
Thread: Help me convert my PreAuth config to 2.0 namespace

  1. #1

    Default Help me convert my PreAuth config to 2.0 namespace

    Hello.

    I managed to configure my application to my needs using the preAuth sample. I removed a bunch of beans and consolidated some others, but I still have a pretty huge config (100+ lines and 17 beans). I've been trying to reconfigure it to use the Spring 2.0 namespace configuration, but I can't seem to get it to run. Here is my functioning config:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    	
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
    	
    	<!-- Explicit bean wiring for J2EE container pre-authentication: the servlet
    	     container logs the user in, and the filters below build the Spring
    	     Security context from the principal the container reports. -->

    	<!-- Filters run in the order listed in "filters". The bean
    	     securityContextHolderAwareRequestFilter is defined further down but is
    	     not named here, so it is not part of the chain. -->
    	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
    		 <sec:filter-chain-map path-type="ant">
    			<sec:filter-chain pattern="/**"
    				filters="sif,myPreAuthFilter,logoutFilter,anonymousProcessingFilter,etf,fsi" />
    		</sec:filter-chain-map>
    	</bean>
    	
    	<!-- Only the pre-auth provider is registered. anonymousAuthenticationProvider
    	     (defined at the end of this file) is not in this list. -->
    	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    		<property name="providers">
    			<list>
    				<ref local="preAuthenticatedAuthenticationProvider" />
    			</list>
    		</property>
    	</bean>
    	
    	<!-- This provider does not check credentials; it accepts the pre-authenticated
    	     token and asks the service below for the user's authorities. -->
    	<bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</bean>
    	
    	<!-- Custom service that decides which roles a container-authenticated user gets. -->
    	<bean id="preAuthenticatedUserDetailsService" class="com.xxx.security.userdetails.MyUserDetails" />
    	
    	<!-- Reads the principal from the servlet request. Every URL that must be
    	     authenticated therefore has to be covered by a container security
    	     constraint; where the container did not authenticate, this filter has
    	     nothing to work with. -->
    	<bean id="myPreAuthFilter"
    		class="org.springframework.security.ui.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    	</bean>
    	
    	<!-- Entry point used by "etf" when an unauthenticated request is denied.
    	     NOTE(review): this class is expected to reject the request (HTTP 403)
    	     rather than start a login; confirm for the version in use. -->
    	<bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    	
    	<!-- First constructor argument is the URL to send the user to after logout;
    	     the second is the list of logout handlers to run. -->
    	<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
    		<constructor-arg value="/" />
    		<constructor-arg>
    			<list>
    				<bean
    					class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
    			</list>
    		</constructor-arg>
    	</bean>
    	
    	<bean id="sif"
    		class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
    		
    	<bean id="servletContext"
    		class="org.springframework.web.context.support.ServletContextFactoryBean" />
    	
    	<!-- Translates access-denied and authentication exceptions raised by "fsi"
    	     into a call to the entry point above. -->
    	<bean id="etf"
    		class="org.springframework.security.ui.ExceptionTranslationFilter">
    		<property name="authenticationEntryPoint" ref="preAuthenticatedProcessingFilterEntryPoint" />
    	</bean>
    	
    	<!-- URL authorization rules. Patterns are matched in the order written and
    	     the first match decides, so the catch-all "/**" has to stay last.
    	     Despite its name, "/insecure/**" requires a fully authenticated user;
    	     only the catch-all is open to anonymous requests. -->
    	<bean id="fsi"
    		class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
    		<property name="objectDefinitionSource">
    			<sec:filter-invocation-definition-source>
    				<sec:intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    				<sec:intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    			</sec:filter-invocation-definition-source>
    		</property>
    	</bean>
    	
    	<!-- Access is granted as soon as one voter grants it. With
    	     allowIfAllAbstainDecisions=false a request on which every voter abstains
    	     is denied, which is the fail-closed choice. -->
    	<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    		<property name="allowIfAllAbstainDecisions" value="false" />
    		<property name="decisionVoters">
    			<list>
    				<ref bean="authenticatedVoter" />
    				<ref bean="roleVoter" />
    			</list>
    		</property>
    	</bean>
    	
    	<!-- roleVoter handles the ROLE_ attributes, authenticatedVoter the
    	     IS_AUTHENTICATED_ attributes used in the rules above. -->
    	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />
    	<bean id="authenticatedVoter" class="org.springframework.security.vote.AuthenticatedVoter" />
    		
    	<!-- Defined but not referenced by springSecurityFilterChain above. -->
    	<bean id="securityContextHolderAwareRequestFilter"
    		class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter">
    		<property name="wrapperClass"
    			value="org.springframework.security.wrapper.SecurityContextHolderAwareRequestWrapper" />
    	</bean>
    	
    	<!-- Gives requests without a container principal an anonymous token.
    	     The key must be identical in the filter and the provider below;
    	     "foobar" is a hard-coded, guessable value and should be replaced with
    	     a deployment-specific one. -->
    	<bean id="anonymousProcessingFilter"
    		class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
    		<property name="key" value="foobar" />
    		<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
    	</bean>
    	
    	<bean id="anonymousAuthenticationProvider"
    		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
    		<property name="key" value="foobar" />
    	</bean>
    	
    </beans>
    And here is my attempt at converting it to namespace. This runs but I only get authenticated anonymous, never through the J2EE Preauth:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    	
    <b:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
    	
    	<!-- Namespace-based attempt. The security namespace is the default here, so
    	     plain Spring beans carry the "b:" prefix.
    	     This file registers a pre-auth provider but no pre-auth filter, so
    	     nothing reads the container principal from the request; the only
    	     authentication that can happen is the anonymous one. -->

    	<!-- auto-config is off, so only the child elements listed here are set up.
    	     intercept-url rules are matched in the order written; the catch-all
    	     "/**" must stay last. -->
    	<http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
    		<intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    		<intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<anonymous />
    		<logout />
    		<!-- One session per user; a second login is rejected instead of
    		     expiring the first session. -->
    		<concurrent-session-control max-sessions="1"
    			exception-if-maximum-exceeded="true" />
    	</http>
    	
    	<b:bean id="preAuthenticatedUserDetailsService" class="com.XXX.security.userdetails.MyUserDetails" />
    	
    	<b:bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    		
    	<!-- custom-authentication-provider adds this bean to the authentication
    	     manager that the namespace creates. -->
    	<b:bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<custom-authentication-provider />
    		<b:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</b:bean>
    	
    </b:beans>
    Can anyone help me get this working? I'm not really interested in selling a 100+ line, 17-bean configuration as "simple" and something everyone in my organization should do.
    Last edited by jozeph78; Sep 23rd, 2008 at 06:25 PM.

  2. #2

    Default

    Ok I got this working. What I needed to do was add my j2eePreAuthenticatedProcessingFilter with the custom-filter position set to PRE_AUTH_FILTER. Here is my new namespace based security configuration:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <b:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.2.xsd">
    	
    	<!-- Namespace-based configuration for J2EE container pre-authentication.
    	     The security namespace is the default, so plain Spring beans carry the
    	     "b:" prefix. -->

    	<!-- auto-config is off, so only the child elements listed here are set up.
    	     Unauthenticated requests that are denied go to the pre-auth entry point.
    	     intercept-url rules are matched in the order written; keep the
    	     catch-all "/**" last. Despite its name, "/insecure/**" requires a fully
    	     authenticated user. -->
    	<http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" >
    		<intercept-url pattern="/secure/**" access="ROLE_ADMIN" />
    		<intercept-url pattern="/insecure/**" access="IS_AUTHENTICATED_FULLY" />
    		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<anonymous />
    		<logout />
    		<!-- One session per user; a second login is rejected instead of
    		     expiring the first session. Session tracking depends on
    		     HttpSessionEventPublisher being registered as a listener in
    		     web.xml, otherwise ended sessions are never released. -->
    		<concurrent-session-control max-sessions="1"
    			exception-if-maximum-exceeded="true" />
    	</http>
    	
    	<!-- custom-filter places this bean at the pre-authentication position of the
    	     filter chain built by the http element. The filter takes the principal
    	     from the servlet request, so every URL that must be authenticated has
    	     to be covered by a container security constraint. -->
    	<b:bean id="myPreAuthFilter"
    		class="org.springframework.security.ui.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
    		<custom-filter position="PRE_AUTH_FILTER"/>
    		<b:property name="authenticationManager" ref="authenticationManager" />
    	</b:bean>
    	
    	<b:bean id="preAuthenticatedProcessingFilterEntryPoint"
    		class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    		
    	<!-- custom-authentication-provider adds this bean to the authentication
    	     manager that the namespace creates. The provider does not check
    	     credentials; it only loads authorities through the service below. -->
    	<b:bean id="preAuthenticatedAuthenticationProvider"
    		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
    		<custom-authentication-provider />
    		<b:property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    	</b:bean>
    	
    	<!-- Custom service that decides which roles a container-authenticated user gets. -->
    	<b:bean id="preAuthenticatedUserDetailsService" class="com.XXX.security.userdetails.MyUserDetails" />
    	
    	<!-- Exposes the namespace-created authentication manager under a bean name so
    	     that myPreAuthFilter above can reference it. -->
    	<authentication-manager alias="authenticationManager"/>
    	
    </b:beans>
    I've attached my web.xml as well:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
    	version="2.4">
    	<!-- NOTE(review): version="2.4" and the j2ee namespace indicate Servlet 2.4,
    	     but the schemaLocation names web-app_2_5.xsd. The Servlet 2.4 schema
    	     file is web-app_2_4.xsd; confirm and align the two. -->

    	<!-- Spring context files picked up by ContextLoaderListener; the security
    	     configuration has to match this pattern to be loaded. -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>classpath*:applicationContext-*.xml
    		</param-value>
    		<!--
    			<param-value>/WEB-INF/classes/applicationContext*.xml</param-value>
    		-->
    	</context-param>
    	<mime-mapping>
    		<extension>htc</extension>
    		<mime-type>text/x-component</mime-type>
    	</mime-mapping>
    	
    	<!-- Publishes HTTP session lifecycle events into the Spring context.
    	     Concurrent session control relies on these events. -->
    	<listener>
          <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
        </listener>
        
    	<listener> 
    		<listener-class> org.springframework.web.context.ContextLoaderListener
    		</listener-class>
    	</listener>
    	
    	<!-- Container-managed form login. The Spring Security pre-auth filter relies
    	     on the principal established by this login. -->
    	<login-config>
    		<auth-method>FORM</auth-method>
    		<realm-name>MyRealm</realm-name>
    		<form-login-config>
    			<form-login-page>/login.htm</form-login-page>
    			<form-error-page>/login.htm?retry=true</form-error-page>
    		</form-login-config>
    	</login-config>
    	
    	<!-- Role every user must hold in the container realm to pass the
    	     constraint below. -->
    	<security-role>
    		<role-name>ROLE_CONTAINER_AUTH</role-name>
    	</security-role>
    	
    	<!-- Only *.htm is constrained, while springSecurityFilterChain below is
    	     mapped to /*. Requests for any other path are not challenged by the
    	     container, so they reach the filter chain without a container
    	     principal. No user-data-constraint is declared, so nothing here
    	     requires the login form or the protected pages to use HTTPS. -->
    	<security-constraint>
    		<web-resource-collection>
    			<web-resource-name>All areas</web-resource-name>
    			<url-pattern>*.htm</url-pattern>
    		</web-resource-collection>
    		<auth-constraint>
    			<role-name>ROLE_CONTAINER_AUTH</role-name>
    		</auth-constraint>
    	</security-constraint>
    	
    	<servlet>
    		<servlet-name>realm</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet
    		</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    	<servlet-mapping>
    		<servlet-name>realm</servlet-name>
    		<url-pattern>*.htm</url-pattern>
    	</servlet-mapping>
    	
    	<!-- Delegates to the Spring bean named springSecurityFilterChain; the
    	     filter-name must match that bean name. -->
    	<filter>
    		<filter-name>springSecurityFilterChain
    		</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy
    		</filter-class>
    	</filter>
    	
    	<!-- Every request passes through the Spring Security chain, including paths
    	     the container constraint above does not cover. -->
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain
    		</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
    	<welcome-file-list>
    		<welcome-file>index.jsp</welcome-file>
    	</welcome-file-list>
    </web-app>
    Here is the code for MyUserDetails.java if anyone is interested. I didn't want any container roles coming into the ACEGI security. That's just to get past the container so ACEGI can do its thing.

    Code:
    package com.cme.security.userdetails;
    
    import java.util.ArrayList;
    import java.util.List;
    
    import org.springframework.security.Authentication;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.GrantedAuthority;
    import org.springframework.security.GrantedAuthorityImpl;
    import org.springframework.security.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.userdetails.User;
    import org.springframework.security.userdetails.UserDetails;
    import org.springframework.util.Assert;
    
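    /**
     * Supplies the Spring Security {@link UserDetails} for a pre-authenticated token.
     * No credentials are checked here; the class only decides which authorities the
     * already-authenticated user receives.
     */
    public class MyUserDetails implements AuthenticationUserDetailsService {
    
    	/**
    	 * Builds the user details for the given pre-authenticated token.
    	 *
    	 * @param token the authentication request token; its details must not be null
    	 * @return the user details, including the granted authorities
    	 * @throws AuthenticationException declared by the interface; not thrown by this implementation
    	 * @throws IllegalArgumentException if the token carries no details object
    	 */
    	public final UserDetails loadUserDetails(Authentication token) throws AuthenticationException {
    		Assert.notNull(token.getDetails());
    		return createuserDetails(token);
    	}
    	
    	/**
    	 * Creates the final {@code UserDetails} object. Can be overridden to customize the contents.
    	 * 
    	 * @param token the authentication request token
    	 * @return a user named after the token, with a placeholder password and all account flags enabled
    	 */
    	protected UserDetails createuserDetails(Authentication token) {
    		List<GrantedAuthority> gaList = new ArrayList<GrantedAuthority>();
    		gaList.add(new GrantedAuthorityImpl("ROLE_USER"));
    		gaList.add(new GrantedAuthorityImpl("ROLE_CONTAINER_AUTH"));
    		// SECURITY: ROLE_ADMIN is derived from the login name alone. Any account whose
    		// name contains "admin" in any letter case is treated as an administrator, so
    		// whoever can choose or register a login name can obtain the role. Replace this
    		// with an explicit mapping (container roles or a user store) before real use.
    		// The explicit locale keeps the comparison independent of the JVM default
    		// locale, where case mapping of "i" can differ.
    		String upperName = token.getName().toUpperCase(java.util.Locale.ENGLISH);
    		if (upperName.contains("ADMIN")) {
    			gaList.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
    		}
    		// The password is never used for pre-authenticated users; "N/A" is a placeholder.
    		return new User(token.getName(), "N/A", true, true, true, true, gaList.toArray(new GrantedAuthority[0]));
    	}
    	
    	
    }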
    If anyone sees a way to improve on this approach I'd be glad to hear it. I'd still like to avoid any security-role or auth-constraints in the web.xml, but ACEGI doesn't redirect to the container login page (at least I don't know how to configure it to do so). I hate having to add the ROLE_CONTAINER_AUTH to the realm authenticator (in this case the jetty hash realm) just to get past the container. It's a silly requirement because my enterprise wants us to use the container's security realm for authorization.

    Thanks!
    Last edited by jozeph78; Sep 23rd, 2008 at 06:37 PM.

  3. #3

    Default URL for pre-auth sample

    Hi, Joe.

    Where did you download the sample application? Could you post the URL?


    Thank you very much.


    David

  4. #4

    Default

    The sample application is only available through the svn/cvs site for spring security.

  5. #5
    Luke Taylor is offline Senior Member Acegi Security System TeamSpring Team

    Default

    Quote Originally Posted by jozeph78 View Post
    The sample application is only available through the svn/cvs site for spring security.
    This isn't strictly true. You can also download the pre-built sample war files from the maven central repo:

    http://repo1.maven.org/maven2/org/sp...auth-2.0.4.war

    We'd recommend you use the source though.
    Spring - by Pivotal
    twitter @tekul
