Thread: Role Problem

  1. #1
    Join Date
    Feb 2007
    Posts
    102

    Role Problem

    There are three groups in my Active Directory with some users:
    GroupAaa: usera
    GroupBbb: userb
    GroupCcc: userc

    In my descriptor springapp-servlet.xml, I set
    Code:
    	<bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
                    /*.do=ROLE_GROUPAAA
    			</value>
    		</property>
    	</bean>
    Everything works very well for the user usera.

    However, when I set
    Code:
    	<bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
                    /*.do=ROLE_GROUPAAA,ROLE_GROUPBBB,ROLE_GROUPCCC
    			</value>
    		</property>
    	</bean>
    My login (usera) is successful (it passes the login page). But then the next page (MainPage.do), or any other page, shows Access Denied.

    I found the following error in my log:
    Code:
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Chain processed normally
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - HttpSession is null, but SecurityContextHolder has not changed from default: ' org.acegisecurity.context.SecurityContextImpl@ffffffff: Null authentication'; not creating HttpSession or storing SecurityContextHolder contents
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - SecurityContextHolder set to new context, as request processing completed
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/MainPage.do'; to: '/MainPage.do'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/MainPage.do'; pattern is /**; matched=true
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 1 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@f631d8'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.context.HttpSessionContextIntegrationFilter] - No HttpSession currently exists - new SecurityContext instance associated with SecurityContextHolder
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 2 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.ui.webapp.AuthenticationProcessingFilter@1427c33'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 3 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.ui.ExceptionTranslationFilter@1e8032c'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.util.FilterChainProxy] - /MainPage.do at position 4 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.intercept.web.FilterSecurityInterceptor@1285e7b'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Converted URL to lowercase, from: '/MainPage.do'; to: '/MainPage.do'
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] - Candidate is: '/MainPage.do'; pattern is /*.do; matched=true
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Secure object: FilterInvocation: URL: /MainPage.do; ConfigAttributes: [ROLE_GROUPAAA, ROLE_GROUPBBB, ROLE_GROUPCCC]
    2007-03-20 16:35:00,971 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
    org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    	at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:339)
    	at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
    	at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:229)
    	at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    	at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
    	at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    	at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
    	at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:342)
    	at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:31)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    	at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:667)
    	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:869)
    	at java.lang.Thread.run(Thread.java:595)
    What's wrong with my ACEGI configuration? Please help.

  2. #2
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    I don't think this is anything to do with the ROLE configuration. It seems the Authentication information isn't there when it's checked. I would have a look at the examples that ship with Acegi and compare your configuration. These kinds of problems are usually related to filters.

  3. #3
    Join Date
    Feb 2007
    Posts
    102

    I mainly follow the code shown in http://documentation.wikia.com/wiki/AcegiMsad

    Above the suggested code, I also add:
    Code:
    	<!-- ****** START ACEGI Security Configuration *******-->
    	<!-- ======================== FILTER CHAIN ======================= -->
    
    	<!--  if you wish to use channel security, add "channelProcessingFilter," in front
    		of "httpSessionContextIntegrationFilter" in the list below -->
    	<bean id="filterChainProxy"
    		class="org.acegisecurity.util.FilterChainProxy">
    		<property name="filterInvocationDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    			</value>
    		</property>
    	</bean>
    
    	<!-- Start Security filter config -->
    	<bean id="exceptionTranslationFilter"
    		class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<ref bean="formLoginAuthenticationEntryPoint" />
    		</property>
    	</bean>
    
    	<!-- Define filter to handle BASIC authentication -->
    	<bean id="basicProcessingFilter"
    		class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="authenticationEntryPoint">
    			<ref bean="authenticationEntryPoint" />
    		</property>
    	</bean>
    
    	<!-- Define realm for BASIC login-->
    	<bean id="authenticationEntryPoint"
    		class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    		<property name="realmName">
    			<value>Spring Web Realm</value>
    		</property>
    	</bean>
    
    	<!-- Define filter to handle FORM authentication -->
    	<bean id="formAuthenticationProcessingFilter"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    		<property name="filterProcessesUrl">
    			<value>/j_acegi_security_check</value>
    		</property>
    		<property name="authenticationFailureUrl">
    			<value>/login.jsp?error=-00001</value>
    		</property>
    		<property name="defaultTargetUrl">
    			<value>/</value>
    		</property>
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    	</bean>
    
    	<!-- Define realm for FORM login-->
    	<bean id="formLoginAuthenticationEntryPoint"
    		class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    		<property name="loginFormUrl">
    			<value>/login.jsp</value>
    		</property>
    		<property name="forceHttps">
    			<value>false</value>
    		</property>
    	</bean>
    
    	<bean id="httpSessionContextIntegrationFilter"
    		class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
    	</bean>
    	<!-- End Security filter config -->
    
    	<!-- Start Security interceptor config -->
    	<!-- Define authentication manager, decision manager and secure URL patterns -->
    	<bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT 
    				/*.do=ROLE_USER
    			</value>
    		</property>
    	</bean>
    	<!-- End Security interceptor config -->
    
    	<!-- Start authentication config -->
    	<bean id="authenticationManager"
    		class="org.acegisecurity.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref bean="authenticationProvider" />
    			</list>
    		</property>
    	</bean>
    
    		<!-- End authentication config -->
    
    	<!-- Start authorization config -->
    	<bean id="accessDecisionManager"
    		class="org.acegisecurity.vote.UnanimousBased">
    		<property name="decisionVoters">
    			<list>
    				<ref bean="roleVoter" />
    			</list>
    		</property>
    	</bean>
    
    	<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
    		<property name="rolePrefix">
    			<value>ROLE_</value>
    		</property>
    	</bean>
    	<!-- End authorization config -->
    And my web.xml contains:
    Code:
    <!-- 
    	 - ACEGI Security Configuration
    	 -->
    	<filter>
    		<filter-name>Acegi Filter Chain Proxy</filter-name>
    		<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    		<init-param>
    			<param-name>targetBean</param-name>
    			<param-value>filterChainProxy</param-value>
    		</init-param>
    	</filter>
    	<filter-mapping>
    		<filter-name>Acegi Filter Chain Proxy</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    Is the above code related to the problem? What's wrong? Thanks.

  4. #4
    Join Date
    Feb 2007
    Posts
    102

    Thanks for your advice. I got the solution. The key is in the bean accessDecisionManager.

    I used UnanimousBased (all roles are fulfilled), so access was denied.
    I switched to AffirmativeBased (any role is fulfilled), so access is allowed.

  5. #5
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    I'm glad it's sorted but I'm confused why that change made it work. It didn't seem related to that at all.

  6. #6
    Join Date
    Feb 2007
    Posts
    102

    When the previous voting method is used and usera accesses an object that is set for GroupAaa, GroupBbb, GroupCcc: usera belongs to GroupAaa but not GroupBbb or GroupCcc, so usera is rejected.
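
The difference between the two decision managers described in posts #4 and #6, as an added example that is not part of the original thread and not Acegi's own code: a simplified Java model of RoleVoter, UnanimousBased and AffirmativeBased. The class and method names are hypothetical, and usera is assumed to be authenticated with only ROLE_GROUPAAA.

```java
import java.util.List;
import java.util.Set;

// Simplified model of Acegi's RoleVoter, UnanimousBased and AffirmativeBased.
// These are stand-in methods, not the org.acegisecurity.vote types.
public class VotingModel {
    static final int GRANTED = 1, ABSTAIN = 0, DENIED = -1;

    // RoleVoter: abstains if no attribute carries the prefix, grants if the
    // user holds any one of the prefixed attributes, otherwise denies.
    static int roleVote(Set<String> authorities, List<String> attributes) {
        int result = ABSTAIN;
        for (String attr : attributes) {
            if (!attr.startsWith("ROLE_")) continue;
            result = DENIED;
            if (authorities.contains(attr)) return GRANTED;
        }
        return result;
    }

    // UnanimousBased: polls the voter once per attribute; a single deny
    // rejects the request, so every listed role must be held.
    static boolean unanimous(Set<String> authorities, List<String> attributes) {
        int grants = 0;
        for (String attr : attributes) {
            int vote = roleVote(authorities, List.of(attr));
            if (vote == DENIED) return false;
            if (vote == GRANTED) grants++;
        }
        return grants > 0; // all abstained: denied by default
    }

    // AffirmativeBased: polls the voter with the full attribute list; one
    // grant is enough, so any listed role is sufficient.
    static boolean affirmative(Set<String> authorities, List<String> attributes) {
        return roleVote(authorities, attributes) == GRANTED;
    }

    public static void main(String[] args) {
        // Constructed input: usera is only in GroupAaa.
        Set<String> usera = Set.of("ROLE_GROUPAAA");
        List<String> single = List.of("ROLE_GROUPAAA");
        List<String> multi = List.of("ROLE_GROUPAAA", "ROLE_GROUPBBB", "ROLE_GROUPCCC");
        System.out.println("UnanimousBased,   one role:    " + unanimous(usera, single));
        System.out.println("UnanimousBased,   three roles: " + unanimous(usera, multi));
        System.out.println("AffirmativeBased, three roles: " + affirmative(usera, multi));
    }
}
```

With more than one voter in decisionVoters, AffirmativeBased grants as soon as any single voter grants, so review every voter in the list before switching decision managers.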

  7. #7
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Was there another exception after the one you've posted? This is the one that causes the redirect to the login page. If it was an access decision issue then there would be another exception.

  8. #8
    Join Date
    Sep 2006
    Location
    UK
    Posts
    8,424

    Quote: Originally Posted by Luke
    Was there another exception after the one you've posted? This is the one that causes the redirect to the login page. If it was an access decision issue then there would be another exception.
    Yes, my point indeed. The original exception just doesn't seem related to the solution.

  9. #9
    Join Date
    Feb 2007
    Posts
    102

    Code:
    2007-03-20 16:35:00,956 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Secure object: FilterInvocation: URL: /MainPage.do; ConfigAttributes: [ROLE_GROUPAAA, ROLE_GROUPBBB, ROLE_GROUPCCC]
    2007-03-20 16:35:00,971 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] - Authentication exception occurred; redirecting to authentication entry point
    org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
    Only this exception.

    The error does not redirect the user to the login page; there is only the exception. I can use error-page in web.xml to capture this error.

  10. #10
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Well, the exception you're seeing is a debug message from here:

    http://acegisecurity.org/multiprojec...ilter.html#147

    not actually an error. It then calls the configured entry point here:

    http://acegisecurity.org/multiprojec...yPoint.html#80

    which should result in a redirect (and a corresponding log message).
