
Thread: Using Acegi

  1. #1
    Join Date
    Aug 2006
    Posts
    236


    Hi All

    I've been working on re-vamping my final year project using Spring. I'm now looking into security and thought about using Acegi for securing the application.

    The project is broken into two "components". Component 1 contains a layered module that connects to a database and contains the service layer for clients to use. The second part is the web component. Now the question I have (probably more of an architectural question, I think) is: do I place the Acegi stuff in component 1, or do I create the bean definition in the web part?

    Not sure if that made sense...please let me know if you need more info.


    Thanks

  2. #2
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424


    Personally I think you need both. FilterSecurityInterceptor for the web tier and MethodSecurityInterceptor for the service layer. If you have any more details on what you are trying to do, post back and I'll try and help some more.
    http://acegisecurity.org/multiprojec...terceptor.html

  3. #3
    Join Date
    Aug 2006
    Posts
    236


    Hi there! Thanks for getting back to me. Basically here is what I am trying to do:

    Use Acegi to authenticate users into the web application. There is a login page and I want to make sure that the person who is trying to access the application has permission. I'm not sure I can set the authentication levels in Acegi; for example, there are only certain members who can create, update and delete asset details. Now do I set access on the URL level, e.g. restrict access using filters based on the URL (createAsset.do), or do I set it up on the method invocation level, which would mean that it would reside on the backend component level?

    You mentioned that I should apply it to both parts, but if I apply it to the model component then does it mean I would need to set something up in the web part?


    Not sure if that helps, but I can give more info.

    Thanks

  4. #4
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424


    Have you had a look at the acegi-security-sample-tutorial example that ships with Acegi? This already covers the logon and URL securing you are after. So this covers your basic /secureURL.do style security. If you also declare method based security on your service layer then this covers all aspects of it.
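
The two layers discussed in posts #2 to #4, shown as an added example that is not part of the thread or of the Acegi sample application. It is a fragment for an existing applicationContext.xml and assumes `authenticationManager` and `accessDecisionManager` beans are defined elsewhere; the `.do` URLs other than createAsset.do, the role names, the `assetService` bean and `com.example.AssetService` are hypothetical.

```xml
<!-- Added example. URLs, roles, bean ids and com.example.AssetService are assumptions. -->

<!-- Web tier: URL rules enforced in the filter chain. First matching line wins,
     so the specific create/update/delete rules come before the general one. -->
<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /createasset.do=ROLE_ADMIN
      /updateasset.do=ROLE_ADMIN
      /deleteasset.do=ROLE_ADMIN
      /*.do=ROLE_USER
    </value>
  </property>
</bean>

<!-- Service layer: the same policy expressed per method, so it still holds
     when the service is called by a client other than the web component. -->
<bean id="assetServiceSecurity"
      class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
  <property name="objectDefinitionSource">
    <value>
      com.example.AssetService.create*=ROLE_ADMIN
      com.example.AssetService.update*=ROLE_ADMIN
      com.example.AssetService.delete*=ROLE_ADMIN
      com.example.AssetService.get*=ROLE_USER
    </value>
  </property>
</bean>

<!-- Wraps the hypothetical assetService bean with the method interceptor above. -->
<bean id="assetServiceProxyCreator"
      class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
  <property name="beanNames"><list><value>assetService</value></list></property>
  <property name="interceptorNames"><list><value>assetServiceSecurity</value></list></property>
</bean>
```

The URL rules belong in the web component's context and the method rules in the service component's context; both interceptors can share one authentication manager and one access decision manager.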

  5. #5
    Join Date
    Aug 2006
    Posts
    236


    Hi there

    I'll have a look. I was wondering if you could help with something. I have implemented form-based authentication using the example that is provided in the Acegi documentation. I have used:

    Code:
    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
      <property name="defaultTargetUrl"><value>/</value></property>
      <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
    </bean>
    My question is: when the user has logged in, is there a way to specify where to take the user? Do I need to specify it in the defaultTargetUrl, or is that for something else?

    My form action points to j_acegi_security_check. I presume that is correct. I couldn't find a section that said when login successful take the user to the desired location.

    Thanks again!

  6. #6
    Join Date
    Aug 2006
    Posts
    236


    Hi again

    Not sure if this has been covered. But when the user first logs in, I want him/her to be taken to the main menu page. But when the session expires, the login page needs to be displayed. When the user logs in again, he/she needs to be taken to the original place where they came from. If I put the mainmenu.do in the defaultUrl definition, will the user always be taken to the main menu?

    Apologies if this has been discussed but I couldn't find a response.

    Thanks

  7. #7
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Quote, originally posted by amin:
    "Hi there

    My question is that when the user has logged in is there a way to specify where to take the user? Do I need to specify it in the defaultTargetUrl? or is that for something else?"

    Please try to make use of the online documentation. For example, searching for "defaultTargetUrl acegi" in Google would take you here:

    http://acegisecurity.org/multiprojec...ingFilter.html

    which would answer this question immediately, as well as giving you information on how to specify that you always want to go to a particular URL. Searching the forum for defaultTargetUrl will also give you a lot of different discussions on the use of this property.

  8. #8
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424


    As for the session timeout aspect I would have thought that would be handled for you.

  9. #9
    Join Date
    Aug 2006
    Posts
    236


    I set the session timeout in the web.xml for 3 mins but nothing happened. I refreshed the page and got the same page. Didn't get the login page. Going to search the web now...

  10. #10
    Join Date
    Aug 2006
    Posts
    236


    The other thing I noticed was that I had set up a resource to have the following:

    /secure/test.jsp=ROLE_ADMIN

    And in the user details I had set up

    aminmoco=password,ROLE_USER


    The login component works fine, so if I enter an incorrect username and password then I am directed back to the login page with an error message being displayed. The problem is that I get through the login page to the test.jsp, but that's not right as my access control is ROLE_USER, not ROLE_ADMIN. I've been using the examples from the Acegi sample war and the configuration files are pretty much the same, e.g. they have the necessary bean definitions.

    Not sure what I'm doing wrong. I'll post my applicationContext.xml file when I get home, currently at work.

    Thanks
    Amin
