
Thread: ROLE Question

  1. #1
    Join Date
    Apr 2005
    Posts
    23

    Default ROLE Question

    I have integrated Acegi into my application and am now trying to assign roles. I want two roles: 1) Regular User 2) View only user. I was planning on using the ROLE_SUPERVISOR and ROLE_USER (for view). If I use one role everything works fine. When I add the other role I start getting access denied errors. I am using the net.sf.acegisecurity.vote.RoleVoter.

    Code:
    /*.htm*=ROLE_USER,ROLE_SUPERVISOR
    For now I am using in memory while I develop

    Code:
    <value>
      User=pass,ROLE_USER,ROLE_SUPERVISOR
      User2=pass2,ROLE_USER
    </value>
    Code:
    HTTP Status 403 - Access is denied.
    
    --------------------------------------------------------------------------------
    
    type Status report
    
    message Access is denied.
    
    description Access to the specified resource (Access is denied.) has been forbidden.
    
    
    --------------------------------------------------------------------------------
    
    Apache Tomcat/5.0.18
    User gets in fine. User2 does not get in (error above). I read and re-read the info in the reference document and it seems that this setup should work fine.

    Help please.....

    Thanks

  2. #2
    Join Date
    Aug 2005
    Location
    Bologna, Italy
    Posts
    79

    Default

    I don't know but shouldn't that be:
    Code:
    /*.htm**=ROLE_USER,ROLE_SUPERVISOR
    and not
    Code:
    /*.htm*=ROLE_USER,ROLE_SUPERVISOR
    ?

  3. #3
    Join Date
    Jul 2005
    Posts
    3

    Default

    Can you post all of your config about FilterSecurityInterceptor?

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    Which AccessDecisionManager are you using?
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  5. #5
    Join Date
    Apr 2005
    Posts
    23

    Default

    Here is my application context and web.xml.

    accessDecisionManager = net.sf.acegisecurity.vote.UnanimousBased

    applicationContext.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://webster/dtd/spring-beans.dtd">
    
    <beans>
        		
    	<!--  Security Section  -->
    	
    	<bean id="memoryAuthenticationDao" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    		<property name="userMap">
    			<value>
    				rfulcher=rfulcher,ROLE_USER,ROLE_SUPERVISOR
    				rfulcher2=rfulcher2,ROLE_USER
    			</value>
    		</property>
    	</bean>
    	
    	<bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
    		<property name="authenticationDao">
            	<ref local="memoryAuthenticationDao"/>
         	</property>
    	</bean>
    	
    	<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
        	<property name="providers">
            	<list>
                	<ref bean="daoAuthenticationProvider"/>
            	</list>
        	</property>
    	</bean>
        
      <!--  Filter Wiring  -->
      	<!-- HttpSessionContextIntegrationFilter -->
      	<bean id="httpSessionIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
    		<property name="context">
    			<value>net.sf.acegisecurity.context.security.SecureContextImpl</value>
    		</property>
    	</bean>
    	
    	<!-- ********* AuthenticationProcessingFilter ********* -->
        <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    	    <property name="authenticationManager">
    	        <ref bean="authenticationManager"/>
    	    </property>
    	    <property name="authenticationFailureUrl">
    	        <value>/index.jsp?error=1</value>
    	    </property>
    	    <property  name="defaultTargetUrl">
    	        <value>/main.htm</value>
    	    </property>
    	    <property name="filterProcessesUrl">
    	        <value>/j_acegi_security_check</value>
    	    </property>
    	</bean>
    	
    	<!-- ******************************************************************************************************** -->
    	
    	<!-- ********* Security Enforcement area ********* -->
    	<bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
    	    <property name="filterSecurityInterceptor">
    	        <ref bean="filterInvocationInterceptor"/>
    	    </property>
    	    <property name="authenticationEntryPoint">
    	        <ref bean="authenticationEntryPoint"/>
    	    </property>
    	</bean>
    	
    	<bean id="authenticationEntryPoint" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    	    <property name="loginFormUrl">
    	        <value>/index.jsp</value>
    	    </property>
    	    <property name="forceHttps">
    	    	<value>false</value>
    	    </property>
    	</bean>
    	
    	<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
    	    <property name="authenticationManager">
    	        <ref bean="authenticationManager"/></property>
    	    <property name="accessDecisionManager">
    	        <ref bean="accessDecisionManager"/></property>
    	    <property name="objectDefinitionSource">
    	        <value>
    	            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    	            PATTERN_TYPE_APACHE_ANT
    	            /*.htm*=ROLE_USER,ROLE_SUPERVISOR
    	        </value>
    	    </property>
    	</bean>
    	
    	<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
    	<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.UnanimousBased">
    	    <property name="allowIfAllAbstainDecisions">
    	        <value>false</value>
    	    </property>
    	    <property name="decisionVoters">
    	        <list>
    	           <ref local="roleVoter"/>
    	        </list>
    	    </property>
    	</bean>
    	<!-- ******************************************************************************************************** -->
    	
        
    </beans>

    web.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://webster/dtd/web-app_2_3.dtd'>
    
    <web-app>
      <servlet>
        <servlet-name>bpt</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      
      
    <!-- *********  These are the filters for authentication and security ********* -->
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener> 
       
      <filter>
        <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
          <param-name>targetClass</param-name>
          <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
        </init-param>
      </filter>
        
      <filter>
        <filter-name>Acegi-Authentication</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
        </init-param>
      </filter>
      
      <!-- this filter is added for security enforcement (locking down resources) -->
      <filter>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
      </filter>
    
      <filter-mapping>
        <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
        
      <filter-mapping>
        <filter-name>Acegi-Authentication</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      
      <!--  Corresponding filter mapping for security enforcement -->
      <filter-mapping>
        <filter-name>Acegi HTTP Request Security Filter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>	
    <!-- ************************************************************************************** -->
      
    
      <servlet-mapping>
        <servlet-name>bpt</servlet-name>
        <url-pattern>*.htm</url-pattern>
      </servlet-mapping>
      
      <welcome-file-list>
        <welcome-file>
          index.jsp
        </welcome-file>
      </welcome-file-list>
        
      <resource-ref>
        <res-ref-name>jdbc/bpt</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>
      
      <taglib>
      	<taglib-uri>/spring</taglib-uri>
      	<taglib-location>/WEB-INF/spring.tld</taglib-location>
      </taglib>
        
    </web-app>
    Thanks for any help. I really like Acegi and want to use it on a lot of projects.

    Thanks

  6. #6
    Join Date
    Apr 2005
    Posts
    23

    Default

    Ben,

    Thanks for asking that question. I took a look and re-read the section in the reference document and changed the accessDecisionManager to net.sf.acegisecurity.vote.AffirmativeBased. I have to admit that I thought that I understood it but I really didn't. My only question now is are the classes that are listed under net.sf.acegisecurity.vote interchangeable with the accessDecisionManager and the roleVoter?

    Thanks so much for your help. I really appreciate it and really appreciate the great code that you have created.

  7. #7
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Default

    You can use any AccessDecisionManager implementation with any AccessDecisionVoter implementation.

    So, put differently, UnanimousBased, AffirmativeBased and ConsensusBased can each be used without an issue with RoleVoter and BasicAclEntryVoter.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
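
Added example (not part of the original thread and not Acegi source code): a simplified Java model of why `/*.htm*=ROLE_USER,ROLE_SUPERVISOR` rejects the ROLE_USER-only account under UnanimousBased but admits it under AffirmativeBased. The class and method names are illustrative, and the model assumes a single RoleVoter-style voter, with the unanimous manager polling it once per configuration attribute and the affirmative manager passing it the whole attribute list.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of the voting semantics discussed in this thread.
// Not Acegi source code; class and method names are illustrative.
public class VoteDemo {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // RoleVoter-style vote: abstain if no ROLE_ attribute is present,
    // grant if the user holds any listed role, otherwise deny.
    static int roleVote(List<String> held, List<String> required) {
        int result = ABSTAIN;
        for (String attr : required) {
            if (!attr.startsWith("ROLE_")) continue;
            if (held.contains(attr)) return GRANTED;
            result = DENIED;
        }
        return result;
    }

    // AffirmativeBased-style: the voter sees the whole attribute list at once,
    // so holding any one of the listed roles is enough.
    static boolean affirmative(List<String> held, List<String> required) {
        return roleVote(held, required) == GRANTED;
    }

    // UnanimousBased-style: each attribute is voted on separately and a
    // single deny rejects the request, so every listed role is required.
    static boolean unanimous(List<String> held, List<String> required) {
        int grants = 0;
        for (String attr : required) {
            int vote = roleVote(held, Arrays.asList(attr));
            if (vote == DENIED) return false;
            if (vote == GRANTED) grants++;
        }
        return grants > 0; // models allowIfAllAbstainDecisions = false
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the userMap posted in the thread.
        List<String> required = Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR");
        List<String> user = Arrays.asList("ROLE_USER", "ROLE_SUPERVISOR");
        List<String> user2 = Arrays.asList("ROLE_USER");
        System.out.println("User  unanimous=" + unanimous(user, required)
                + " affirmative=" + affirmative(user, required));
        System.out.println("User2 unanimous=" + unanimous(user2, required)
                + " affirmative=" + affirmative(user2, required));
    }
}
```

In this model a comma-separated role list behaves as AND under the unanimous manager and as OR under the affirmative one, so switching managers changes who can reach every URL pattern that lists more than one role.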
