
Thread: Acegi Security System in Spring WebFlow

  1. #11

    Hi, just wondering if I could get a copy of your workshop code.

    I saw in another thread that it was committed in March, I think... not included in the head dist though?

    Any reason why?

    I noticed that the FlowSecurityInterceptor class is missing the sessionCreated method. Is that so that people are forced to implement it? Or did the FlowExecutionListener interface change since the code was created?

    just wondering

    thanks

  2. #12
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,624

    If I'm not mistaken I committed a new zip with classes some time ago, that one includes the sessionCreated method. It wasn't there because the first version didn't include that method, it was introduced in SWF 1.0.4, we developed it at first for 1.0...
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #13

    Yup, you are right... my bad... downloaded both, then opened the zip that was at the top of the page.

  4. #14
    We are using it with SWF 1.0.5; it currently works like a charm. Haven't (yet) tested it with 2.0M1 or nightly builds for 2.0, maybe something to do when my laptop returns.
    Marten Deinum

  5. #15

    I'm using 1.0.4 and still slogging through... I think it shouldn't be too hard to get it working though.

  6. #16

    Hi,

    It's up and semi-running (users.properties file).

    When I try to access a more secured page with a less privileged user, Acegi throws an access denied exception and I get the ugly Tomcat death page... Should I be catching this with an on-exception transition? Or is there an accessdenied page that I need to define somewhere?

    When I try to log in with a user that is not authorized before the flow starts, I do get redirected to the accessdenied.jsp page.

    So... to sum up:
    supervisor->secure_page->works
    user->secure_page->ugly arse tomcat exception
    evil_user->login.jsp->accessdenied.jsp

    thanks

  7. #17
    If you have set up your filter chain correctly, Acegi should convert the AccessDenied exception and redirect to an AccessDenied page.

    Configure an AccessDeniedHandler and inject that into the ExceptionTranslationFilter.
    Marten Deinum

  8. #18

    This is the filter chain:
    Code:
    /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    The exceptionTranslationFilter:
    Code:
    	<bean id="exceptionTranslationFilter"
    		class="org.acegisecurity.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint">
    			<bean
    				class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    				<property name="loginFormUrl" value="/rfslogin.jsp" />
    				<property name="forceHttps" value="false" />
    			</bean>
    		</property>
    		<property name="accessDeniedHandler">
    			<bean
    				class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    				<property name="errorPage" value="/accessDenied.jsp" />
    			</bean>
    		</property>
    	</bean>
    And the exception:
    Code:
    org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.webflow.execution.FlowExecutionException: Exception thrown in state 'startRFSPortal' of flow 'rfsportal-flow'; nested exception is org.acegisecurity.AccessDeniedException: Access is denied
    Any suggestions?

  9. #19
    Hmm, just looked at the source code and it looks at the nested exception and checks if that is of the type AccessDeniedException. If not, it simply ignores the message.

    So it is probably needed to check the whole exception chain and see if one of the nested exceptions is an instance of AccessDeniedException. I recommend posting a JIRA for this issue.
    Marten Deinum

  10. #20

    OK... for the moment a quick workaround is:

    Code:
    <global-transitions>
        <transition on-exception="org.acegisecurity.AccessDeniedException" to="accessDenied" />
    </global-transitions>
    Just to verify... the JIRA issue is for swf-93?
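
The chain walk suggested in post #19, as an added example that is not part of the thread or of Acegi's source. The three exception classes are stand-ins defined here to mirror the nesting in the posted trace, and `directCauseOnly` and `findInChain` are hypothetical names.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class CauseChainDemo {
    // Stand-ins (assumptions) for the three exception types in the posted trace.
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String m) { super(m); }
    }
    static class FlowExecutionException extends RuntimeException {
        FlowExecutionException(String m, Throwable c) { super(m, c); }
    }
    static class NestedServletException extends Exception {
        NestedServletException(String m, Throwable c) { super(m, c); }
    }

    // Behaviour described in post #19: only the directly nested exception is inspected.
    static boolean directCauseOnly(Throwable t) {
        return t.getCause() instanceof AccessDeniedException;
    }

    // Walk the whole chain; the identity set guards against cyclic cause links.
    static <T extends Throwable> T findInChain(Throwable t, Class<T> type) {
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        for (Throwable cur = t; cur != null && seen.add(cur); cur = cur.getCause()) {
            if (type.isInstance(cur)) {
                return type.cast(cur);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample reproducing the nesting from the posted stack trace.
        Throwable thrown = new NestedServletException("Request processing failed",
            new FlowExecutionException(
                "Exception thrown in state 'startRFSPortal' of flow 'rfsportal-flow'",
                new AccessDeniedException("Access is denied")));

        System.out.println("direct cause only: " + directCauseOnly(thrown));
        AccessDeniedException denied = findInChain(thrown, AccessDeniedException.class);
        System.out.println("chain walk found:  "
            + (denied != null ? denied.getMessage() : "nothing"));
        // A filter would pass 'denied' to its access-denied handler and rethrow anything else.
    }
}
```

With the Web Flow wrapper in between, the direct-cause check never sees the `AccessDeniedException`, which is why the configured `accessDeniedHandler` is bypassed and the container error page appears instead.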
