Results 1 to 8 of 8

Thread: Strange endless loop using ACEGI due to unsuccessful login

  1. #1
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    4

    Default Strange endless loop using ACEGI due to unsuccessful login

    Hi there,

    I hope you can help me, because I am stuck.

    I have a strange problem using ACEGI 0.8.2 and Tomcat 5.0.28.
    The following triggers the endless loop in Acegi:

    I have 2 sessions running against my web-app. In both sessions, a user has successfully logged in via the URL /eportal/login.htm,
    using the following filter:


    Code:
     <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager"><ref local="authenticationManager"/></property>
            <property name="authenticationFailureUrl">
                <value>/login.htm?login_error=1</value>
            </property>
            <property name="exceptionMappings">
              <props>
                <prop  key="net.sf.acegisecurity.LockedException">/login.htm?login_error=2</prop>
                <prop  key="net.sf.acegisecurity.DisabledException">/login.htm?login_error=3</prop>
                <prop  key="net.sf.acegisecurity.CredentialsExpiredException">/login.htm?login_error=4</prop>
                <prop  key="net.sf.acegisecurity.AccountExpiredException">/login.htm?login_error=4</prop>
                <prop  key="net.sf.acegisecurity.AuthenticationServiceException">/login.htm?login_error=5</prop>
              </props>
            </property>
            <property name="defaultTargetUrl">
                <value>/home.htm</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    It all works fine, BUT if user1 changes the account status (locked=true) of user2, then user2 triggers an endless loop if user2 logs off or
    retries logging in.

    Note that when user1 changed the account status of user2, I removed user2 from the EhCache (userCache) used by daoAuthenticationProvider.
    But I think that this caching issue is not really the problem (or is it?)!

    Code:
        <!-- ============= SECURITY (AUTHENTICATION) BEANS YOU WILL RARELY (IF EVER) CHANGE ============ -->
    
        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider"/>
                    <ref local="runAsAuthenticationProvider"/>
                    <ref local="anonymousAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <!--
            <property name="authenticationDao"><ref local="inMemoryDaoImpl"/></property>
    -->
            <property name="authenticationDao"><ref local="authenticationDao"/></property>
            <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
            <property name="userCache"><ref local="userCache"/></property>
        </bean>
    
        <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.PlaintextPasswordEncoder"/>
    
        <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
        <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
           <property name="cacheManager"><ref local="cacheManager"/></property>
           <property name="cacheName"><value>userCache</value></property>
        </bean>
    
        <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
           <property name="cache"><ref local="userCacheBackend"/></property>
        </bean>

    Here is an extract from the Tomcat log file, which goes on and on forever (when user2 tries to log in):
    Code:
    ...
    ...
    2005-08-03 14:45:55,552 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] - <Authentication entry point being called; target URL added to Session: http://localhost:8080/eportal/login.htm>
    2005-08-03 14:45:55,552 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/eportal/login.htm>
    2005-08-03 14:45:55,552 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@e8cc94: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:55,552 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <ContextHolder set to null as request processing completed>
    2005-08-03 14:45:55,562 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /**; matched=true>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 1 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@b7bf86'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@e8cc94: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 2 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@2e34bf'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 3 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter@88f506'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter] - <Authorization header: null>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 4 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@8e85b5'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter] - <ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 5 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@395dab'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /index.jsp*; matched=false>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /login.htm*; matched=true>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] - <Secure object: FilterInvocation: URL: /login.htm; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER]>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.providers.ProviderManager] - <Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider>
    2005-08-03 14:45:55,702 DEBUG [net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache] - <Cache hit: false; username: user2>
    Hibernate: select epuser0_.USERID as USERID0_, epuser0_.PASSWORD as PASSWORD0_, epuser0_.ENABLED as ENABLED0_, epuser0_.LOCKED as LOCKED0_, epuser0_.VALIDFROM as VALIDFROM0_, epuser0_.VALIDTO as VALIDTO0_, epuser0_.FAILEDLOGIN as FAILEDLO7_0_, epuser0_.PASSWORDEXPIREAT as PASSWORD8_0_, epuser0_.CONTRACTID as CONTRACTID0_, epuser0_.NAME as NAME0_, epuser0_.ADDRESS1 as ADDRESS10_, epuser0_.ADDRESS2 as ADDRESS20_, epuser0_.POSTALCODE as POSTALCODE0_, epuser0_.CITY as CITY0_, epuser0_.COUNTRY as COUNTRY0_, epuser0_.PHONE as PHONE0_, epuser0_.FAX as FAX0_, epuser0_.CONTACT_NAME as CONTACT18_0_, epuser0_.CONTACT_OFFICEPHONE as CONTACT19_0_, epuser0_.CONTACT_CELLPHONE as CONTACT20_0_, epuser0_.CONTACT_FAX as CONTACT21_0_ from EP_USER epuser0_ where epuser0_.USERID=?
    Hibernate: select epauthorit0_.USERID as USERID__, epauthorit0_.AUTHORITY as AUTHORITY__, epauthorit0_.USERID as USERID0_, epauthorit0_.AUTHORITY as AUTHORITY0_, epauthorit0_.USERID as USERID0_ from EP_AUTHORITY epauthorit0_ where epauthorit0_.USERID=?
    2005-08-03 14:45:56,253 INFO [dk.dannet.eportal.dao.hibernate.UserManagerDaoHibernate] - <User loaded by name: 'user2': dk.dannet.eportal.util.AuthUser@c74de9: Username: user2; Password: [PROTECTED]; Enabled: false; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER>
    2005-08-03 14:45:56,253 WARN [dk.dannet.eportal.event.AuthenticationEventListener] - <Authentication failed due to account being disabled for user: user2; details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3>
    2005-08-03 14:45:56,253 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] - <Authentication exception occurred; redirecting to authentication entry point>
    net.sf.acegisecurity.DisabledException: User is disabled
        at net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider.authenticate(DaoAuthenticationProvider.java:246)
        at net.sf.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:159)
        at net.sf.acegisecurity.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
        at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:372)
        at net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:81)
        at net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter.doFilter(SecurityEnforcementFilter.java:182)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:153)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:206)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at net.sf.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:305)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:225)
        at net.sf.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:303)
        at net.sf.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:173)
        at net.sf.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:125)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:536)
    2005-08-03 14:45:56,253 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] - <Authentication entry point being called; target URL added to Session: http://localhost:8080/eportal/login.htm>
    2005-08-03 14:45:56,253 DEBUG [net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint] - <Redirecting to: http://localhost:8080/eportal/login.htm>
    2005-08-03 14:45:56,253 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@e8cc94: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:56,253 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <ContextHolder set to null as request processing completed>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /**; matched=true>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 1 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter@b7bf86'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter] - <Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@e8cc94: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 2 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter@2e34bf'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 3 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter@88f506'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter] - <Authorization header: null>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 4 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter@8e85b5'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter] - <ContextHolder not replaced with anonymous token, as ContextHolder already contained: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@9235c2: Username: dk.dannet.eportal.util.AuthUser@95a626: Username: user2; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER; Password: [PROTECTED]; Authenticated: true; Details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3; Granted Authorities: ROLE_EP_SC_SUPERUSER'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.util.FilterChainProxy] - </login.htm at position 5 of 5 in additional filter chain; firing Filter: 'net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter@395dab'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Converted URL to lowercase, from: '/login.htm'; to: '/login.htm'>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /index.jsp*; matched=false>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - <Candidate is: '/login.htm'; pattern is /login.htm*; matched=true>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] - <Secure object: FilterInvocation: URL: /login.htm; ConfigAttributes: [ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER]>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.providers.ProviderManager] - <Authentication attempt using net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider>
    2005-08-03 14:45:56,263 DEBUG [net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache] - <Cache hit: false; username: user2>
    Hibernate: select epuser0_.USERID as USERID0_, epuser0_.PASSWORD as PASSWORD0_, epuser0_.ENABLED as ENABLED0_, epuser0_.LOCKED as LOCKED0_, epuser0_.VALIDFROM as VALIDFROM0_, epuser0_.VALIDTO as VALIDTO0_, epuser0_.FAILEDLOGIN as FAILEDLO7_0_, epuser0_.PASSWORDEXPIREAT as PASSWORD8_0_, epuser0_.CONTRACTID as CONTRACTID0_, epuser0_.NAME as NAME0_, epuser0_.ADDRESS1 as ADDRESS10_, epuser0_.ADDRESS2 as ADDRESS20_, epuser0_.POSTALCODE as POSTALCODE0_, epuser0_.CITY as CITY0_, epuser0_.COUNTRY as COUNTRY0_, epuser0_.PHONE as PHONE0_, epuser0_.FAX as FAX0_, epuser0_.CONTACT_NAME as CONTACT18_0_, epuser0_.CONTACT_OFFICEPHONE as CONTACT19_0_, epuser0_.CONTACT_CELLPHONE as CONTACT20_0_, epuser0_.CONTACT_FAX as CONTACT21_0_ from EP_USER epuser0_ where epuser0_.USERID=?
    Hibernate: select epauthorit0_.USERID as USERID__, epauthorit0_.AUTHORITY as AUTHORITY__, epauthorit0_.USERID as USERID0_, epauthorit0_.AUTHORITY as AUTHORITY0_, epauthorit0_.USERID as USERID0_ from EP_AUTHORITY epauthorit0_ where epauthorit0_.USERID=?
    2005-08-03 14:45:56,423 INFO [dk.dannet.eportal.dao.hibernate.UserManagerDaoHibernate] - <User loaded by name: 'user2': dk.dannet.eportal.util.AuthUser@8448d5: Username: user2; Password: [PROTECTED]; Enabled: false; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_EP_SC_SUPERUSER>
    2005-08-03 14:45:56,423 WARN [dk.dannet.eportal.event.AuthenticationEventListener] - <Authentication failed due to account being disabled for user: user2; details: net.sf.acegisecurity.ui.WebAuthenticationDetails@329bcb: RemoteIpAddress: 127.0.0.1; SessionId: 0B7A172EBFA8D1FF169E3EE65E0026C3>
    2005-08-03 14:45:56,423 DEBUG [net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter] - <Authentication exception occurred; redirecting to authentication entry point>
    net.sf.acegisecurity.DisabledException: User is disabled
        at net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider.authenticate(DaoAuthenticationProvider.java:246)
        at net.sf.acegisecurity.providers.ProviderManager.doAuthentication(ProviderManager.java:159)
    Please, can anyone help me - I am lost here.
    Thanks

    /Jens
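The loop in the log above, reduced to a stand-alone simulation. This is an added illustration, not Acegi's code and not the poster's; every class and method name in it is made up. It models the three things the log shows: the interceptor re-authenticates the token stored in the session on every secured request (the "Authentication attempt using ... DaoAuthenticationProvider" line fires on a plain GET of /login.htm), the login page is itself a secured URL (its ConfigAttributes are ROLE_ANONYMOUS or one of the application roles), and an authentication failure is answered by a redirect to that same login page. With user2 now disabled, the session still carries an authenticated token for user2, so every hop re-fails and is redirected again. The `clearContextOnFailure` flag in `serve()` is an assumption about a remedy, not something the thread states: dropping the stored context before redirecting means the next request arrives as the anonymous token and the ROLE_ANONYMOUS attribute on /login.htm lets it through.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Simulation of the redirect loop between a secured login page and the
 * authentication entry point. Names are hypothetical; nothing here is Acegi.
 */
public class LoginRedirectLoopDemo {

    /** Stored principal no longer authenticates (the DAO reports ENABLED=false). */
    static final class DisabledException extends RuntimeException {
        DisabledException(String user) { super("User is disabled: " + user); }
    }

    /** Caller lacks every role the URL's ConfigAttributes allow. */
    static final class AuthenticationRequired extends RuntimeException {
        AuthenticationRequired(String url) { super("login required for " + url); }
    }

    /** Account store row: the enabled flag the provider re-checks, plus one granted role. */
    static final class Account {
        final String role;
        boolean enabled = true;
        Account(String role) { this.role = role; }
    }

    /** The HttpSession; 'principal' stands in for the ACEGI_SECURITY_CONTEXT attribute. */
    static final class Session {
        String principal; // username of the stored authenticated token, null = none stored
    }

    /** URL -> allowed roles, mirroring the two patterns visible in the log. */
    static final Map<String, Set<String>> OBJECT_DEFINITION = Map.of(
            "/login.htm", Set.of("ROLE_ANONYMOUS", "ROLE_EP_SC_SUPERUSER"),
            "/home.htm",  Set.of("ROLE_EP_SC_SUPERUSER"));

    /** Interceptor: re-authenticate whatever the session holds, then vote on the URL. */
    static void enforce(Session s, String url, Map<String, Account> store) {
        String role;
        if (s.principal == null) {
            role = "ROLE_ANONYMOUS";                       // anonymous token substituted
        } else {
            Account a = store.get(s.principal);            // provider re-check against the DAO
            if (a == null || !a.enabled) throw new DisabledException(s.principal);
            role = a.role;
        }
        if (!OBJECT_DEFINITION.get(url).contains(role)) throw new AuthenticationRequired(url);
    }

    /**
     * Serve one request, following entry-point redirects. Returns the number of
     * redirects taken before a page was served, or -1 when the redirect budget is
     * exhausted (the endless loop). clearContextOnFailure is the hypothetical remedy:
     * forget the stale token so the redirected request is anonymous, not user2.
     */
    static int serve(Session s, String url, Map<String, Account> store,
                     boolean clearContextOnFailure, int maxRedirects) {
        String target = url;
        for (int redirects = 0; redirects <= maxRedirects; redirects++) {
            try {
                enforce(s, target, store);
                return redirects;                          // page served
            } catch (DisabledException | AuthenticationRequired e) {
                if (clearContextOnFailure) s.principal = null;
                target = "/login.htm";                     // entry point redirect
            }
        }
        return -1;                                         // loop guard tripped
    }

    public static void main(String[] args) {
        Map<String, Account> store = new HashMap<>();      // constructed sample data
        store.put("user2", new Account("ROLE_EP_SC_SUPERUSER"));

        Session user2 = new Session();
        user2.principal = "user2";                         // user2 logged in earlier
        store.get("user2").enabled = false;                // user1 disables user2 mid-session

        System.out.println("stale token kept:  redirects=" + serve(user2, "/home.htm", store, false, 10));
        System.out.println("context cleared:   redirects=" + serve(user2, "/home.htm", store, true, 10));
    }
}
```

Run with `java LoginRedirectLoopDemo.java` (Java 11 or later). The first call never serves a page and reports the exhausted redirect budget; the second clears the context on the first failure, so the redirected request to /login.htm is anonymous and is served after a single redirect. The general property the model illustrates: whatever principal a failed request leaves in the session must be allowed to reach the entry point's target URL, otherwise the entry point redirects into itself.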

  2. #2
    Join Date
    Oct 2004
    Posts
    207

    Default

    Your login page may possibly require authentication...

    Could you post your filterChainProxy bean definition please?

  3. #3
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    4

    Default

    Here is an extract from web.xml concerning the Acegi filter:


    Code:
        <!-- ===================== FILTER DEFINITIONS ==================== -->
        <filter>
             <filter-name>Acegi Filter Chain Proxy</filter-name>
             <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
             <init-param>
                 <param-name>targetClass</param-name>
                 <param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
             </init-param>
        </filter>
    
        <filter>
            <filter-name>ResponseOverrideFilter</filter-name>
            <filter-class>org.displaytag.filter.ResponseOverrideFilter</filter-class>
        </filter>
    I also enclose the complete Acegi context file:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
        "http&#58;//www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    
        <!-- ======================== FILTER CHAIN ======================= -->
    
         <!--  if you wish to use channel security, add "channelProcessingFilter," in front
               of "httpSessionContextIntegrationFilter" in the list below -->
         <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
           <property name="filterInvocationDefinitionSource">
              <value>
                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                 PATTERN_TYPE_APACHE_ANT
                 /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,basicProcessingFilter,anonymousProcessingFilter,securityEnforcementFilter
              </value>
           </property>
         </bean>
    
        <!-- ============= SECURITY (AUTHENTICATION) BEANS YOU WILL RARELY (IF EVER) CHANGE ============ -->
    
        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider"/>
                    <ref local="runAsAuthenticationProvider"/>
                    <ref local="anonymousAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <!--
            <property name="authenticationDao"><ref local="inMemoryDaoImpl"/></property>
    -->
            <property name="authenticationDao"><ref local="authenticationDao"/></property>
            <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
            <property name="userCache"><ref local="userCache"/></property>
        </bean>
    
        <bean id="passwordEncoder" class="net.sf.acegisecurity.providers.encoding.PlaintextPasswordEncoder"/>
    
        <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
        <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
           <property name="cacheManager"><ref local="cacheManager"/></property>
           <property name="cacheName"><value>userCache</value></property>
        </bean>
    
        <bean id="userCache" class="net.sf.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
           <property name="cache"><ref local="userCacheBackend"/></property>
        </bean>
    
    
        <bean id="anonymousAuthenticationProvider" class="net.sf.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
           <property name="key"><value>foobar</value></property>
        </bean>
    
        <!-- ============= SECURITY (AUTHENTICATION) BEANS YOU SHOULD CHANGE ============ -->
    
        <bean id="authenticationDao" class="dk.dannet.eportal.dao.hibernate.UserManagerDaoHibernate">
            <property name="sessionFactory"><ref bean="sessionFactory"/></property>
        </bean>
    
        <!-- ============= SECURITY (ACCESS DECISION)  =================================== -->
    
        <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
            <property name="allowIfAllAbstainDecisions"><value>false</value></property>
            <property name="decisionVoters">
                <list>
                    <ref local="roleVoter"/>
                </list>
            </property>
        </bean>
    
        <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
        <!-- ============= SECURITY (INTERCEPTORS) BEANS YOU WILL RARELY (IF EVER) CHANGE ============ -->
    
        <!-- ===================== INTEGRATION FILTER ==================== -->
    
        <!-- Filter that ensures the contextHolder is present at the HTTPSession object.
        -->
        <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
           <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
        </bean>
    
        <!-- ============= FORM AUTHENTICATION ========================== -->
    
        <!-- Filter that enables form-based authentication.
             Redirects to /login.htm if NOT yet logged in. Otherwise redirects to defaultTargetUrl: ?
        -->
        <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager"><ref local="authenticationManager"/></property>
            <property name="authenticationFailureUrl">
                <value>/login.htm?login_error=1</value>
            </property>
            <property name="exceptionMappings">
              <props>
    <!--            <prop  key="net.sf.acegisecurity.BadCredentialsException">/login.jsp?login_error=1</prop>-->
                <prop  key="net.sf.acegisecurity.LockedException">/login.htm?login_error=2</prop>
                <prop  key="net.sf.acegisecurity.DisabledException">/login.htm?login_error=3</prop>
                <prop  key="net.sf.acegisecurity.CredentialsExpiredException">/login.htm?login_error=4</prop>
                <prop  key="net.sf.acegisecurity.AccountExpiredException">/login.htm?login_error=4</prop>
                <prop  key="net.sf.acegisecurity.AuthenticationServiceException">/login.htm?login_error=5</prop>
              </props>
            </property>
            <property name="defaultTargetUrl">
                <value>/home.htm</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    
        <!-- ===================== BASIC AUTHENTICATION ==================== -->
    
        <bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
            <property name="authenticationManager"><ref bean="authenticationManager"/></property>
            <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
        </bean>
    
        <bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
          <property name="realmName"><value>ePortal User</value></property>
        </bean>
    
        <!-- ============= ANONYMOUS AUTHENTICATION ======================== -->
    
        <bean id="anonymousProcessingFilter" class="net.sf.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
           <property name="key"><value>foobar</value></property>
           <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
        </bean>
    
        <!-- ===================== HTTP REQUEST SECURITY INTERCEPTOR ==================== -->
    
        <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
            <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
            <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
        </bean>
    
        <!-- Note the order that entries are placed against the objectDefinitionSource is critical.
             The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
             Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
        <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
            <property name="authenticationManager"><ref local="authenticationManager"/></property>
            <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
            <property name="runAsManager"><ref bean="runAsManager"/></property>
            <property name="objectDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /index.jsp*=ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER
                    /login.htm*=ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER
                    /logoff.htm*=ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER
                    /home.htm*=ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER
                    /searchtransactions.htm*=ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER, ROLE_EP_SC_USER, ROLE_EP_EXT_USER
                    /searchusers.htm*=ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER
                    /edituser.htm*=ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER
                    /newuser.htm*=ROLE_EP_SUPERVISOR, ROLE_EP_ADMINISTRATOR, ROLE_EP_OPERATOR, ROLE_EP_SC_SUPERUSER, ROLE_EP_EXT_SUPERUSER
                </value>
            </property>
        </bean>
    
        <bean id="authenticationProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl"><value>/login.htm</value></property>
            <property name="forceHttps"><value>false</value></property>
        </bean>
    
        <!-- ===================== AOP SECURITY INTERCEPTOR ======================== -->

    Hope you can help

  4. #4
    Join Date
    Mar 2005
    Location
    montreal, Canada
    Posts
    52

    Default

    Hi danjla.

    I'm not sure, but it's possible that because you have a security constraint on login.htm you enter an infinite loop.

    Usually your login page shouldn't be in the filterInvocationInterceptor.

    Again it's just a suggestion.

    Hope it helps

    paskos

  5. #5
    Join Date
    Oct 2004
    Posts
    207

    Default

    Exactly...
    Your filterInvocationInterceptor is configured to protect the login.htm and require a series of permissions.

    /login.htm*=ROLE_ANONYMOUS, ROLE_EP_SUPERVISOR......

    Remove that and you should be fine.

    And yes, I asked for the wrong bean when I said filterChainProxy, I'm glad you posted the whole file :)

  6. #6
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    4

    Default

    Super - Thanks a lot
    I could not have figured that out myself!


    But I am not sure I understand why it works. I thought that the filterInvocationInterceptor would allow /login.htm to pass through as ROLE_ANONYMOUS was an allowed role. Did I miss the point here?

    Could you explain, why it is working now? Thanks a lot in advance
    /Jens

  7. #7
    Join Date
    Oct 2004
    Posts
    207

    Default

    I think it may be because the user isn't anonymous, the user is disabled. Being disabled ends the process right off the bat. That's my theory at least.

    Placing your login page behind the security filters is like locking your keys in your car. Sure, the keys are safe, but now what? :)
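
    As an added illustration of the explanation given in #5 and #7 (a constructed model, not Acegi's own code and not the poster's configuration), the following Python sketch walks a locked user's request through a first-match objectDefinitionSource and the entry point's redirect: with /login.htm among the protected patterns the same redirect repeats, with it removed the login page is reached. Class and function names, the account dictionary and the rule subset are hypothetical.

```python
import fnmatch
# Constructed model (not Acegi's code) of the flow the replies describe: the
# SecurityEnforcementFilter redirects authentication failures to the loginFormUrl.
LOGIN_FORM_URL = "/login.htm"
# Constructed subset of the objectDefinitionSource posted above.
DEFINITION_SOURCE = """
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /login.htm*=ROLE_ANONYMOUS, ROLE_EP_OPERATOR
    /home.htm*=ROLE_EP_OPERATOR
"""
# Constructed account: user2 after user1 set locked=true.
USER2_LOCKED = {"name": "user2", "locked": True, "roles": ["ROLE_EP_OPERATOR"]}
class LockedException(Exception): pass  # stands in for net.sf.acegisecurity.LockedException
def parse_definition_source(text):
    """Parse into [(lowercased pattern, roles)]; order matters, the FIRST match wins."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(("CONVERT_URL", "PATTERN_TYPE")):
            continue  # directives, not URL rules
        pattern, roles = line.split("=", 1)
        rules.append((pattern.strip().lower(), {r.strip() for r in roles.split(",")}))
    return rules

def authenticate(user):
    """Provider behaviour the thread relies on: a locked account never authenticates."""
    if user["locked"]:
        raise LockedException(user["name"])
    return set(user["roles"])

def intercept(rules, url, user):
    """Authenticate and vote only for URLs matching a rule (Ant '*' approximated with fnmatch)."""
    for pattern, allowed in rules:
        if fnmatch.fnmatchcase(url.lower(), pattern):
            granted = authenticate(user)  # raises LockedException for a locked account
            if not granted & allowed:
                raise PermissionError(url)
            return

def follow_request(rules, url, user, max_hops=10):
    """URLs the browser visits; more than max_hops entries means the redirect never settles."""
    visited = [url]
    while len(visited) <= max_hops:
        try:
            intercept(rules, visited[-1], user)
            return visited  # page served, chain ends
        except LockedException:
            visited.append(LOGIN_FORM_URL)  # entry point sends the same redirect every time
    return visited
```

    Dropping the /login.htm* rule from the parsed list is the change suggested in #5; a locked account then stops at the login page instead of being bounced back to it.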

  8. #8
    Join Date
    Aug 2005
    Location
    Denmark
    Posts
    4

    Default

    Thanks for your help
