filterInvocationInterceptor #NONE#

[meshenka]

I'm using acegi 1.0.2 with spring-2.0 final.

i recently saw this: http://www.mail-archive.com/acegisec.../msg02206.html

a nice way to skip some authorization checks

unfortunatly this config did wrong:

Code:

	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager"><ref bean="authenticationManager"/></property>
		<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			    PATTERN_TYPE_APACHE_ANT
			    /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ROOT
			    /costing/**=ROLE_ROOT,ROLE_MODEL_ADMIN
			    /admin/label/**=ROLE_LABEL_ADMIN,ROLE_ROOT
			    /pages/css/*=#NONE#
			    /pages/js/*=#NONE#
			    /pages/i/*=#NONE#
			    /index.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ROOT			    
				/**=ROLE_USER,ROLE_ROOT
			</value>
		</property>
	</bean>

Code:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterInvocationInterceptor' defined in ServletContext resource [/WEB-INF/applicationContext-acegi.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [#NONE#]
	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1032)
	org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:420)
	org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:245)
	org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:141)
	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:242)
	org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
	org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:646)
	org.acegisecurity.util.FilterChainProxy.obtainAllDefinedFilters(FilterChainProxy.java:220)
	org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:135)
	org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)

where did i fail?

[Marten Deinum]

You didn't read the message from Ben Alex correctly.

Ben Alex:
Simply edit your FilterChainProxy.filterInvocationDefinitionSource property so that /images/*=#NONE#. If you look at FilterChainProxy, it has a public static final String field named TOKEN_NONE which equals #NONE#. This has special meaning to FilterChainProxy and is useful in forcing particular patterns to be skipped.

He states that you should edit the filterInvocationDefinitionSource property on the FilterChainProxy object. However you are doing things to the objectDefinitionSource of the FilterSecurityInterceptor which are clearly different things.

However somewhere in your configuration you must have something like the following:

Code:

<property name="filterInvocationDefinitionSource">
    <value>                    
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,channelProcessingFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,requestWrappingFilter
    </value>
</property>

Add the lines containing #NONE# to that list to make it look like to following. This simple states that filter nothing for /pages/css etc and filter everything else.

Code:

<property name="filterInvocationDefinitionSource">
    <value>                    
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /pages/css/*=#NONE#
        /pages/js/*=#NONE#
        /pages/i/*=#NONE#
        /**=httpSessionContextIntegrationFilter,channelProcessingFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,requestWrappingFilter
    </value>
</property>

[meshenka]

my bad, works like a charm



thanks dude

[thusi02]

Hi,

Can you show me what you did. Cause I have the following:

<!-- This file handle the security configuration management provided by Acegisecurity -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/resources/css/*=#NONE#
/resources/js/*=#NONE#
/pages/css/*=#NONE#
/css/*=#NONE#
/**=httpSessionContextIntegrationFilter,logoutFilte r,casProcessingFilter,anonymousProcessingFilter,se curityContextHolderAwareRequestFilter,exceptionTra nslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>

and ...

<!-- Setup Acegi security - session and authentication bits -->
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecur ityInterceptor"
parent="parentFilterInvocationInterceptor">
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=ROLE_ANONYMOUS
</value>
</property>
</bean>


But no matter where I put my css I keep getting 404's can't locate the css files.

This is my structure on tomcat:

webapp:
- css
- test.css
-WEB-INF
- bunch of stuff

I can't seem to load test.css.

Any thoughts.
Nathan.

[Luke Taylor]

This isn't the same thing. Adding or removing security constraints shouldn't cause 404s. Make sure your app works without Spring Security enabled first.

[thusi02]

Hi,

Thanks for the reply. It doesn't cause 404 on the whole application. Once I add the constraints I try to visit the css file file on its own and it gives me a 404. Which means that the css is not accessible. My application works fine, just doesn't know where the h**l my css files are. It seems the FilterChainProxy isn't ignoring the css files. Where exactly are the CSS files suppose to be in the application?

Currently I have it in:

TOMCATdIR\webapps\app1\
css\test.css
WEB-INF\rest of the stuff

my FilterChainProxy again is as follows:

<!-- This file handle the security configuration management provided by Acegisecurity -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/resources/css/**=#NONE#
/resources/js/**=#NONE#
/pages/css/**=#NONE#
/css/**=#NONE#
/**/*.css=#NONE#
/**=httpSessionContextIntegrationFilter,logoutFilte r,casProcessingFilter,anonymousProcessingFilter,se curityContextHolderAwareRequestFilter,exceptionTra nslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>

In the URL when I type:
https://server/app1/css/test.css

It should go and view the css file is my understanding?

Cheers,
Nathan.

[Luke Taylor]

That should be the case, yes.

The FilterChainProxy won't return a 404 code, and neither will anything else within Spring Security that I can think of, so that must be coming from your container.

Presumably you've checked the debug log? It should be pretty clear from there what Spring Security is doing for each request and the access log for tomcat should confirm what the 404 is for.

[thusi02]

Hi Luke,

So I found out some more info. So basically the problem why all my css/js files are getting 404's is because of my servlet-mapping. I have the following in my web.xml.

<servlet-mapping>
<servlet-name>test</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

Now so any page that comes in, it sends to the DispatcherServlet, this includes css and js files. I can put another servlet mapping for the default for say /css/** but I'd rather let acegi deal with in.

I have the following FilterChainProxy:

<!-- This file handle the security configuration management provided by Acegisecurity -->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/css/**=#NONE# /**=httpSessionContextIntegrationFilter,logoutFilte r,casProcessingFilter,anonymousProcessingFilter,se curityContextHolderAwareRequestFilter,exceptionTra nslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>

The problem is this "excpetion" to the proxychain is not being picked up. In my debug statements I get:

Code:

2009-03-13 16:58:32,241 [DEBUG] org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap  - Candidate is: '/css/test.css'; pattern is /css/**; matched=true
2009-03-13 16:58:32,241 [DEBUG] org.hibernate.jdbc.AbstractBatcher  - preparing statement
2009-03-13 16:58:32,242 [DEBUG] org.hibernate.type.StringType  - binding 'anonymous' to parameter: 1
2009-03-13 16:58:32,242 [DEBUG] org.springframework.orm.hibernate3.support.OpenSessionInViewFilter  - Opening single Hibernate Session in OpenSessionInViewFilter
2009-03-13 16:58:32,242 [DEBUG] org.springframework.orm.hibernate3.SessionFactoryUtils  - Opening Hibernate Session
2009-03-13 16:58:32,242 [DEBUG] org.hibernate.impl.SessionImpl  - opened session at timestamp: 12369887122
2009-03-13 16:58:32,242 [DEBUG] org.hibernate.impl.SessionImpl  - setting flush mode to: NEVER
2009-03-13 16:58:32,242 [DEBUG] org.springframework.transaction.support.TransactionSynchronizationManager  - Bound value [org.springframework.orm.hibernate3.SessionHolder@8d26dd] for key [org.hibernate.impl.SessionFactoryImpl@1ec73d9] to thread [http-8443-2]
2009-03-13 16:58:32,242 [DEBUG] org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap  - Converted URL to lowercase, from: '/test/css/test.css'; to: '/test/css/test.css'
2009-03-13 16:58:32,241 [DEBUG] org.acegisecurity.util.FilterChainProxy  - /css/test.css has an empty filter list
2009-03-13 16:58:32,243 [DEBUG] org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap  - Candidate is: '/test/css/test.css'; pattern is /**; matched=true
2009-03-13 16:58:32,244 [DEBUG] org.springframework.web.servlet.DispatcherServlet  - Testing handler map [org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping@5b77c] in DispatcherServlet with name 'portal'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'httpSessionContextIntegrationFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'logoutFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'casProcessingFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'anonymousProcessingFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'securityContextHolderAwareRequestFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'exceptionTranslationFilter'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.beans.factory.support.DefaultListableBeanFactory  - Returning cached instance of singleton bean 'filterInvocationInterceptor'
2009-03-13 16:58:32,245 [DEBUG] org.acegisecurity.util.FilterChainProxy  - /test/css/test.css at position 1 of 7 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@1ddfb6a'
2009-03-13 16:58:32,245 [DEBUG] org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping  - Looking up handler for [/css/test.css]

Two things to look for in the logs is:

It matches the pattern of /css/** as the candidate, however it comes down and says:

2009-03-13 16:58:32,241 [DEBUG] org.acegisecurity.util.FilterChainProxy - /css/test.css has an empty filter list

Not quite sure. All I want is acegi to ignore all css/js files. Do I need to define something else where perhaps in my FilterSecurityInterceptor do I need to have something like /css/**=ROLE_ANONYMOUS? I tried that too but no luck.

Your help would be MUCH appreciated.

Cheers,
Nathan.