Multiple login pages and authentication

**a1slam** · Aug 10th, 2006, 11:00 AM

Hi, I'm new to acegi and need help on implementing a webapp that requires two login pages and authentication. One for users and another for adminstrators. I've tried using the FilterChainProxy bean to chain in different AuthenticationProcessingFilter's and ExceptionTranslationFilter's based on the url but have come across a stumbling block. Although the application renders the correct login page it fails with a http 404 error stating that the j_acegi_security_check or j_acegi_security_check_admin resources are not available

Below is the config that I'm using

web.xml

Code:

	<!-- Install the Acegi filter -->
	<filter>
	  <filter-name>Acegi Filter Chain Proxy</filter-name>
	  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
	  <init-param>
		<param-name>targetClass</param-name>
	<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
	  </init-param>
	</filter>

	
	<filter-mapping>
	  <filter-name>Acegi Filter Chain Proxy</filter-name>
	  <url-pattern>/*</url-pattern>
	</filter-mapping>

</web-app>

and

applicationContext-acegi-security.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">


<beans>

	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/admin/**=adminAuthenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,adminExceptionTranslationFilter,filterInvocationInterceptor
				/student/**=authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
			</value>
		</property>
	</bean>

	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

	<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
		<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
		<constructor-arg>
			<list>
				<ref bean="rememberMeServices"/>
				<bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
			</list>
		</constructor-arg>
	</bean>

	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
		<property name="defaultTargetUrl" value="/"/>
		<property name="filterProcessesUrl" value="/j_acegi_security_check"/>
		<property name="rememberMeServices" ref="rememberMeServices"/>
	</bean>
	
	<bean id="adminAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="authenticationFailureUrl" value="/adminlogin.jsp?login_error=1"/>
		<property name="defaultTargetUrl" value="/admin/home.jsp"/>
		<property name="filterProcessesUrl" value="/admin/j_acegi_security_check_admin"/>
		<property name="rememberMeServices" ref="rememberMeServices"/>
	</bean>	
   
	<bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>

	<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="rememberMeServices" ref="rememberMeServices"/>
	</bean>

	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
		<property name="key" value="changeThis"/>
		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
	</bean>

	<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
				<property name="loginFormUrl" value="/login.jsp"/>
				<property name="forceHttps" value="false"/>
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/accessDenied.jsp"/>
			</bean>
		</property>
	</bean>
	
	<bean id="adminExceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
				<property name="loginFormUrl" value="/adminlogin.jsp"/>
				<property name="forceHttps" value="false"/>
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/accessDenied.jsp"/>
			</bean>
		</property>
	</bean>	

	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="accessDecisionManager">
			<bean class="org.acegisecurity.vote.AffirmativeBased">
				<property name="allowIfAllAbstainDecisions" value="false"/>
				<property name="decisionVoters">
					<list>
						<bean class="org.acegisecurity.vote.RoleVoter"/>
						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
					</list>
				</property>
			</bean>
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/images/**=IS_AUTHENTICATED_ANONYMOUSLY	
				/student/**=ROLE_USER	
				/admin/**=ROLE_SUPERVISOR
			</value>
		</property>
	</bean>

	
	<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
		<property name="userDetailsService" ref="userDetailsService"/>
		<property name="key" value="changeThis"/>
	</bean>

	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref local="daoAuthenticationProvider"/>
				<ref local="adminDaoAuthenticationProvider"/>
				<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
					<property name="key" value="changeThis"/>
				</bean>
				<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
					<property name="key" value="changeThis"/>
				</bean>
			</list>
		</property>
	</bean>

	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="userDetailsService"/>
		<property name="userCache">
			<bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
				<property name="cache">
					<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
						<property name="cacheManager">
							<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
						</property>
						<property name="cacheName" value="userCache"/>
					</bean>
				</property>
			</bean>
		</property>
	</bean>

	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
	<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
		<property name="userProperties">
			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
				<property name="location" value="/WEB-INF/users.properties"/>
			</bean>
		</property>
	</bean>
	
	<bean id="adminDaoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService" ref="adminUserDetailsService"/>
		<property name="userCache">
			<bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
				<property name="cache">
					<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
						<property name="cacheManager">
							<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
						</property>
						<property name="cacheName" value="userCache"/>
					</bean>
				</property>
			</bean>
		</property>
	</bean>
		
	<!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
	<bean id="adminUserDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
		<property name="userProperties">
			<bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
				<property name="location" value="/WEB-INF/users.properties"/>
			</bean>
		</property>
	</bean>	

	<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

</beans>

Does anyone know what I am doing wrong or of another other approach to solving this problem?

Thanks in advance

**icetbr** · Aug 21st, 2006, 01:21 PM

Giving a bump on this post because I'm trying to do the same thing here. I need a different login page for admin and for normal users.

**a1slam** · Aug 22nd, 2006, 04:49 AM

Actually I've managed to fix the problem with my webapp. The filterProcessesUrl needs to point to the domain plus the security check string e.g. /admin/j_acegi_security_check_admin

Below are the changes that I made to the applicationContext-acegi-security.xml file (web.xml is the same)

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">


<beans>

 <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
   <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /admin/**=httpSessionContextIntegrationFilter,adminAuthenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,adminExceptionTranslationFilter,filterInvocationInterceptor
    /student/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
   </value>
  </property>
 </bean>

 <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

 <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationFailureUrl" value="/loginError.jsp"/>
  <property name="defaultTargetUrl" value="/"/>
  <property name="filterProcessesUrl" value="/student/j_acegi_security_check"/>
 </bean>
 
 <bean id="adminAuthenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="authenticationFailureUrl" value="/adminLoginError.jsp"/>
  <property name="defaultTargetUrl" value="/admin/home.jsp"/>
  <property name="filterProcessesUrl" value="/admin/j_acegi_security_check_admin"/>
 </bean> 
   
 <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/>


 <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="changeThis"/>
  <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
 </bean>

 <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
   <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/login.jsp"/>
    <property name="forceHttps" value="false"/>
   </bean>
  </property>
  <property name="accessDeniedHandler">
   <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/accessDenied.jsp"/>
   </bean>
  </property>
 </bean>
 
 <bean id="adminExceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
   <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <property name="loginFormUrl" value="/adminLogin.jsp"/>
    <property name="forceHttps" value="false"/>
   </bean>
  </property>
  <property name="accessDeniedHandler">
   <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/accessDenied.jsp"/>
   </bean>
  </property>
 </bean> 

 <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager">
   <bean class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
     <list>
      <bean class="org.acegisecurity.vote.RoleVoter"/>
      <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
     </list>
    </property>
   </bean>
  </property>
  <property name="objectDefinitionSource">
   <value>
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /login.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /loginerror.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /logout.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /adminlogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /adminloginerror.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /adminlogout.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    /images/**=IS_AUTHENTICATED_ANONYMOUSLY 
    /student/**=ROLE_USER 
    /admin/**=ROLE_SUPERVISOR
   </value>
  </property>
 </bean>

 <!--
 <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userDetailsService"/>
  <property name="key" value="changeThis"/>
 </bean>
 -->
 
 <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
   <list>
    <ref local="daoAuthenticationProvider"/>
    <ref local="adminDaoAuthenticationProvider"/>
    <ref local="ldapAuthenticationProvider"/>
    <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
     <property name="key" value="changeThis"/>
    </bean>
    <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
     <property name="key" value="changeThis"/>
    </bean>
   </list>
  </property>
 </bean>

 <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="jdbcDaoImpl"/>
  <property name="userCache">
   <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache">
     <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager">
       <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
      </property>
      <property name="cacheName" value="userCache"/>
     </bean>
    </property>
   </bean>
  </property>
 </bean>

 <bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
   <property name="dataSource"><ref bean="dataSource"/></property>
   <property name="usersByUsernameQuery"><value>SELECT login_id,login_id,1 FROM student WHERE login_id = ?</value></property>
   <property name="authoritiesByUsernameQuery"><value>SELECT login_id,'ROLE_USER' FROM student WHERE login_id = ?</value></property>
 </bean> 
   
 <!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
 <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userProperties">
   <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    <property name="location" value="/WEB-INF/users.properties"/>
   </bean>
  </property>
 </bean>
 
 <bean id="adminDaoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="adminUserDetailsService"/>
  <property name="userCache">
   <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
    <property name="cache">
     <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager">
       <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
      </property>
      <property name="cacheName" value="userCache"/>
     </bean>
    </property>
   </bean>
  </property>
 </bean>
  
 <!-- UserDetailsService is the most commonly frequently Acegi Security interface implemented by end users -->
 <bean id="adminUserDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userProperties">
   <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
    <property name="location" value="/WEB-INF/users.properties"/>
   </bean>
  </property>
 </bean> 
 



 <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
 <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

</beans>

**icetbr** · Aug 22nd, 2006, 08:05 AM

My problem is a bit different. I need to know where the user is logging in from. So, if it is from loginAdmin.jsp, or /j_acegy_security_check_admin was intercepted, the user must have admin role.

The opposite is also true. If the user has admin hole, he cannot login from login.jsp.

What I'm doing is implementing my own AuthenticationProcessingFilter, wich has the user details and the httpRequest. Any other better idea?

thanks

**a1slam** · Aug 22nd, 2006, 10:32 AM

Originally Posted by icetbr

My problem is a bit different. I need to know where the user is logging in from. So, if it is from loginAdmin.jsp, or /j_acegy_security_check_admin was intercepted, the user must have admin role.

The opposite is also true. If the user has admin hole, he cannot login from login.jsp.

What I'm doing is implementing my own AuthenticationProcessingFilter, wich has the user details and the httpRequest. Any other better idea?

thanks

My solution does involve the admin user and the normal user having different roles. Also the admin user is not able to log in from the normal users login page and vice versa because I'm using different authentication sources which are responsible for assigning the roles

**icetbr** · Aug 22nd, 2006, 12:30 PM

But you're using a different namespace for admin. I'm using the same. So, I NEED to know where the login is comming from.

I've overriden AuthenticationProcessingFilter and it works fine, just wondering how could I do better.

**MrBurns** · Mar 15th, 2007, 04:52 PM

Hi I need similar functionality...so that I can log the user back out etc. to the correct area etc. Could you give an example of what you did?

Thanks for any help,

CMB.

Thread: Multiple login pages and authentication

Thread Tools

Display

Multiple login pages and authentication

problem solved

Overriding AuthenticationProcessingFilter

Posting Permissions