.2.1 on JRun 4. The LDAP code is proprietary at the moment, but I'd like to make use of the Acegi sandbox LDAP in the near future.

    Again, this application is just a prototype to see how to get Acegi to play with some legacy issues.

    Thanks!

    Jeff

  5. #5


    Jas,

    I noticed in your accessDecisionManager definition, you've specified the class "net.sf.acegisecurity.vote.UnanimousBased". If you specify "net.sf.acegisecurity.vote.AffirmativeBased" instead of "UnanimousBased," this will grant access if any AccessDecisionVoter returns an affirmative response. Or, you may try "net.sf.acegisecurity.vote.AffirmativeBased" which will grant access if the majority of AccessDecisionVoter returns an affirmative response.

    Hope this helps,

    Matt

  6. #6
    Join Date
    May 2005
    Location
    Denver, CO, USA
    Posts
    57


    Matt:

    Many thanks. AffirmativeBased seems to do the trick. I'd like to understand why, however.

    The RoleVoter javadoc (0.8.2) specifies:

    Code:
    Abstains from voting if no configuration attribute commences with the role prefix. Votes to grant access if there is an exact matching GrantedAuthority to a ConfigAttribute starting with the role prefix. Votes to deny access if there is no exact matching GrantedAuthority to a ConfigAttribute starting with the role prefix.

    The RoleVoter vote() method looks like once it finds the first match of a config attribute and an authority, it stops and returns ACCESS_GRANTED.
    Code:
        public int vote(Authentication authentication, Object object,
            ConfigAttributeDefinition config) {
            int result = ACCESS_ABSTAIN;
            Iterator iter = config.getConfigAttributes();

            while (iter.hasNext()) {
                ConfigAttribute attribute = (ConfigAttribute) iter.next();

                if (this.supports(attribute)) {
                    result = ACCESS_DENIED;

                    // Attempt to find a matching granted authority
                    for (int i = 0; i < authentication.getAuthorities().length;
                        i++) {
                        if (attribute.getAttribute().equals(authentication
                                .getAuthorities()[i].getAuthority())) {
                            return ACCESS_GRANTED;
                        }
                    }
                }
            }

            return result;
        }
    So, with the ObjectDefinitionSource set up as:
    Code:
    		<property name="objectDefinitionSource">
    			<!--
    				Define application URI to role associations here. Configure more specific
    				patterns above less specific ones, or they may not be discerned.
    			-->
    			<value>
    				CONVERT_URL_TOLOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/secure/admin/**=ROLE_PAADMIN
    				/secure/**=ROLE_PAUSERPAID,ROLE_PABLAHBLAH	
    			</value>
    		</property>
    When I access /secure/index.jsp does RoleVoter get invoked a single time with the last config attribute, in which case it will vote ACCESS_GRANTED, or is it invoked twice, in which case it abstains the first time since the URL pattern does not match, and then is invoked again and votes ACCESS_GRANTED, but then overall access is denied?

    The access decision manager only has the one decision voter configured:
    Code:
    	<bean name="accessDecisionManager"
    		class="net.sf.acegisecurity.vote.AffirmativeBased">
    		
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter"/>
    			</list>
    		</property>
    		<property name="allowIfAllAbstainDecisions">
    			<value>false</value>
    		</property>
    	</bean>

    I thought whether or not the manager was affirmative or unanimous based pertained to how to deal with the sum total of votes, not how any one voter makes its decision.

    Thanks,

    Jeff

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768


    Quote Originally Posted by jas
    When I access /secure/index.jsp does RoleVoter get invoked a single time with the last config attribute, in which case it will vote ACCESS_GRANTED, or is it invoked twice, in which case it abstains the first time since the URL pattern does not match, and then is invoked again and votes ACCESS_GRANTED, but then overall access is denied?
    The RoleVoter will be invoked once, and it will vote ACCESS_GRANTED if the user holds either ROLE_PASERPAID or ROLE_BLAHBLAH.
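The two things this thread turns on, the case-sensitive match behind Matt's fix in post #3 and the all-roles-versus-any-role difference Jeff hits in posts #4 and #6, as an added Python model that is not Acegi's own code: it ports the RoleVoter.vote() listing quoted above and models how AffirmativeBased hands the voter the whole ConfigAttributeDefinition once, while UnanimousBased calls the voter once per ConfigAttribute, so one DENIED vote throws AccessDeniedException from UnanimousBased.decide (the frame at the top of Jeff's stack trace). The authorities and patterns are sample values copied from the thread's log and objectDefinitionSource; a single RoleVoter is assumed, as in both configurations posted.

```python
# Added model of Acegi 0.8.x authorization voting (not Acegi source code).
# RoleVoter.vote() is ported from the listing in the thread; the two decision
# managers mirror how each hands ConfigAttributes to a single RoleVoter.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1
ROLE_PREFIX = "ROLE_"

# Constructed sample data, copied from the thread's debug log and objectDefinitionSource.
JEFF_AUTHORITIES = ["ROLE_PAADMIN", "ROLE_paumadmin", "ROLE_PAUSERTRIAL",
                    "ROLE_PAUSERPAID", "ROLE_RoleSharingWithMe", "ROLE_RoleSharingWithOthers"]
SECURE_ATTRS = ["ROLE_PAUSERPAID", "ROLE_PAUSERINTERNAL"]   # /secure/**=ROLE_PAUSERPAID,ROLE_PAUSERINTERNAL


class AccessDeniedError(Exception):
    """Stands in for net.sf.acegisecurity.AccessDeniedException."""


def role_voter_vote(authorities, config_attributes):
    """Port of RoleVoter.vote(): ABSTAIN unless some attribute starts with ROLE_,
    then GRANTED on the first exact (case-sensitive) match, otherwise DENIED."""
    result = ACCESS_ABSTAIN
    for attribute in config_attributes:
        if attribute.startswith(ROLE_PREFIX):      # RoleVoter.supports(attribute)
            result = ACCESS_DENIED
            if attribute in authorities:           # String.equals(): 'role_user' != 'ROLE_USER'
                return ACCESS_GRANTED
    return result


def affirmative_based_decide(authorities, config_attributes, allow_if_all_abstain=False):
    """AffirmativeBased: the voter sees the whole attribute list once; a GRANTED vote wins."""
    vote = role_voter_vote(authorities, config_attributes)
    if vote == ACCESS_GRANTED:
        return True
    if vote == ACCESS_DENIED or not allow_if_all_abstain:
        raise AccessDeniedError("Access is denied.")
    return True


def unanimous_based_decide(authorities, config_attributes, allow_if_all_abstain=False):
    """UnanimousBased: each ConfigAttribute is voted on separately, so the user
    must hold every ROLE_ attribute; the first DENIED vote throws immediately."""
    grants = 0
    for attribute in config_attributes:
        vote = role_voter_vote(authorities, [attribute])
        if vote == ACCESS_DENIED:
            raise AccessDeniedError("Access is denied.")
        if vote == ACCESS_GRANTED:
            grants += 1
    if grants == 0 and not allow_if_all_abstain:
        raise AccessDeniedError("Access is denied.")
    return True


def is_granted(decide, authorities, config_attributes):
    """True if the chosen decision manager lets the request through, False if it throws."""
    try:
        return decide(authorities, config_attributes)
    except AccessDeniedError:
        return False


if __name__ == "__main__":
    for name, decide in (("UnanimousBased", unanimous_based_decide),
                         ("AffirmativeBased", affirmative_based_decide)):
        print(f"{name}: /secure/index.jsp granted = {is_granted(decide, JEFF_AUTHORITIES, SECURE_ATTRS)}")
    # Matt's case from post #3: lower-case authorities never equal ROLE_-prefixed attributes.
    print("role_user vs ROLE_USER denied:", role_voter_vote(["role_user"], ["ROLE_USER"]) == ACCESS_DENIED)
```

Giving the user ROLE_PAUSERINTERNAL as well makes both managers grant, which is exactly the "must have ALL roles" behaviour Jeff observed under UnanimousBased.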

  8. #8
    Join Date
    Feb 2008
    Posts
    2


    I also had this problem; I just changed the role name to upper case, that's all.
