OpenLDAP - Acegi partial success

[normanb]

Hi,

I have set up a test OpenLDAP server, and am looking to use basic authentication on a web service using acegi filters. I have managed to get the basic web prompt, and for the filter to authenticate against openldap and return a success but then I still get a 403 access denied page as the result. From the debug console I get an Authentication success, but I am concerned that the roles returned is [] is that the problem? I have pasted the output, my application context.xml and the openldap set up data file below and would be grateful for any advice.

Many thanks,

Norman

HTML Code:

2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ldap.DefaultInitialDirContextFactory] Creating InitialDirContext with environment {java.naming.provider.url=ldap://127.0.0.1:389/dc=mydomain,dc=com, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.principal=cn=Manager,dc=mydomain,dc=com, com.sun.jndi.ldap.connect.pool=true, java.naming.security.authentication=simple, java.naming.security.credentials=******}
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator] Roles from search: []
2007-03-26 09:01:53,142 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@14f4ec4]: org.acegisecurity.event.authentication.AuthenticationSuccessEvent[source=org.acegisecurity.providers.UsernamePasswordAuthenticationToken@489852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: ]
2007-03-26 09:01:53,142 WARN  [org.acegisecurity.event.authentication.LoggerListener] Authentication event AuthenticationSuccessEvent: jbloggs; details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ui.basicauth.BasicProcessingFilter] Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@489852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: 
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.util.FilterChainProxy] /test.jp2 at position 4 of 4 in additional filter chain; firing Filter: 'org.acegisecurity.intercept.web.FilterSecurityInterceptor@175b0b5'
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/test.jp2'; to: '/test.jp2'
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] Candidate is: '/test.jp2'; pattern is /**; matched=true
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] Secure object: FilterInvocation: URL: /test.jp2; ConfigAttributes: [ROLE_AUTHENTICATED]
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.intercept.AbstractSecurityInterceptor] Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@489852a4: Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@10287d; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffe3f86: RemoteIpAddress: 127.0.0.1; SessionId: BB019464FCABCAAA10E9F7E9C150565E; Granted Authorities: 
2007-03-26 09:01:53,142 DEBUG [org.springframework.web.context.support.XmlWebApplicationContext] Publishing event in context [org.springframework.web.context.support.XmlWebApplicationContext@14f4ec4]: org.acegisecurity.event.authorization.AuthorizationFailureEvent[source=FilterInvocation: URL: /test.jp2]
2007-03-26 09:01:53,142 DEBUG [org.acegisecurity.ui.ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler

applicationcontext.xml

HTML Code:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE 
beans SYSTEM "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
    <!-- FilterToBeanProxy  -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                    <value>
                            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                            PATTERN_TYPE_APACHE_ANT
                            /**=httpSessionContextIntegrationFilter,exceptionTranslationFilter,basicProcessingFilter,filterInvocationInterceptor
                    </value>
            </property>
    </bean>
    
    <!-- filter for unauthenticated users/interactions -->
    <bean id="exceptionTranslationFilter"
            class="org.acegisecurity.ui.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint">
                    <ref local="basicProcessingFilterEntryPoint"/>
            </property>
    </bean>

  <bean id="initialDirContextFactory"
  class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
    <constructor-arg value="ldap://127.0.0.1:389/dc=mydomain,dc=com" />
    <property name="managerDn">
      <value>cn=Manager,dc=mydomain,dc=com</value>
    </property>
    <property name="managerPassword">
      <value>secret</value>
    </property>
  </bean>
  
  <bean id="ldapAuthenticationProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg>
                <ref local="initialDirContextFactory"/>
            </constructor-arg>
            <property name="userDnPatterns">
                <list>
                    <value>uid={0},ou=people</value>
                </list>
            </property>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg>
                <ref local="initialDirContextFactory"/>
            </constructor-arg>
            <constructor-arg>
                <value>ou=groups</value>
            </constructor-arg>
            <property name="groupRoleAttribute">
                <value>ou</value>
            </property>
            <property name="searchSubtree">
                <value>true</value>
            </property>
            <property name="rolePrefix">
                <value>ROLE_</value>
            </property>
            <property name="convertToUpperCase">
                <value>true</value>
            </property>
        </bean>
    </constructor-arg>
  </bean>
  
  <!-- Automatically receives AuthenticationEvent messages -->
  <bean id="loggerListener"
  class="org.acegisecurity.event.authentication.LoggerListener" />
  
  <bean id="basicProcessingFilter"
  class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
    <property name="authenticationManager">
      <ref local="authenticationManager" />
    </property>
    <property name="authenticationEntryPoint">
      <ref local="basicProcessingFilterEntryPoint" />
    </property>
  </bean>
  <bean id="basicProcessingFilterEntryPoint"
  class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
    <property name="realmName">
      <value>EZIM Realm</value>
    </property>
  </bean>
  <bean id="httpSessionContextIntegrationFilter"
  class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
  </bean>
  <bean id="filterInvocationInterceptor"
  class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager" />
    </property>
    <property name="accessDecisionManager">
      <ref local="httpRequestAccessDecisionManager" />
    </property>
    <property name="objectDefinitionSource">
      <value>
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
	        PATTERN_TYPE_APACHE_ANT
            /**=ROLE_AUTHENTICATED
      </value>
    </property>
  </bean>
  <bean id="httpRequestAccessDecisionManager"
  class="org.acegisecurity.vote.AffirmativeBased">
    <property name="decisionVoters">
      <bean class="org.acegisecurity.vote.RoleVoter" />
    </property>
  </bean>
  <bean id="authenticationManager"
  class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="ldapAuthenticationProvider" />
      </list>
    </property>
  </bean>
</beans>

ldap config

HTML Code:

dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: domain
dc: mydomain

dn: ou=groups,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=people,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=ezimUsers,ou=groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: ezimUsers
uniqueMember: uid=jbloggs,ou=people,dc=mydomain,dc=com

dn: uid=jbloggs,ou=people,dc=mydomain,dc=com
objectClass: person
objectClass: inetOrgPerson
cn: Joe Bloggs
displayName: Joe Bloggs
givenName: Joe
mail: [email]jbloggs@fake.org[/email]
sn: Bloggs
uid: jbloggs
userPassword: password

[karldmoore]

You appear to have the URLs secured with a role called ROLE_AUTHENTICATED, and the prefix is set as ROLE_. Does the user have an assigned role called "authenticated"?

[normanb]

Hi,

I think this is where my problem since the user jbloggs doesn't have any roles at all in OpenLdap, I just want acegi to authenticate his username and password.

Is there a way to do this, and if not is there a quick way to add a role to openldap that will allow me to use acegi.

thanks,

Norman

[karldmoore]

If you don't want to use roles you could simply replace the RoleVoter with AuthenticatedVoter. You could then secure the URL with something like IS_AUTHENTICATED_FULLY.
http://acegisecurity.org/multiprojec...atedVoter.html

[normanb]

fantastic thank you

the authenticated voter worked!

[karldmoore]

Great, glad it worked! If you want to add roles later you can do that as well. For the time being atleast you have to be authenticated to see the pages. One step at a time .