Hi everyone.
I'm trying to develop simple web services security (authentication and authorization) based on XFire and Acegi with Spring. I managed to configure everything, but when I try to test the web services, it complains that Authentication.getDetails() is required. There's nothing fancy about the User/Roles, and I'm setting the UsernamePasswordAuthenticationToken in the header of the SOAP message to get the principals. Below is my testcase:
// Forum text that extraction fused onto this listing: "and this is my security configurations:"
// (it introduces the Spring/Acegi XML posted after this test case).

/**
 * Client-side test that calls the deployed TaskWebService through an XFire
 * dynamic proxy and checks that {@code getAll()} returns a non-empty result.
 *
 * <p>The test talks to a running server at a fixed localhost URL, so it
 * exercises the server's Acegi filter chain as well as the service itself.
 * {@code ClientAuthHandler} is a project class that is not shown; per the
 * post it places a UsernamePasswordAuthenticationToken in the SOAP header.
 */
public class TaskWebServiceTest extends AbstractXFireAegisTest {

    private Service serviceModel;
    private String urlMethodCall;
    private XFire xfire;
    private XFireProxyFactory factory;

    /** Builds the XFire instance, the proxy factory and the service model used by each test. */
    @Override
    public void setUp() throws Exception {
        xfire = XFireFactory.newInstance().getXFire();
        factory = new XFireProxyFactory(xfire);
        serviceModel = new ObjectServiceFactory().create(TaskWebService.class);
    }

    /** Drops the service model built in {@link #setUp()}. */
    public void tearDown() throws Exception {
        serviceModel = null;
    }

    /**
     * Calls {@code getAll()} on the remote service with the auth handler attached
     * and asserts that a non-null, non-empty result comes back.
     */
    public void testGetAll() throws Exception {
        // NOTE(review): this path is /webservices/..., while the posted
        // FilterSecurityInterceptor only maps /services/** - confirm which URL
        // space the access rules are meant to protect.
        urlMethodCall = "http://localhost:8080/webservices/TaskWebService";
        final TaskWebService taskService =
                (TaskWebService) factory.create(serviceModel, urlMethodCall);

        // The XFire client sits behind the JDK proxy's invocation handler.
        final Client client =
                ((XFireProxy) Proxy.getInvocationHandler(taskService)).getClient();

        // NOTE(review): literal test credentials travel over plain http:// here.
        // Acceptable against localhost only; any non-local endpoint needs TLS.
        client.addOutHandler(new ClientAuthHandler("user", "test"));
        client.setTransport(new SoapHttpTransport());

        final TaskSearch found = taskService.getAll();
        assertNotNull(found);
        assertTrue(found.getList().size() > 0);
    }
}
<?xml version="1.0" encoding="UTF-8"?>
<!-- Forum text that extraction fused onto this listing: "Thanks in advance and best regards" -->
<!--
  Acegi Security configuration as posted (the xmlns attributes and the
  channel-processing beans were elided by the author). It wires one filter
  chain for every URL, URL- and method-level interceptors, a ProviderManager
  with DAO / anonymous / remember-me providers, and concurrent-session control.
  Review notes below are marked NOTE(review); they describe only what this
  listing shows and are hedged where Acegi internals are not visible here.
-->
<beans xmlns...>

    <!-- Filter Proxy for filtering each http request -->
    <!--
      NOTE(review): keep each directive and each pattern=filters mapping on its
      own line inside <value>; the original line breaks were lost in this paste.
      The chain lists channelProcessingFilter, whose bean is not shown, and it
      does not list anonymousProcessingFilter, rememberMeProcessingFilter or
      authenticationProcessingFilter, so as posted those three beans are defined
      but never run. In particular nothing in this chain assigns ROLE_ANONYMOUS.
    -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilterWithACSFalse, basicProcessingFilter, channelProcessingFilter, logoutFilter, securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
            </value>
        </property>
    </bean>

    <!--
      URL-level access rules.
      NOTE(review): the only mapping is /services/**, but the test case calls
      /webservices/TaskWebService. If that is the real path, no rule applies to
      it, and a URL with no matching rule is presumably treated as public by this
      interceptor unless it is configured to reject such requests (confirm).
      Also, requiring ROLE_ANONYMOUS means an authenticated user passes only if
      that user also holds ROLE_ANONYMOUS; a role granted to real users is
      probably what is intended.
    -->
    <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                /services/**=ROLE_ANONYMOUS
            </value>
        </property>
    </bean>

    <!--
      Authentication manager shared by the web filters and the method interceptor.
      NOTE(review): the sessionController is the likely source of the reported
      "Authentication.getDetails() is required" failure. Concurrent-session
      control appears to read the session id from Authentication.getDetails(),
      so a token built by hand (for example from a SOAP header) without details
      is rejected. For stateless web-service calls, either populate details on
      the token or authenticate through a ProviderManager that has no
      sessionController. TODO confirm against the Acegi version in use.
    -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
                <ref local="anonymousAuthenticationProvider"/>
                <ref local="rememberMeAuthenticationProvider"/>
            </list>
        </property>
        <property name="sessionController">
            <ref bean="concurrentSessionController"/>
        </property>
    </bean>

    <!-- Logs authentication events published by the authentication manager. -->
    <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

    <!--
      HTTP Basic authentication.
      NOTE(review): Basic credentials are only encoded, not encrypted. The test
      uses http:// and forceHttps is false further down, so make sure the elided
      channelProcessingFilter actually requires a secure channel for these URLs.
    -->
    <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" />
    </bean>
    <bean id="basicProcessingFilterEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
        <property name="realmName" value="Workspace Realm" />
    </bean>

    <!--
      Anonymous authentication: filter and provider must share the same key.
      NOTE(review): "default" is a guessable value; use a deployment-specific one.
    -->
    <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
        <property name="key" value="default" />
        <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
    </bean>
    <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
        <property name="key" value="default" />
    </bean>

    <!-- Session-backed security context; this variant is not referenced by the chain above. -->
    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>
    <!--
      Variant used by the chain: it does not create an HttpSession itself.
      NOTE(review): with no session there may be no session id for the
      concurrent-session check to use; see the note on authenticationManager.
    -->
    <bean id="httpSessionContextIntegrationFilterWithACSFalse" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
        <property name="allowSessionCreation" value="false" />
    </bean>

    <!--
      Remember-me support.
      NOTE(review): the key is the secret that protects remember-me tokens and
      must match between the services bean and the provider. "springrocks" looks
      like a sample value; replace it with a long random secret that is kept out
      of version control and out of public posts.
    -->
    <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="rememberMeServices"></property>
    </bean>
    <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userLoginService" />
        <property name="key" value="springrocks" />
    </bean>
    <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="springrocks" />
    </bean>

    <!-- Logout: target URL after logout, then the handlers run on logout. -->
    <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
        <constructor-arg value="/laszlo/library/usecases/security/logout.lzx" />
        <constructor-arg>
            <list>
                <ref bean="rememberMeServices"/>
                <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
    </bean>
    <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />

    <!-- Concurrent Controller to prevent concurrent access for the same user/session -->
    <!-- maximumSessions=1 allows a single registered session per principal. -->
    <bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl">
        <property name="maximumSessions" value="1"/>
        <property name="sessionRegistry" ref="sessionRegistry" />
    </bean>

    <!--
      Translates security exceptions into an entry-point call or an error page.
      NOTE(review): the entry point here is the form-login one, so an
      unauthenticated SOAP client would be sent to the login page rather than
      receive an HTTP Basic challenge. basicProcessingFilterEntryPoint may be the
      better fit for web-service URLs.
    -->
    <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint" />
        <property name="accessDeniedHandler">
            <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/accessDenied.lzx" />
            </bean>
        </property>
    </bean>

    <!-- Form login processing (defined here but not listed in the filter chain above). -->
    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureUrl" value="/laszlo/login.lzx?login_error=1" />
        <property name="defaultTargetUrl" value="/" />
        <property name="filterProcessesUrl" value="/j_acegi_security_check" />
        <property name="rememberMeServices" ref="rememberMeServices" />
    </bean>
    <!-- NOTE(review): forceHttps=false leaves transport protection of the login form to the channel filter. -->
    <bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/laszlo/login.lzx" />
        <property name="forceHttps" value="false" />
    </bean>

    <!--
      Two identically configured decision managers: this one is used by the
      method interceptor, the next one by the URL interceptor. Both deny access
      when every voter abstains.
    -->
    <bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>
    <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>
    <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter" />

    <!-- Session Registry to prevent concurrent access for a same session/user -->
    <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl" />

    <!-- Bean for password encryption -->
    <!--
      NOTE(review): this is hashing, not encryption, and MD5 is too fast for
      password storage. No salt source is configured on the DAO provider below,
      so equal passwords produce equal hashes. Prefer a salted, deliberately slow
      password hash, and plan a re-hash on next login when migrating.
    -->
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />

    <!-- Bean for managing the cache -->
    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <property name="configLocation" value="classpath:/ehcache.xml" />
    </bean>
    <!-- Bean for caching the user at the backend -->
    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
        <property name="cacheManager" ref="cacheManager" />
        <property name="cacheName" value="userCache" />
    </bean>
    <!-- Bean for caching the user -->
    <!-- NOTE(review): daoAuthenticationProvider below does not reference this cache, so it is unused as posted. -->
    <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
        <property name="cache" ref="userCacheBackend" />
    </bean>

    <!-- Dao authentication Provider -->
    <!-- userLoginService is not defined in this listing; presumably declared elsewhere. -->
    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userLoginService" />
        <property name="passwordEncoder" ref="passwordEncoder"></property>
    </bean>

    <!-- Method-level security driven by security annotations on the service classes. -->
    <bean id="objectDefinitionAnnotationsSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
        <property name="attributes">
            <ref bean="attributes"/>
        </property>
    </bean>
    <bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/>
    <!--
      NOTE(review): validateConfigAttributes=false turns off the startup check of
      configured attributes, so a mistyped role name would go unnoticed until
      runtime. This interceptor also authenticates through the same
      authenticationManager, and therefore through the same sessionController.
    -->
    <bean id="userManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes" value="false" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
        <property name="objectDefinitionSource" ref="objectDefinitionAnnotationsSource"/>
    </bean>

    channelprocessingfilter and stuff...
</beans>


