
Thread: authentication successful but browser displays login page

  1. #1
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    Hi,

    I'm making my first steps to integrate Acegi as a weblogic replacement.

    I use the following definition in web.xml:

    Code:
    <welcome-file-list>
            <welcome-file>secured/redirect.jsp</welcome-file>
        </welcome-file-list>
    
        <filter>
          <filter-name>Acegi-Integration</filter-name>
          <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
             <param-name>targetClass</param-name>
             <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
          </init-param>
       </filter>
    
       <filter>
          <filter-name>Acegi-Authentication</filter-name>
          <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
          <init-param>
             <param-name>targetClass</param-name>
                <param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
          </init-param>
       </filter>
    
       <filter-mapping>
          <filter-name>Acegi-Integration</filter-name>
             <url-pattern>/*</url-pattern>
       </filter-mapping>
    
    
       <filter-mapping>
          <filter-name>Acegi-Authentication</filter-name>
             <url-pattern>/*</url-pattern>
       </filter-mapping>
    and the following beans:

    Code:
    <bean id="httpSessionIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
              <property name="context" value="net.sf.acegisecurity.context.security.SecureContextImpl"/>
        </bean>
    
        <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager">
                <ref bean="authenticationManager"/>
            </property>
            <property name="authenticationFailureUrl">
                <value>/login_error.jsp</value>
            </property>
            <property  name="defaultTargetUrl">
                <value>/</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    
        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref bean="safewordAuthenticationProvider"/>
                </list>
            </property>
        </bean>
    
        <bean id="safewordAuthenticationProvider" class="com.itp.gt.security.acegi.providers.SafewordAuthenticationProvider">
    
        </bean>

    the safewordAuthenticationProvider implementation looks like:


    Code:
    public Authentication authenticate(Authentication authentication) throws AuthenticationException
    {
        Authentication auth = null;

        String loginName = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        // Declared outside the try block so it is still in scope for the checks below.
        User user = null;
        try {
            user = UserDAO.getUser(loginName);
        }
        catch (Exception e) {
            throw new AuthenticationServiceException("Exception getting user from database: ", e);
        }

        if (user == null) {
            throw new BadCredentialsException("User " + loginName + " Not Found!");
        }
        // check password:
        if (user.getPassword().equals(password)) {
            try {
                // load permissions:
                UserPermissions perms = UserDAO.loadPermissionsForUser(user);
                auth = new UsernamePasswordAuthenticationToken(user, perms);
                auth.setAuthenticated(true);
            }
            catch (Exception e) {
                throw new AuthenticationServiceException("Exception logging in user: ", e);
            }
        }
        else {
            throw new BadCredentialsException("Password for User " + loginName + " Did Not Match!");
        }
        return auth;
    }

    // This provider only handles username/password tokens.
    public boolean supports(Class authentication)
    {
        if (authentication.equals(UsernamePasswordAuthenticationToken.class)) { return true; }

        return false;
    }
    and using debug logging (not in the code above) I see that when the user+password combination is correct, login is successful.

    However, there is something I'm probably missing here, as a successful login results only in a refresh to the login screen.

    Can anyone point me to what I am doing wrong?

    Thanks

    naor

  2. #2
    Join Date: Oct 2004 | Location: Germany, Mainz | Posts: 19

    From the documentation:
    Once the ContextHolder has been updated, the browser will need to be redirected to the target URL. The target URL is usually indicated by the HttpSession attribute specified by AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY. This attribute is automatically set by the SecurityEnforcementFilter when an AuthenticationException occurs, so that after login is completed the user can return to what they were trying to access. If for some reason the HttpSession does not indicate the target URL, the browser will be redirected to the defaultTargetUrl property.
    But perhaps you are using JSF or something different and need to populate the direction you want to on your own?
    Do you use a different view technology than plain JSP?

    Regards Johannes

  3. #3
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    Thanks for your help,

    I do use a homegrown MVC framework, but the target URL for a successful login is always /secured/redirect.jsp

    Where should I specify this ACEGI_SECURITY_TARGET_URL_KEY?

    naor

  4. #4
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    I've fixed the bean definition to be:

    Code:
    <bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="authenticationManager">
                <ref bean="authenticationManager"/>
            </property>
            <property name="authenticationFailureUrl">
                <value>/login_error.jsp</value>
            </property>
            <property  name="defaultTargetUrl">
                <value>/secured/redirect.jsp</value>
            </property>
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
        </bean>
    but I still get the login screen again after logging in.

    Any idea?

  5. #5
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    This is the trail of debug output I currently get:

    Code:
    Token@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities
    Oct-09-2005 18:02:45 DEBUG (AbstractProcessingFilter.java:372) - Updated ContextHolder to contain the following Authentication: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
    Oct-09-2005 18:02:45 DEBUG (AbstractProcessingFilter.java:389) - Redirecting to target URL from HTTP Session (or default): /myapp/secured/redirect.jsp
    Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
    Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
    Oct-09-2005 18:02:45 DEBUG (HttpSessionContextIntegrationFilter.java:183) - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
    Oct-09-2005 18:02:46 DEBUG (__login.java:154) - Session ID: DJbBm2S918LG7RppyqT1JflrpG1zmGrS7Pfd09t1dcllLLmtCFHQ!792637006!1128880961625
    Oct-09-2005 18:02:46 DEBUG (__login.java:155) - request.getRemoteUser(): null
    Oct-09-2005 18:02:46 DEBUG (__login.java:156) - Security.getCurrentUser(): null
    Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
    Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed

    naor

  6. #6
    Join Date: Oct 2004 | Location: Germany, Mainz | Posts: 19

    Hi,
    I am not sure, as I am not really an expert on Acegi yet, but what doesn't seem to be okay is that you don't get any authorities granted.
    As I can see in your log:
    Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@3a1b6e: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@5b0c7e: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Not granted any authorities'
    Oct-09-2005 18:02:46 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed

    Not granted any authorities'


    How do you retrieve your authorities?

    Regards Johannes

  7. #7
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    I've modified the code to set a JaasGrantedAuthority:

    Code:
    auth = new UsernamePasswordAuthenticationToken(user, perms, new GrantedAuthority[]{new JaasGrantedAuthority("user_role", user)});
    and now the debug shows:

    Code:
    Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:365) - Authentication success: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role
    Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:372) - Updated ContextHolder to contain the following Authentication: 'net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
    Oct-09-2005 18:17:56 DEBUG (AbstractProcessingFilter.java:389) - Redirecting to target URL from HTTP Session (or default): /myapp/secured/redirect.jsp
    Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
    Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
    Oct-09-2005 18:17:57 DEBUG (HttpSessionContextIntegrationFilter.java:183) - Obtained from ACEGI_SECURITY_CONTEXT a valid Context and set to ContextHolder: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
    Oct-09-2005 18:18:00 DEBUG (__login.java:154) - Session ID: DJpQhHCBs38h1NjpN2G7Mxr1ps4bhN4lNJ2PXWg7CzNW40LQfvLF!1805436806!1128881872906
    Oct-09-2005 18:18:00 DEBUG (__login.java:155) - request.getRemoteUser(): null
    Oct-09-2005 18:18:00 DEBUG (__login.java:156) - Security.getCurrentUser(): null
    Oct-09-2005 18:18:00 DEBUG (HttpSessionContextIntegrationFilter.java:278) - Context stored to HttpSession: 'net.sf.acegisecurity.context.security.SecureContextImpl@292be3: Authentication: net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken@4bd0ca: Username: naor; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: user_role'
    Oct-09-2005 18:18:00 DEBUG (HttpSessionContextIntegrationFilter.java:287) - ContextHolder set to null as request processing completed
    but I still get the login screen and /secured/redirect.jsp is not being called.



    naor

  8. #8
    Join Date: Oct 2004 | Location: Germany, Mainz | Posts: 19

    Hm, okay, next idea: you said you are using a homegrown MVC framework, could you tell me how you handle redirects in your framework?
    In JSF, for example, I had the issue that the redirection didn't work either, because JSF overrides the redirection with its own navigation handler.

    Regards Johannes

  9. #9
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    I've looked into that and enabled debug on our MVC control servlet and related code, but I don't see that it is being called at all.

    naor

  10. #10
    Join Date: Jul 2005 | Location: NYC | Posts: 26

    Figured it out.

    It turned out that I had to comment out my existing WebLogic security in config.xml.
    Once this was done, the redirect works fine and I hit the next issue.

    When done using the WebLogic/JAAS provider, the authorization sets the UserPrincipal in the HTTP request. This is later used by various pages that call request.getUserPrincipal() to get the user object.
    However, with the Acegi authorization this call returns null.

    Can anyone please advise? Am I missing something here?

    naor
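
For the `request.getUserPrincipal()` question in post #10, one approach is a servlet filter that wraps each request and answers the servlet security methods from Acegi's `ContextHolder`. This is an added example, not code from the thread or from Acegi; the class name `AcegiPrincipalRequestFilter` and its package are hypothetical, and it assumes the 0.8-era `ContextHolder`/`SecureContext` API that the thread's class names and log lines point to.

```java
package com.example.security; // hypothetical package and class name (added example)

import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.http.*;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.context.Context;
import net.sf.acegisecurity.context.ContextHolder;
import net.sf.acegisecurity.context.security.SecureContext;

// Exposes the Acegi Authentication through the standard servlet security methods.
public class AcegiPrincipalRequestFilter implements Filter {
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new AcegiRequest((HttpServletRequest) req), res);
    }

    static class AcegiRequest extends HttpServletRequestWrapper {
        AcegiRequest(HttpServletRequest request) { super(request); }

        // Assumption: 0.8-era API, where the holder carries a SecureContext.
        // Unauthenticated or missing tokens are treated as "no user".
        private Authentication current() {
            Context ctx = ContextHolder.getContext();
            if (!(ctx instanceof SecureContext)) return null;
            Authentication auth = ((SecureContext) ctx).getAuthentication();
            return (auth != null && auth.isAuthenticated()) ? auth : null;
        }
        public Principal getUserPrincipal() {
            Authentication auth = current();
            if (auth == null) return null;
            Object p = auth.getPrincipal();
            // Hand back the application's own object if it already is a Principal.
            if (p instanceof Principal) return (Principal) p;
            final String name = String.valueOf(p);
            return new Principal() { public String getName() { return name; } };
        }
        public String getRemoteUser() {
            Principal p = getUserPrincipal();
            return p == null ? null : p.getName();
        }
        public boolean isUserInRole(String role) {
            Authentication auth = current();
            GrantedAuthority[] granted = auth == null ? null : auth.getAuthorities();
            for (int i = 0; granted != null && i < granted.length; i++)
                if (granted[i].getAuthority().equals(role)) return true;
            return false;
        }
    }
}
```

The filter has to be mapped in web.xml after the `Acegi-Integration` filter, so that `ContextHolder` is already populated from the session when the wrapper is consulted. Pages that cast the result of `getUserPrincipal()` to the application's user class only work if that class implements `java.security.Principal`.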
