
Thread: Newbie question, i.e., how to get authentication to work...

  1. #1

    Newbie question, i.e., how to get authentication to work...

    Hi, I am exploring the possibilities of changing our EJB/J2EE based system to be running on Spring&Acegi&Tomcat as soon as possible. I got easily to the point in which I converted my demo EJB and its client to a Spring framework based servlet and a corresponding client utilising HttpInvokerProxyFactoryBean. The ultimate goal is to have a java CLI client (a former EJB client) that can call methods from a server class residing inside a servlet (a former EJB) + A&A for the server side (and here authorisation is needed at method-level, just like in J2EE); no WebUIs are in the picture.

    The first part of the goal is OK, but unfortunately I haven't had time yet to go beyond the first A, so the first question is how to get authentication working properly? I have in my servlet's web.xml these spring/acegi related items:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/security.xml
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    and in the security.xml these entries:

    <beans>

    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
    <list>
    <ref local="JAASAuthenticationProvider"/>
    </list>
    </property>
    </bean>

    <bean id="JAASAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider">
    <property name="loginConfig">
    <value>/WEB-INF/myJAAS.conf</value>
    </property>
    <property name="loginContextName">
    <value>demoLogin</value>
    </property>
    <property name="callbackHandlers">
    <list>
    <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/>
    <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/>
    </list>
    </property>
    <property name="authorityGranters">
    <list>
    <bean class="com.my.own.security.AuthorityGranter"/>
    </list>
    </property>
    </bean>

    </beans>

    Should this be enough for enabling authentication using my own JAAS modules or am I missing some important entries? Anyway, my servlet does not even start in Tomcat with these configurations and I have not been able to pinpoint the exact cause for the failure. Furthermore, it starts and works OK (however, with no security) if I comment out the above entries in the security.xml. All classes are found properly (at least I do not see any related errors in the logs, but I do see that the acegi classes are at least loaded) - so I am a bit puzzled here. Should this even work? The next question would then be how to configure authorisation most easily, i.e., how to most easily duplicate what ejb-jar.xml is doing for EJBs?

    I would very much appreciate advice - and perhaps even clear howtos, if that is not asking too much - on the subject, although I am probably asking the very stupid and basic question (my deep apologies for that). Or is there a good and _simple_ example application showing how to convert a basic CLI client-server system + especially the A&A from the J2EE world to the Spring/Acegi world?

    Thanks...

  2. #2


    In your web.xml you have to define the filters:
    Code:
    <!-- Obtains Authentication from HttpSession attribute, puts it into -->
    <!-- ContextHolder for request duration, proceeds with request, then -->
    <!-- copies Authentication from ContextHolder back into HttpSession -->
    <filter>
        <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ACEGI-HTTP-REQUEST-SECURITY-FILTER</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
        <url-pattern>/remoting/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>Acegi Authentication Processing Filter</filter-name>
        <url-pattern>/remoting/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
        <filter-name>ACEGI-HTTP-REQUEST-SECURITY-FILTER</filter-name>
        <url-pattern>/remoting/*</url-pattern>
    </filter-mapping>

    PS: you would do better with a filter chain... but it is not necessary.

    And in your security.xml:
    Code:
    <!-- Integration filter declaration -->
    <!-- responsible for communicating with the user's session -->
    <!-- to store the user's authentication in the ContextHolder. -->
    <bean id="httpSessionIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
        <property name="context">
            <value>org.acegisecurity.context.SecurityContextImpl</value>
        </property>
    </bean>
    	
    <!-- Basic processing filter declaration -->
    <!-- processes an HTTP request's BASIC authorization headers, placing the result into the ContextHolder. -->
    <bean id="basicProcessingFilter" 
        class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
        <property name="authenticationManager">
            <ref local="authenticationManager"/>
        </property>
        <property name="authenticationEntryPoint">
            <ref local="basicProcessingFilterEntryPoint"/>
        </property>
    </bean>
    
    <bean id="basicProcessingFilterEntryPoint" 
         class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
        <property name="realmName">
            <value>ATDL3 realm</value>
        </property>
    </bean>
    	
    <!-- Security enforcement filter -->
    <!-- wraps requests to the FilterSecurityInterceptor, which defines the URLs that roles can access -->
    <bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
        <property name="filterSecurityInterceptor">
            <ref bean="filterInvocationInterceptor"/>
        </property>
        <property name="authenticationEntryPoint">
            <ref bean="basicProcessingFilterEntryPoint"/>
        </property>
    </bean>
    	
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
        </property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=ROLE_USER,ROLE_SUPERVISOR 
            </value>
        </property>
    </bean>
    
    <!-- ========== Access decision manager and voters ============================= -->
    	
    <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions">
            <value>false</value>
        </property>
        <property name="decisionVoters">
            <list>
                <ref local="roleVoter"/>
            </list>
        </property>
    </bean>
    	
    <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

    Now you may choose the filters you want (see the API)...
    Last edited by descat; Feb 3rd, 2006 at 02:02 AM.

  3. #3


    Hi, and many thanks for the helpful answer. I got to the point in which my servlet starts OK and when I try to run my client, it receives a security related exception. However, I still dare to ask further advice for achieving method level authorisation. It seems that I'd need this kind of entry into the security.xml:

    "
    <bean id="methodInvocationInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/>
    </property>
    <property name="objectDefinitionSource">
    <value>
    com.my.demo.remotetest.model.DemoServiceImpl.readStuff=ROLE_TEST
    </value>
    </property>
    </bean>
    "

    However, from which of the given filters (see the previous posting in the thread) should I call this (and how) - or do I need some other entries either in web.xml or my security.xml?

    Thanks in advance...

  4. #4


    Quote Originally Posted by zeikman
    Hi, and many thanks for the helpful answer. I got to the point in which my servlet starts OK and when I try to run my client, it receives a security related exception. However, I still dare to ask further advice for achieving method level authorisation. It seems that I'd need this kind of entry into the security.xml:

    "
    <bean id="methodInvocationInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager">
    <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/>
    </property>
    <property name="objectDefinitionSource">
    <value>
    com.my.demo.remotetest.model.DemoServiceImpl.readStuff=ROLE_TEST
    </value>
    </property>
    </bean>
    "

    However, from which of the given filters (see the previous posting in the thread) should I call this (and how) - or do I need some other entries either in web.xml or my security.xml?

    Thanks in advance...

    You can use this advice in combination with a ProxyFactoryBean to create your final Bean. Personally I don't care much for the AutoProxyCreators.

    If you use the ProxyFactoryBean solution, you will have the same kind of configuration as with Transactions.

    example
    Code:
    <bean id="itemManagerSecurityAdvice"
          class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes" value="true"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <value>
                nl.ilse.arms.businesslogic.managers.ItemManager.saveOrUpdate*=ACL_SAVEORUPDATE_ITEM,ROLE_ADMIN
                nl.ilse.arms.businesslogic.managers.ItemManager.delete*=ROLE_ADMIN
            </value>
        </property>
    </bean>

    <bean id="itemManagerSecured"
          class="org.springframework.aop.framework.ProxyFactoryBean">
        <property name="target" ref="itemManagerCore"/>
        <property name="interfaces" value="nl.ilse.arms.businesslogic.managers.ItemManager"/>
        <property name="interceptorNames">
            <list>
                <value>itemManagerSecurityAdvice</value>
            </list>
        </property>
    </bean>
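As an added illustration (not code from any poster in this thread), the ProxyFactoryBean pattern above carried through to the HttpInvoker remoting endpoint the thread is about, using the org.acegisecurity package names of the original poster's configuration. It assumes a `com.my.demo.remotetest.model.DemoService` interface implemented by `DemoServiceImpl`, a DispatcherServlet mapped to `/remoting/*` in web.xml, and the `authenticationManager` and `accessDecisionManager` beans from the earlier posts.

```xml
<!-- Constructed example. The point it makes: the MethodSecurityInterceptor is
     not "called from" a filter; it runs only when a caller goes through the
     ProxyFactoryBean proxy. So the remoting exporter must reference the
     secured proxy, never the core bean, or the method rules are bypassed. -->
<beans>

  <!-- Core implementation (assumed class); holds no security logic itself. -->
  <bean id="demoServiceCore"
        class="com.my.demo.remotetest.model.DemoServiceImpl"/>

  <!-- Method-level rules keyed on the interface name (assumed interface). -->
  <bean id="demoServiceSecurityAdvice"
        class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="validateConfigAttributes" value="true"/>
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        com.my.demo.remotetest.model.DemoService.readStuff=ROLE_TEST
      </value>
    </property>
  </bean>

  <!-- The proxy every caller must use. A bean that does <ref bean="demoServiceCore"/>
       instead of this one gets an unsecured object. -->
  <bean id="demoServiceSecured"
        class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="target" ref="demoServiceCore"/>
    <property name="interfaces" value="com.my.demo.remotetest.model.DemoService"/>
    <property name="interceptorNames">
      <list>
        <value>demoServiceSecurityAdvice</value>
      </list>
    </property>
  </bean>

  <!-- Remoting endpoint. With the DispatcherServlet mapped to /remoting/* this
       bean name resolves to /remoting/DemoService, so the Acegi filters mapped
       to /remoting/* in web.xml authenticate the request (BASIC) before the
       exporter invokes the proxy and the interceptor checks ROLE_TEST. -->
  <bean name="/DemoService"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="demoServiceSecured"/>
    <property name="serviceInterface" value="com.my.demo.remotetest.model.DemoService"/>
  </bean>

</beans>
```

A quick check that the wiring is effective: call `readStuff` over HttpInvoker as an authenticated user without ROLE_TEST and confirm an AccessDeniedException comes back rather than a result.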

  5. #5


    out of the reference manual : "Acegi Security provides a MethodDefinitionSourceAdvisor which may be used with Spring's DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor".

  6. #6


    Hi, and many thanks for the replies. Due to other tasks, I have not had time to tackle this problem until now. I have applied Alarmnummer's instructions to my case, but I am wondering whether I should (here I refer to the example given by Alarmnummer) call the bean itemManagerSecured from some place, e.g., from a filter in the web.xml? Or do these definitions for method level authorisation get used automagically? You gurus would not happen to know any pointers to a simple real-life example of a working HttpInvokerProxyFactoryBean based (J2EE-like) CLI client-server system A&A?

    Thanks for your patience...
