
Thread: Cannot set up a custom Access Denied error page using X509 Authentication

  1. #1
    Cannot set up a custom Access Denied error page using X509 Authentication

    Hello Everybody!

    First of all, thank you for this great project. It deserves its reputation and it is really useful. And now the "please, please help me" part.

    I am developing an application that needs to authenticate users with X509 client certificates but also allows users without a certificate to perform certain actions. The problem is that I cannot make Acegi show a custom 403 page: no matter what I configure in the exceptionTranslationFilter, Tomcat's default 403 page is what comes back.

    Here's my applicationContext-acegi-security.xml:

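    <beans>

        <!-- Acegi 1.0.x configuration for an application that authenticates callers by
             X.509 client certificate but also lets certificate-less (anonymous) callers
             reach some URLs.  The filter order below is the one the Acegi reference
             recommends: channel check, session context, the X.509 and anonymous
             authentication filters, exception translation, and finally URL authorisation. -->
        <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=channelProcessingFilter,httpSessionContextIntegrationFilter,x509ProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
                </value>
            </property>
        </bean>

        <!-- Providers are consulted in list order; the first one that supports the
             token type decides. -->
        <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="x509AuthenticationProvider"/>
                    <ref local="anonymousAuthenticationProvider"/>
                </list>
            </property>
        </bean>

        <!-- Stores the SecurityContext in the HTTP session between requests and
             restores it at the start of each request. -->
        <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
        </bean>

        <!-- Turns the certificate delivered by x509ProcessingFilter into a UserDetails
             via the populator; successful lookups are cached in x509UserCache. -->
        <bean id="x509AuthenticationProvider" class="org.acegisecurity.providers.x509.X509AuthenticationProvider">
            <property name="x509AuthoritiesPopulator"><ref local="x509AuthoritiesPopulator"/></property>
            <property name="x509UserCache"><ref local="x509UserCache"/></property>
        </bean>

        <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

        <!-- NOTE(review): a cached entry outlives changes to the user store (roles,
             disabled flag) until it expires, so keep the x509Cache time-to-live short. -->
        <bean id="x509UserCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager">
                <ref local="cacheManager"/>
            </property>
            <property name="cacheName">
                <value>x509Cache</value>
            </property>
        </bean>

        <bean id="x509UserCache" class="org.acegisecurity.providers.x509.cache.EhCacheBasedX509UserCache">
            <property name="cache"><ref local="x509UserCacheBackend"/></property>
        </bean>

        <!-- Extracts the username from the certificate's subject DN and loads it from
             the UserDetailsService.  NOTE(review): the populator's default subjectDNRegex
             is, as far as I recall, "CN=(.*?)," which requires a comma AFTER the CN; if
             the CN is the last RDN of your subject, set subjectDNRegex explicitly or the
             lookup will fail and the caller falls through to anonymous. -->
        <bean id="x509AuthoritiesPopulator" class="org.acegisecurity.providers.x509.populator.DaoX509AuthoritiesPopulator">
            <property name="userDetailsService"><ref local="inMemoryDaoImpl"/></property>
            <!-- <property name="subjectDNRegex"><value>emailAddress=(.*?),</value></property> -->
        </bean>

        <!-- Any request that reaches this point without an Authentication gets an
             anonymous token carrying ROLE_ANONYMOUS.  The key only ties this filter to
             anonymousAuthenticationProvider inside the JVM, but it should still be a
             random, non-guessable value rather than a placeholder such as "foobar",
             and it must be identical in both beans. -->
        <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
            <property name="key"><value>foobar</value></property>
            <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
        </bean>

        <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
            <property name="key"><value>foobar</value></property>
        </bean>

        <!-- Test-only user store.  InMemoryDaoImpl's userMap is parsed as Java properties,
             one "username=password,ROLE_A[,ROLE_B][,enabled|disabled]" entry per line.
             The original line "administrator,ROLE_ADMIN" contains no '=' and therefore no
             password/authority part, so the entry appears to be dropped without an error
             and a certificate whose CN is "administrator" is never found; that shows up as
             the caller being authenticated as anonymous.  The password is never checked
             for certificate logins, but the field has to be present. -->
        <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
            <property name="userMap">
                <value>
                    administrator=notused,ROLE_ADMIN
                </value>
            </property>
        </bean>

        <!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->

        <!-- Every URL must be served over HTTPS; a plain-HTTP request is redirected to
             its https equivalent by the secure channel processor.  Client certificates
             are only available on a TLS connection anyway. -->
        <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
            <property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    \A.*\Z=REQUIRES_SECURE_CHANNEL
                </value>
            </property>
        </bean>

        <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
            <property name="channelProcessors">
                <list>
                    <ref local="secureChannelProcessor"/>
                    <ref local="insecureChannelProcessor"/>
                </list>
            </property>
        </bean>

        <bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/>
        <bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/>

        <!-- ===================== HTTP REQUEST SECURITY ==================== -->

        <!-- Translates AccessDeniedException / AuthenticationException thrown further down
             the chain into an HTTP response.  NOTE(review): in Acegi 1.0.x the
             accessDeniedHandler is only used when the caller is already authenticated
             (here: presented a valid client certificate).  For an ANONYMOUS caller an
             AccessDeniedException is treated as "must authenticate first" and is sent to
             the authenticationEntryPoint instead; X509ProcessingFilterEntryPoint answers
             that with response.sendError(403), which is why the container's own 403 page
             appears instead of /accessDenied.jsp.  For certificate-less users the custom
             page therefore has to be wired through web.xml's error-page mapping for
             error-code 403 (see the rest of this thread); this handler only covers
             certificate holders who lack the required role. -->
        <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint"><ref local="x509ProcessingFilterEntryPoint"/></property>
            <property name="accessDeniedHandler">
                <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                    <property name="errorPage" value="/accessDenied.jsp"/>
                </bean>
            </property>
        </bean>

        <!-- Picks up the client certificate the servlet container stored in the
             javax.servlet.request.X509Certificate request attribute and hands it to the
             authenticationManager.  Certificate validation itself (chain to a trusted CA,
             expiry, revocation) is the container's job: the HTTPS connector needs a trust
             store and optional client authentication (e.g. Tomcat's clientAuth="want") so
             that certificate-less callers still get through to the anonymous filter.
             Nothing in this chain re-validates the certificate. -->
        <bean id="x509ProcessingFilter" class="org.acegisecurity.ui.x509.X509ProcessingFilter">
            <property name="authenticationManager"><ref local="authenticationManager"/></property>
        </bean>

        <bean id="x509ProcessingFilterEntryPoint" class="org.acegisecurity.ui.x509.X509ProcessingFilterEntryPoint">
        </bean>

        <!-- AffirmativeBased: a single ACCESS_GRANTED vote is enough.
             allowIfAllAbstainDecisions=false means a URL whose config attributes no voter
             understands is denied rather than silently opened; keep it that way. -->
        <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
            <property name="allowIfAllAbstainDecisions"><value>false</value></property>
            <property name="decisionVoters">
                <list>
                    <ref bean="roleVoter"/>
                </list>
            </property>
        </bean>

        <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

        <!-- URL authorisation.  With CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON the request
             path is lowercased before it is matched, so the patterns themselves must be
             written in lowercase (only the regex anchors \A and \Z stay uppercase); the
             original "\A/accessDenied.jsp\Z" could never match a lowercased path.
             URLs that match no pattern are public (rejectPublicInvocations defaults to
             false), which is what lets certificate-less callers use the rest of the
             application; every URL that needs protection must be listed here.
             Listing /accessdenied.jsp as ROLE_ANONYMOUS means a certificate holder who
             requests it directly is refused; the forward done by AccessDeniedHandlerImpl
             does not pass through the filter chain again, so the handler itself still
             works. -->
        <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
            <property name="authenticationManager"><ref local="authenticationManager"/></property>
            <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
            <property name="objectDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    \A/index.jsp\Z=ROLE_ADMIN
                    \A/accessdenied.jsp\Z=ROLE_ANONYMOUS
                </value>
            </property>
        </bean>

    </beans>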
    Maybe I am doing something stupid, but I am really new to Acegi, and although I have read the Reference Guide I cannot tell whether something is wrong here...

    Thanks in advance

  2. #2

    If you want to supply a custom error page for a status code such as 403, you can simply declare an error-page mapping in web.xml:
    http://wiki.metawerx.net/Wiki.jsp?pa....xml.ErrorCode

  3. #3

    Hi!

    Thanks for the info, but I had already tried that and it is not the most suitable solution for me: I am using SiteMesh to decorate the pages, this page needs to be decorated as well, and with that technique it does not get decorated. Is this the only way to do it?

    Thanks

  4. #4

    Solved!

    It was a problem with the configuration of Sitemesh. Thanks for everything!

  5. #5

    Not a problem, you beat me to the answer. Glad you got it working!

  6. #6

    Another question (I know I should open a new thread, but if you happen to know the answer it will be quick):

    I cannot get the user resolved through the InMemoryDaoImpl, even though the CN in the certificate I send is the username I put in the userMap. Do you know what could be wrong? It always authenticates me as an anonymous user.

  7. #7

    Any chance you could post your solution to the original problem as another user emailed me to see how you solved it.

  8. #8

    Hi!

    This is how you enable SiteMesh for error pages. The SiteMesh filter-mapping in web.xml has to be declared with the dispatcher types that error handling goes through, like this:

    <!-- SiteMesh has to run not only for direct requests but also for FORWARD
         dispatches (AccessDeniedHandlerImpl reaches the error page through a
         RequestDispatcher forward) and for ERROR dispatches (the container's
         error-page mapping for a 403 status), otherwise the error page is rendered
         undecorated.  A filter-mapping with no dispatcher elements applies to
         REQUEST only; the dispatcher element needs a Servlet 2.4 or later web.xml. -->
    <filter-mapping>
    	<filter-name>sitemesh</filter-name>
    	<url-pattern>/*</url-pattern>
    	<dispatcher>REQUEST</dispatcher>
    	<dispatcher>FORWARD</dispatcher>
    	<dispatcher>ERROR</dispatcher>
    </filter-mapping>
    You also have to add the web.xml error-page mapping for error code 403 that you pointed me to, and put this line at the top of the error page:

    <%-- Marks this JSP as an error page: the container may forward to it from an
         error-page mapping and exposes the implicit "exception" object.  Keep the
         page generic and do not print exception.getMessage() or a stack trace to
         the client; a caller without a certificate should not learn those details. --%>
    <%@ page isErrorPage="true" %>
    Also, the other problem I had is solved too.

  9. #9

    Any chance you could post the solution to that one as well? I'd sooner not get more emails about it.

  10. #10

    Well, to solve that I wrote my own UserDetailsService on top of Hibernate, because the project needs it anyway. The InMemoryDaoImpl was only used to check that DaoX509AuthoritiesPopulator works (and it does). So I did not really solve that problem; I took a different approach.
