-
Feb 15th, 2007, 02:40 PM
#1
Acegi Programmatic Authentication
Hi all (first post),
Sorry if this is a rehash of a common issue but I'm not finding any good answers in the archives.
I've got a Hibernate/Spring/SpringMVC setup using Acegi for authentication.
So far the 'login' scenario is fine - Acegi is correctly granting/denying access to users based upon their credentials. Now I also have a registration flow during which I add the user's creds to the database and then attempt to do programmatic Acegi authentication of the user. I'm doing the following to no avail:
Authentication auth;
GrantedAuthority[] ga = {new GrantedAuthorityImpl("ROLE_USER")};
auth = new UsernamePasswordAuthenticationToken(user.getEmail(), user.getPassword(), ga);
SecurityContextHolder.getContext().setAuthentication(auth);
That is, when I try to access protected resources after registration, I'm still redirected to the login page, when instead I would expect to have already been programmatically authenticated. Any tips on where to look next?
When trying to access the protected resource the log displays:
2007-02-15 12:59:56,015 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder
There is no HTTPS/HTTP switching going on BTW.
Thanks, Daniel.
Last edited by danieljsanders; Feb 15th, 2007 at 03:11 PM.
-
Feb 15th, 2007, 04:39 PM
#2
There are quite a few threads on programmatic authentication already, it might be worth doing a search. A few questions. Is the email address used as the username? The code looks ok. I would guess the problem is the Authentication isn't getting put into the session. Wouldn't it be easier after registration to simply post to the authentication filter just like the login.jsp page does in the tutorial example? I would have thought this would be quite neat. Otherwise, is it possible to up the logging to see what is going on?
-
Feb 15th, 2007, 04:41 PM
#3
Hi Karl, thanks.
>>Is the email address used at the username?
Yes.
-
Feb 15th, 2007, 07:14 PM
#4
Hi again Karl,
Well I started looking thru the Acegi source code and then decided to try this in my controller:
request.getSession().setAttribute("ACEGI_SECURITY_CONTEXT", context);
...and it indeed causes the security context to be retained in the session and the functionality appears correct - after registration the user remains 'authenticated'.
So it appears that previously the context was not being set into the session as an attribute. Authentication was being set on the context, but context was not being put into the Http Session - now it is - explicitly in my controller code. Is this a no-no?
My next question is 'What actually causes the SecurityContext to be saved in the session?' So I can work out why that's not happening and remove my 'bad' code...
Thanks, Daniel.
Last edited by danieljsanders; Feb 15th, 2007 at 08:33 PM.
-
Feb 16th, 2007, 02:13 AM
#5
I think HttpSessionContextIntegrationFilter is what you're after.
http://www.acegisecurity.org/multipr...ionFilter.html
-
Feb 16th, 2007, 12:14 PM
#6
Thanks Karl. I do have the following in the Acegi config file, I'm not entirely clear on what I've done wrong here...
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
Last edited by danieljsanders; Feb 16th, 2007 at 12:20 PM.
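The programmatic login discussed in this thread, as an added example (not code from any poster or from the Acegi project). The class and method names are hypothetical, and it assumes Acegi 1.0.x with the application's AuthenticationManager bean injected; the session rotation is an added hardening step the thread does not discuss.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.HttpSessionContextIntegrationFilter;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/** Hypothetical helper (name assumed) called by the registration controller. */
public class RegistrationLoginHelper {

    // Assumption: the same AuthenticationManager bean the login form uses.
    private AuthenticationManager authenticationManager;

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Authentication loginAfterRegistration(HttpServletRequest request,
                                                 String email, String rawPassword) {
        // Two-argument constructor: the token starts unauthenticated, so the
        // manager checks it against the stored credentials and loads the
        // authorities itself. Throws AuthenticationException on failure.
        Authentication result = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(email, rawPassword));

        // Added hardening, not discussed in the thread: drop the pre-login
        // session so its id is not carried into the authenticated session.
        // Copy out any attributes the flow still needs before this point.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);

        SecurityContext context = SecurityContextHolder.getContext();
        context.setAuthentication(result);

        // Same attribute the filter reads at the start of each request;
        // using the constant avoids a typo in "ACEGI_SECURITY_CONTEXT".
        session.setAttribute(
                HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY, context);
        return result;
    }
}
```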