Results 1 to 4 of 4

Thread: images over SSL w/ IE

  1. Apr 1st, 2006, 04:55 AM #1
    paulnw
    paulnw is offline Junior Member
    Join Date
    Apr 2006
    Posts
    6

    Default images over SSL w/ IE

    I have been working happily w/ Acegi until it came time to test some parts of my web app w/ IE. I have since learned that IE has a *feature* where it does not download linked content from a secure connection w/ certain combinations of header values. I'm guessing my problem is simliar to what these different groups have come across.

    The header content from a page secured w/ Acegi on my machine is:

    Server: Apache-Coyote/1.1
    Pragma: No-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store
    Content-Type: text/html;charset=UTF-8
    Content-Language: en-US
    Transfer-Encoding: chunked
    Date: Sat, 01 Apr 2006 10:37:57 GMT

    200 OK

    Reading the above links and others on the web indicate that these two lines are causing my problems:
    Pragma: No-cache
    Cache-Control: no-cache, no-store

    When Tomcat sees a secure connection, it will automatically apply those headers to the response, causing some obvious difficulties.

    Having not come across this before though, I went back to a Struts app still on the same box, visited a secure page in it, and it worked fine for IE - its response header for the secure page is:

    Server: Apache-Coyote/1.1
    Content-Type: text/html;charset=ISO-8859-1
    Transfer-Encoding: chunked
    Date: Sat, 01 Apr 2006 10:43:48 GMT

    200 OK

    I'm just about out of ideas, and would appreciate any thoughts on getting past this.

    Thanks,

    Paul
  2. Apr 2nd, 2006, 08:18 AM #2
    Luke Taylor
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Hi,

    It's not clear whether you're just looking for general suggestions on the problem or do you have some reason to believe that Acegi is influencing the headers that are being produced (other than the difference with the struts app)? If so you'll need to give more specific information on what Acegi features you're using.

    Do you still see the same headers with Acegi's filters disabled completely?

    What transport constraints (if any) are being applied in web.xml in both apps? One of the comments in the bugzilla link you posted mentions that

    "Tomcat adds the respective caching headers to the HTTP header automatically if and only if a resource of a webapp is being accessed for which a user data constraint of CONFIDENTIAL has been set."
  3. Apr 2nd, 2006, 07:18 PM #3
    paulnw
    paulnw is offline Junior Member
    Join Date
    Apr 2006
    Posts
    6

    Default

    Thanks for responding. At this point, I'll take any suggestions - specific or otherwise. I looked over the web.xml files for both applications as well as the default for the server, and cannot find anything referencing a security-constraint, confidential or otherwise.

    Just incase, I added a security-constraint with a transport-guarantee value of NONE to my webapp w/ no effect.

    I did temporarily remove Acegi from the app, and had the exact same headers for pages loaded with both http:// and https:// so Acegi would appear to not be the issue. Interesting enough though before the original post I'd written a small filter to set the offending headers to IE friendly values, and it had no effect - the values would not sitck, so I commented that out of the applications web.xml file. While I had Acegi temporarily removed this time around, I re-added that filter, and the headers were finally what they should be - it worked.

    I'd tend to think this is a tomcat issue, but I have a webapp (struts though) that works on this box w/o problem.

    Here are my Acegi entries in web.xml:
    Code:
      <filter>
  	<filter-name>Acegi-Channel</filter-name>
  	<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  	<init-param>
  		<param-name>targetClass</param-name>
  		<param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value>
  	</init-param>
  </filter>
  
  <filter> 
    <filter-name>Acegi Security System for Spring HTTP Session Integration Filter</filter-name> 
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> 
    <init-param> 
      <param-name>targetClass</param-name> 
      <param-value>org.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value> 
    </init-param> 
  </filter> 

  <filter>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value> 
    </init-param>
  </filter>

  <filter>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetBean</param-name>
      <param-value>securityEnforcementFilter</param-value>
    </init-param>
  </filter>

  <filter>
    <filter-name>Acegi HTTP Request Security Interceptor</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetBean</param-name>
      <param-value>filterInvocationInterceptor</param-value>
    </init-param>
  </filter>


  <filter-mapping>
  	<filter-name>Acegi-Channel</filter-name>
  	<url-pattern>/*</url-pattern>
  </filter-mapping>
  
  <filter-mapping> 
    <filter-name>Acegi Security System for Spring HTTP Session Integration Filter</filter-name> 
    <url-pattern>/*</url-pattern> 
  </filter-mapping> 

  <filter-mapping>
    <filter-name>Acegi Authentication Processing Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>Acegi HTTP Request Security Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter-mapping>
    <filter-name>Acegi HTTP Request Security Interceptor</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
    My -security.xml file that configures Acegi:
    Code:
    	<!-- Security Enforcement Filter - - decide what is supposed to be secured -->
	<bean id="securityEnforcementFilter"
    	  class="org.acegisecurity.ui.ExceptionTranslationFilter">
    	<property name="authenticationEntryPoint">
	      <ref bean="authenticationEntryPoint"/>
    	</property>
	</bean>
	
	
	<bean id="authenticationProcessingFilter" 
		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
		<property name="filterProcessesUrl">
			<value>/j_acegi_security_check</value>
		</property>
		<property name="authenticationFailureUrl">
			<value>/adminlogin.jsp?failed=true</value>
		</property>
		<property name="defaultTargetUrl">
			<value>/</value>
		</property>
		<property name="authenticationManager">
			<ref bean="authenticationManager"/>
		</property>
	</bean>

	<!--   Populates the SecurityContextHolder with information obtained from the HttpSession -->
	<bean id="HttpSessionContextIntegrationFilter"
		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
        <property name="context"><value>org.acegisecurity.context.SecurityContextImpl</value></property>
	</bean>								
	
	<bean id="authenticationEntryPoint" 
			class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
		<property name="loginFormUrl">
			<value>/adminlogin.jsp</value>
		</property>
		<property name="forceHttps"><value>true</value></property>
	</bean>
	

  <!-- = = = = = = = = SECURITY INTERCEPTOR = = = = = = = = -->  
	<bean id="filterInvocationInterceptor"
		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager">
			<ref bean="authenticationManager"/>
		</property>
		<property name="accessDecisionManager">
			<ref bean="accessDecisionManager"/> 
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
 				/admin/**=ROLE_ADMINISTRATOR
			</value>
		</property>
	</bean>
	
	
	<!--  Called from web.xml filter, ensures secure/insecure url -->
 	<bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				\A/admin/.*\Z=REQUIRES_SECURE_CHANNEL
				\A/adminlogin.jsp\Z=REQUIRES_SECURE_CHANNEL
				\A/adminlogin.*\Z=REQUIRES_SECURE_CHANNEL
				\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
				\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
				\A/.*\Z=REQUIRES_INSECURE_CHANNEL
			</value>
		</property>
		<property name="channelDecisionManager">
			<ref bean="channelDecisionManager"/>
		</property>
	</bean>
	
	<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
		<property name="channelProcessors">
			<list>
				<ref bean="secureChannelProcessor" />
				<ref bean="insecureChannelProcessor" />
			</list>
		</property>
	</bean>
	
	<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor" />
	<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor" />

	
	<!--  =================== AUTHENTICATION ================================ -->
	<bean id="authenticationManager"
		class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<ref bean="daoAuthenticationProvider" />
		</property>
	</bean>
	

	<bean id="daoAuthenticationProvider" 
		class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService">
			<ref bean="userDetailsService" />
		</property>
	</bean>
	
	
	<!-- Declare authenticationDao, which does actual authentication.  Uses JdbcDaoImpl -->
	<bean id="userDetailsService" 
		class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource">
			<ref bean="dataSource" />
		</property>
		<property name="usersByUsernameQuery">
			<value><snipped></value>
		</property>
		<property name="authoritiesByUsernameQuery">
			<value><snipped></value>
		</property>
	</bean>
	
	
	<!--  =================== AUTHORIZATION ================================ -->
	<!-- Configure an Access Decision Manager -->
	<bean id="accessDecisionManager" 
		class="org.acegisecurity.vote.UnanimousBased">
		<property name="allowIfAllAbstainDecisions">
			<value>false</value>
		</property>
		<property name="decisionVoters">
			<list><ref bean="roleVoter"/></list>
		</property>
	</bean>
	
	<!-- Configure the Role Voter -->
	<bean id="roleVoter"
		class="org.acegisecurity.vote.RoleVoter" />

</beans>
    Just to clarify my OP, the 'linked content' is an <img> tag displaying the company logo on a variety of secure pages. Tomcat 5.5.9, JDK 1.5.0_04, Acegi 1.0RC2.

    If it might help I can post the server.xml for my dev box, though it's pretty basic. Thanks again,

    Paul
    Last edited by paulnw; Apr 2nd, 2006 at 10:45 PM.
  4. Apr 4th, 2006, 03:52 AM #4
    paulnw
    paulnw is offline Junior Member
    Join Date
    Apr 2006
    Posts
    6

    Default

    I found the problem and can now apply a fix. It finally dawned on me that the secure pages I was having problems with - I had thought it was all of them - were form controller backed pages. I did not know, but AbstractFormController (and SimpleFormController) in its constructor calls setCacheSeconds(0), a method inherited from WebContentGenerator. This in turn sets the offending headers. Calling this same method w/ a value of -1 in my own constructor removes the headers - though I still have to disable caching w/o cratering IE.

    Thanks again, Paul
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules