
Thread: ExceptionTranslationFilter with FlowSecurityInterceptor

  1. #1
    Join Date
    Feb 2008
    Posts
    12

    ExceptionTranslationFilter with FlowSecurityInterceptor

    Hi All,

    I have configured Acegi with the default config and everything works fine. When I add the FlowSecurityInterceptor and call a secured webflow, I find (after debugging) that Acegi is throwing AuthenticationCredentialsNotFoundException for the ExceptionTranslationFilter to catch in the handleException method. With the default config it catches the exception and redirects me to the login page, but with the flow config I just get the exception and the ExceptionTranslationFilter doesn't catch it...

    Any ideas why this is happening?

    Please Advise,
    Thanks,
    Kobi

  2. #2
    Join Date
    Feb 2008
    Posts
    12

    More info

    I found out that the Exception is wrapped by a NestedServletException and the root cause is of type AuthenticationException, I am using the new ExceptionTranslationFilter written by mdeinum but it doesn't traverse to the acegi exception in getAcegiSecurityException.

    I don't want to change the code b/c I think there might be something else wrong...

    Any ideas??

    mdeinum maybe??

    Thanks in advance,
    Kobi

  3. #3
    Join Date
    Feb 2008
    Posts
    12

    I am not sure if this is the solution - please help!

    This is how I changed the doFilter in ExceptionTranslation.. class

    I am not sure this is the best solution and why do I have to go to the root and the cause of the root..

    Anyone has an idea?

    Code:
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("HttpServletRequest required");
        }

        if (!(response instanceof HttpServletResponse)) {
            throw new ServletException("HttpServletResponse required");
        }

        try {
            chain.doFilter(request, response);

            if (logger.isDebugEnabled()) {
                logger.debug("Chain processed normally");
            }
        }
        catch (AuthenticationException ex) {
            handleException(request, response, chain, ex);
        }
        catch (AccessDeniedException ex) {
            handleException(request, response, chain, ex);
        }
        catch (ServletException ex) {
            // Look one and two levels below the ServletException for an Acegi exception.
            Throwable root = ex.getRootCause();
            // getRootCause() may be null; guard before calling getCause() on it.
            Throwable nested = (root != null) ? root.getCause() : null;
            if (root instanceof AuthenticationException || root instanceof AccessDeniedException) {
                handleException(request, response, chain, (AcegiSecurityException) root);
            }
            else if (nested instanceof AuthenticationException || nested instanceof AccessDeniedException) {
                handleException(request, response, chain, (AcegiSecurityException) nested);
            }
            else {
                // Not a security exception: let it propagate unchanged.
                throw ex;
            }
        }
        catch (IOException ex) {
            throw ex;
        }
    }

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    We use the filter without any problems. Are you SURE you use the filter I wrote? Also try to use a debugging tool and see what is happening and why the exception isn't resolved.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  5. #5
    Join Date
    Feb 2008
    Posts
    12

    Exception

    In my case the exception is wrapped twice...
    Can you think of a reason why the exception is wrapped again?

  6. #6
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    If you use the correct filter (my modified version), that unwinds the whole exception stack, so even if it is wrapped 123 times it will still resolve. For some reason I still doubt if you use the correct filter.

    Code:
    AcegiSecurityException getAcegiSecurityException(Exception e) {
       if (e instanceof IOException) {
           return null;
       }
       
       AcegiSecurityException ase = null;
       
       Throwable t = e;
       while (ase == null && t != null) {
           if (t instanceof AccessDeniedException || t instanceof AuthenticationException) {
               ase = (AcegiSecurityException) t;
           }
           t = t.getCause();
       }
       return ase;
    }
    This method (which comes from my modified filter) traverses the whole stack until one of the desired exceptions is found.

    Post your configuration.
    Last edited by Marten Deinum; Feb 12th, 2008 at 10:47 AM.

  7. #7
    Join Date
    Feb 2008
    Posts
    12

    Modified version

    Thanks for the reply!

    I did use this version that traverses the entire stack, BUT when it does the t = t.getCause(); the cause in my case is the same type of exception (NestedServletException), so what happens is (take a look at the getCause code) the cause returned is null and your code does not go over the entire stack...

    I debugged it and saw it returned null instantly instead of going over the stack.

    Let me know what you think..

    Thanks,
    Kobi
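
Added example (not part of the original thread, and not code from Acegi, Spring or either poster): a cause-chain walk that also follows getRootCause() when getCause() returns null, the behaviour reported in post #7, so a security exception wrapped twice is still found and translated instead of surfacing as a raw error. `SecurityFailure` and `LegacyServletWrapper` are hypothetical stand-ins for AcegiSecurityException and the servlet wrapper, and the sample exception is constructed.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

public class CauseChainDemo {

    // Hypothetical stand-in for AcegiSecurityException (not the Acegi class).
    static class SecurityFailure extends RuntimeException {
        SecurityFailure(String msg) { super(msg); }
    }

    // Hypothetical stand-in for a servlet wrapper that keeps its nested
    // exception in a private field: getCause() stays null, as reported in #7.
    static class LegacyServletWrapper extends Exception {
        private final Throwable rootCause;
        LegacyServletWrapper(String msg, Throwable rootCause) {
            super(msg);               // cause deliberately not passed to Throwable
            this.rootCause = rootCause;
        }
        Throwable getRootCause() { return rootCause; }
    }

    // Next link in the chain: prefer getCause(), fall back to getRootCause().
    static Throwable next(Throwable t) {
        Throwable cause = t.getCause();
        if (cause == null && t instanceof LegacyServletWrapper) {
            cause = ((LegacyServletWrapper) t).getRootCause();
        }
        return cause;
    }

    // Walk the whole chain; the identity set stops self-referencing causes.
    static SecurityFailure findSecurityFailure(Throwable start) {
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>());
        for (Throwable t = start; t != null && seen.add(t); t = next(t)) {
            if (t instanceof SecurityFailure) {
                return (SecurityFailure) t;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: security exception wrapped twice, as in this thread.
        Throwable doubleWrapped = new LegacyServletWrapper("outer",
                new LegacyServletWrapper("inner", new SecurityFailure("no credentials")));
        System.out.println("getCause() only: " + doubleWrapped.getCause());
        System.out.println("with fallback:   " + findSecurityFailure(doubleWrapped));
    }
}
```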

  8. #8
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    Why do you even have 2 NestedServletExceptions?! As stated before post your configuration, because that shouldn't even happen.

  9. #9
    Join Date
    Feb 2008
    Posts
    12

    My configuration

    Thanks again, I figured this is my problem but I can understand why it is happening ...

    Here is my configuration, if you need anything else let me know..

    Acegi config:

    Code:
        <!-- ****** START ACEGI Security Configuration *******-->
        <!-- ======================== FILTER CHAIN ======================= -->
    
        <!--  if you wish to use channel security, add "channelProcessingFilter," in front
    		of "httpSessionContextIntegrationFilter" in the list below -->
        <bean id="filterChainProxy"
              class="org.acegisecurity.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter<!-- ,filterSecurityInterceptor --> 
                </value>
            </property>
        </bean>
        
        <!-- Start Security filter config -->
        
        <bean id="exceptionTranslationFilter"
              class="com.tangentlogic.uptous.spring.util.security.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint">
                <ref bean="formLoginAuthenticationEntryPoint" />
            </property>
            <property name="accessDeniedHandler">
                <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                    <property name="errorPage" value="/accessDenied.htm"/>
                </bean>
            </property>
        </bean>
        
        <!-- Define filter to handle BASIC authentication -->
        <bean id="basicProcessingFilter"
              class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
            <property name="authenticationManager">
                <ref bean="authenticationManager" />
            </property>
            <property name="authenticationEntryPoint">
                <ref bean="authenticationEntryPoint" />
            </property>
        </bean>
        
        <!-- Define realm for BASIC login-->
        <bean id="authenticationEntryPoint"
              class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
            <property name="realmName">
                <value>Spring Web Realm</value>
            </property>
        </bean>
        
        <!-- Define filter to handle FORM authentication -->
        <bean id="formAuthenticationProcessingFilter"
              class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
            <property name="filterProcessesUrl">
                <value>/j_acegi_security_check</value>
            </property>
            <property name="authenticationFailureUrl">
                <value>/uptous.htm?_flowId=login-flow</value>
            </property>
            <property name="defaultTargetUrl">
                <value>/</value>
            </property>
            <property name="authenticationManager">
                <ref bean="authenticationManager" />
            </property>
        </bean>
        
        <!-- Define realm for FORM login-->
        <bean id="formLoginAuthenticationEntryPoint"
              class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl">
                <value>/uptous.htm?_flowId=login-flow</value>
            </property>
            <property name="forceHttps">
                <value>false</value>
            </property>
        </bean>
        
        <bean id="httpSessionContextIntegrationFilter"
              class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">          
        </bean>
        <!-- End Security filter config -->
        
        <!-- Start Security interceptor config -->
        <!-- Define authentication manager, decision manager and secure URL patterns-->
         <bean id="flowSecurityListener" class="org.springframework.webflow.security.FlowSecurityInterceptor">     		   		
              <property name="authenticationManager">
              	<ref bean="authenticationManager" />
              </property>
              <property name="accessDecisionManager">
              	<ref bean="accessDecisionManager" />
              </property>
              <property name="flowDefinitionSource">
                <value>                          	
                    createAccount-flow=ROLE_TEST
                    invites-flow=ROLE_TEST  
                    main-flow=ROLE_TEST                     
                </value>
            </property>
        </bean> 
         
        
         <!-- <bean id="filterSecurityInterceptor"
    		class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager">
    			<ref bean="authenticationManager" />
    		</property>
    		<property name="accessDecisionManager">
    			<ref bean="accessDecisionManager" />
    		</property>
    		<property name="objectDefinitionSource">
    			<value>
    				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    				PATTERN_TYPE_APACHE_ANT
    				/main*=ROLE_TEST						
    			</value>
    		</property>
    	</bean> --> 
        <!-- End Security interceptor config -->
        
        <!-- Start authentication config -->
        <bean id="authenticationManager"
              class="org.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref bean="daoAuthenticationProvider" />
                </list>
            </property>        
        </bean>
        
        <bean id="daoAuthenticationProvider"
              class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
            <property name="userDetailsService">
                <ref bean="userDetailsService" />
            </property>        
        </bean>
            
        <!-- Authentication using JDBC Dao -->
        <bean id="userDetailsService"
              class="com.tangentlogic.uptous.spring.util.security.AuthenticationJdbcDaoImpl">
            <property name="userDAO">
                <ref bean="userDAO"/>
            </property>       
            <property name="dataSource" ref="myDataSource"/>
           	<property name="usersByUsernameQuery">
    			<value>
    				SELECT EMAIL USERNAME,PASSWORD, ENABLED
    				FROM USERS WHERE EMAIL=?
    			</value>
    		</property>		
        </bean>
     
        
        <!-- End authentication config -->
        
        <!-- Start authorization config -->
        <bean id="accessDecisionManager"
              class="org.acegisecurity.vote.UnanimousBased">
            <property name="decisionVoters">
                <list>
                    <ref bean="roleVoter" />
                </list>
            </property>
        </bean>
        
        <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
            <property name="rolePrefix">
                <value>ROLE_</value>
            </property>
        </bean>
    web.xml
    Code:
        <listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    	
        
        <context-param>		
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    			/WEB-INF/uptous-spring-hibernate.xml ,/WEB-INF/uptous-security-config.xml 
    		</param-value>
    	</context-param>
    		
    	
        
     <!-- ****************** Acegi Filter ***********************-->
        <filter>
            <filter-name>Acegi Filter Chain Proxy</filter-name>
            <filter-class>
                org.acegisecurity.util.FilterToBeanProxy
            </filter-class>
            <init-param>
                <param-name>targetBean</param-name>
                <param-value>filterChainProxy</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>Acegi Filter Chain Proxy</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>  
        <listener>
            <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
        </listener>  
        
        <!-- ************************ End ***************************-->
    	
    	<servlet>
    		<servlet-name>uptous</servlet-name>		
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<init-param>
    			<param-name>contextConfigLocation</param-name>
    			<param-value>
    				/WEB-INF/uptous-servlet-config.xml
    				/WEB-INF/uptous-spring-hibernate.xml
    				/WEB-INF/uptous-webflow-config.xml
    				/WEB-INF/uptous-validation-config.xml				
    			</param-value>
    		</init-param>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	
    	
    	
    	<welcome-file-list>
    		<welcome-file>main.jsp</welcome-file>
    	</welcome-file-list>
    	
    	<servlet-mapping>
    		<servlet-name>uptous</servlet-name>
    		<url-pattern>*.htm</url-pattern>
    	</servlet-mapping>
    	
      	<display-name>UpToUs</display-name>
    webflow config:
    Code:
    <flow:executor id="flowExecutor" registry-ref="flowRegistry" repository-type="continuation">
    	 	<flow:execution-listeners>	
    			<flow:listener ref="flowSecurityListener"/>
    		</flow:execution-listeners>  
    	</flow:executor>
    	
    	
    	
    	<!-- Creates the registry of flow definitions for this application -->
    	<flow:registry id="flowRegistry">
    		<flow:location path="/WEB-INF/flows/**-flow.xml"/>
    	</flow:registry>
    I am using spring 2.0.7 with swf 1.0.5 with Acegi 1.0.6

  10. #10
    Join Date
    Feb 2008
    Posts
    12

    Anyone?

    Anyone has an idea why I have 2 nestedservletexceptions wrapped in my exception???

    Please help...
