I'm attempting to integrate the Commons metadata functionality into my application and noticed that Method Security doesn't appear to have an Advice. Is there any particular reason for this or am I missing something? If I wrote one would the Acegi team be interested in a patch?
Mike

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Thursday, July 15, 2004 9:16 PM
> To: [EMAIL PROTECTED]
> Subject: Acegisecurity-developer digest, Vol 1 #83 - 7 msgs
>
> Send Acegisecurity-developer mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Acegisecurity-developer digest..."
>
>
> Today's Topics:
>
>    1. Re: Newbie Questions... ([EMAIL PROTECTED])
>    2. RE: Re: [Acegisecurity-developer] Followup: Why am I getting extra
>       requests with Sitemesh? (Travis)
>    3. Re: Followup: Why am I getting extra requests with Sitemesh? (Ben Alex)
>    4. Re: Newbie Questions... (Ben Alex)
>    5. Re: Newbie Questions... ([EMAIL PROTECTED])
>    6. Re: Newbie Questions... (Ben Alex)
>
> --__--__--
>
> Message: 1
> Date: Thu, 15 Jul 2004 15:21:46 -0400 (EDT)
> Subject: Re: [Acegisecurity-developer] Newbie Questions...
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> Ben,
>
> I am still having troubles getting messages to the developer list. My
> messages keep bouncing back. Hopefully, you can put this into the list.
> However...
>
> I had to force Basic authentication by modifying the BasicProcessingFilter
> class so that the doFilter method sets the header field to "Basic "
> if header is null. I know this is ugly, but the SOAP client (Flash
> component) is not sending this value when the request is made. I do not
> understand this.
>
> Anyways, here is what I had to code to force this to happen. If you know
> a better way then I would like to know about it.
> I think that the Flash
> client is not setting this header field correctly to indicate that it is
> Basic auth, but I am not sure. If I do not use this code then a
> subsequent Acegi filter will try to redirect to a login page. Please
> advise.
>
>     public void doFilter(ServletRequest request, ServletResponse response,
>                          FilterChain chain)
>             throws IOException, ServletException {
>         if (!(request instanceof HttpServletRequest)) {
>             throw new ServletException("Can only process HttpServletRequest");
>         }
>
>         if (!(response instanceof HttpServletResponse)) {
>             throw new ServletException("Can only process HttpServletResponse");
>         }
>
>         HttpServletRequest httpRequest = (HttpServletRequest) request;
>         HttpServletResponse httpResponse = (HttpServletResponse) response;
>
>         String header = httpRequest.getHeader("Authorization");
>
>         if (logger.isDebugEnabled()) {
>             logger.debug("Authorization header: " + header);
>         }
>
>         // ADDED CODE START - YUCK....
>         //if ((header != null) && header.startsWith("Basic ")) {
>         // With no Authorization header present, "Basic " is decoded below to
>         // an empty token, so an empty username and password are passed to
>         // authenticate() instead of the request being challenged.
>         if (header == null) {
>             header = "Basic ";
>         }
>         // ADDED CODE END - YUCK....
>
>         String base64Token = header.substring(6);
>         String token = new String(Base64.decodeBase64(base64Token.getBytes()));
>
>         String username = "";
>         String password = "";
>         int delim = token.indexOf(":");
>
>         if (delim != -1) {
>             username = token.substring(0, delim);
>             password = token.substring(delim + 1);
>         }
>
>         UsernamePasswordAuthenticationToken authRequest =
>             new UsernamePasswordAuthenticationToken(username, password);
>         authRequest.setDetails(httpRequest.getRemoteAddr());
>
>         Authentication authResult;
>
>         try {
>             authResult = authenticationManager.authenticate(authRequest);
>         } catch (AuthenticationException failed) {
>             // Authentication failed
>             if (logger.isDebugEnabled()) {
>                 logger.debug("Authentication request for user: " + username
>                     + " failed: " + failed.toString());
>             }
>
>             authenticationEntryPoint.commence(request, response);
>
>             return;
>         }
>
>         // Authentication success
>         if (logger.isDebugEnabled()) {
>             logger.debug("Authentication success: " + authResult.toString());
>         }
>
>         httpRequest.getSession().setAttribute(
>             HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY,
>             authResult);
>         // if }
>
>         chain.doFilter(request, response);
>     }
>
> Thanks,
>
> Mark Eagle
>
>
> > [EMAIL PROTECTED] wrote:
> >
> >>First, thanks to Ben for helping me understand some of the Acegi
> >>internals.
> >>My question revolves around using BASIC authentication with Acegi.
> >>First, let me start by stating that I am not using HTML. I am using
> >>Flex which uses a Flash client with SOAP requests. What I want to know
> >>is if I use BASIC authentication will Acegi still be able to use the
> >>notion of a ContextHolder to store authentication credentials such as
> >>roles? I want to use the roles for my Spring managed business objects
> >>of course. Furthermore, is there a filter that I should be using that
> >>will not redirect to a page if authentication fails?
> >>Instead of the filter
> >>redirecting to a JSP, or other page, I would like to just send a
> >>response.sendError(HttpServlet.SC_UNAUTHORIZED) back to the client.
> >>Should I just write my own filter that is similar to the
> >>BasicProcessingFilter and append it in the chain of filters? The Flash
> >>client is expecting a 401 HTTP error to notice a Client.Authentication
> >>fault/exception. The current filter tries to redirect to the custom
> >>login form which does not apply in my context.
> >>
> >>
> >>
> > Hi Mark
> >
> > The normal approach to BASIC authentication is to use
> > SecurityEnforcementFilter, which detects any Acegi Security related
> > exceptions. If the user is not logged in, the AuthenticationEntryPoint
> > implementation will be called, which is usually
> > BasicProcessingFilterEntryPoint in this case. If the user is logged in,
> > a straight 403 (access denied) will be thrown.
> > BasicProcessingFilterEntryPoint will throw a 401 (unauthorised) which
> > will cause the calling browser to attempt login.
> >
> > Whilst SecurityEnforcementFilter can provide HTTP URL security, you
> > don't _have_ to use it for this. The main value in your case is it
> > detects security exceptions thrown by later executed code (namely the
> > MethodSecurityInterceptor), meaning it can send the 403 or redirect to
> > the AuthenticationEntryPoint accordingly.
> >
> > Does that answer your questions, as I think these classes will provide
> > the behaviour you need?
> >
> > Best regards
> > Ben
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by BEA Weblogic Workshop
> > FREE Java Enterprise J2EE developer tools!
> > Get your free copy of BEA WebLogic Workshop 8.1 today.
> > http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> > _______________________________________________
> > Acegisecurity-developer mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
> >
> >
>
> --__--__--
>
> Message: 2
> From: "Travis" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: RE: Re: [Acegisecurity-developer] Followup: Why am I getting
>   extra requests with Sitemesh?
> Date: Thu, 15 Jul 2004 14:37:25 -0500
> Reply-To: [EMAIL PROTECTED]
>
> Patrick and Ben,
>
> This patch fixed the BEA issues I had with my application as well as the
> sample contacts application.
>
> Thanks!
> Travis
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Burleson
> Sent: Thursday, July 15, 2004 10:00 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Re: [Acegisecurity-developer] Followup: Why am I getting
>   extra requests with Sitemesh?
>
> On Thu, 15 Jul 2004 15:49:56 +1000, Ben Alex <[EMAIL PROTECTED]> wrote:
> >
> > Hi Patrick
> >
> > Thanks for the info.
> >
> > People should only be running one AbstractIntegrationFilter subclass,
> > although they might run more than one processing filter, such as
> > BasicProcessingFilter and AuthenticationProcessingFilter (for form-based
> > authentication) in the same web application.
> >
> > If you wouldn't mind submitting a patch, I'd be happy to apply it to
> > CVS. I'd write it myself, but don't have access to Weblogic to give it a
> > full test.
> >
> > Best regards
> > Ben
>
> Ben,
>
> Ok, I've got it fixed I think. It passes all the Junit Tests (you'll
> see that I had to add in a check for request != null since some of the
> tests pass in a null request) and my app now works as expected.
>
> Attached is the patch. I borrowed the idea from the WebWork project
> (including the Variable name) and wanted to give them full credit.
>
> Let me know if this isn't going to work or if it needs adjustments.
>
> As a side note, as a developer, you can get a 1 year free use of
> Weblogic just by downloading the server. That's how I'm able to test
> on it.
>
> Thanks,
> Patrick
>
>
> --__--__--
>
> Message: 3
> Date: Fri, 16 Jul 2004 09:28:13 +1000
> From: Ben Alex <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Acegisecurity-developer] Followup: Why am I getting extra
>   requests with Sitemesh?
> Reply-To: [EMAIL PROTECTED]
>
> Travis wrote:
>
> >Patrick and Ben,
> >
> >This patch fixed the BEA issues I had with my application as well as the
> >sample contacts application.
> >
> >Thanks!
> >Travis
> >
>
> Travis, I'm pleased this fixed your problem.
>
> Patrick, thanks very much for your patch and help. I've applied it to
> CVS HEAD.
>
> Thanks again
> Ben
>
>
> --__--__--
>
> Message: 4
> Date: Fri, 16 Jul 2004 10:00:13 +1000
> From: Ben Alex <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Acegisecurity-developer] Newbie Questions...
> Reply-To: [EMAIL PROTECTED]
>
> [EMAIL PROTECTED] wrote:
>
> >Ben,
> >
> >I had to force Basic authentication by modifying the BasicProcessingFilter
> >class so that the doFilter method sets the header field to "Basic "
> >if header is null. I know this is ugly, but the SOAP client (Flash
> >component) is not sending this value when the request is made. I do not
> >understand this.
> >
> >Anyways, here is what I had to code to force this to happen. If you know
> >a better way then I would like to know about it. I think that the Flash
> >client is not setting this header field correctly to indicate that it is
> >Basic auth, but I am not sure. If I do not use this code then a
> >subsequent Acegi filter will try to redirect to a login page. Please
> >advise.
> >
>
> Mark
>
> What is supposed to happen is:
>
> 1. SOAP request received, and attempted to be executed.
> 2. MethodSecurityInterceptor throws AuthenticationException.
> 3. Wrapping SecurityEnforcementFilter detects AuthenticationException
>    and calls AuthenticationEntryPoint (which must be
>    BasicProcessingFilterEntryPoint).
> 4. BasicProcessingFilterEntryPoint responds with a challenge like this:
>    WWW-Authenticate: Basic realm="WallyWorld"
> 5. SOAP client reads challenge, and retries request but this time with a
>    header like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
> 6. SOAP request received, and attempted to be executed.
> 7. BasicProcessingFilter detects header and attempts authentication,
>    placing successful Authentication into the HttpSession.
> 8. AutoIntegrationFilter grabs Authentication from HttpSession and onto
>    ContextHolder.
> 9. MethodSecurityInterceptor successful this time, as there is an
>    Authentication object on ContextHolder.
>
> Your code change seems to suggest to me your SecurityEnforcementFilter
> isn't configured properly. It seems as if your BasicProcessingFilter is
> being used to simulate an attempted authentication, which will cause
> BasicProcessingFilter to launch BasicProcessingFilterEntryPoint right
> away (it's designed to do this, as the user might have presented invalid
> credentials, so they're given a chance to try again). Would you mind
> copying your application context XML into an email showing the
> configuration of the security objects?
> It should look something like this:
>
> <bean id="securityEnforcementFilter"
>       class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
>   <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
>   <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>   <------ NB this line --->
> </bean>
>
> <bean id="basicProcessingFilter"
>       class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
>   <property name="authenticationManager"><ref bean="authenticationManager"/></property>
>   <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>
> </bean>
>
> <bean id="basicProcessingFilterEntryPoint"
>       class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
>   <property name="realmName"><value>My Company's Realm</value></property>
> </bean>
>
> Thanks
> Ben
>
>
> --__--__--
>
> Message: 5
> Date: Thu, 15 Jul 2004 21:20:44 -0400 (EDT)
> Subject: Re: [Acegisecurity-developer] Newbie Questions...
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
>
> Ben,
>
> You were right. It was a problem with my securityEnforcementFilter bean
> configuration. I see it now. Once I changed to the
> basicProcessingFilterEntryPoint bean reference it worked. I also needed
> your great explanation about SOAP authorization. I will be giving a
> presentation about Spring at AJUG (Atlanta User Group) next Tuesday. I
> will definitely mention this security plugin for Spring. My next
> challenge will be to get SSL Basic authentication configured with Acegi.
> Thank you so much for your attention about this problem.
>
> Mark
>
>
> > [EMAIL PROTECTED] wrote:
> >
> >>Ben,
> >>
> >>I had to force Basic authentication by modifying the BasicProcessingFilter
> >>class so that the doFilter method sets the header field to "Basic "
> >>if header is null.
> >>I know this is ugly, but the SOAP client (Flash
> >>component) is not sending this value when the request is made. I do not
> >>understand this.
> >>
> >>Anyways, here is what I had to code to force this to happen. If you know
> >>a better way then I would like to know about it. I think that the Flash
> >>client is not setting this header field correctly to indicate that it is
> >>Basic auth, but I am not sure. If I do not use this code then a
> >>subsequent Acegi filter will try to redirect to a login page. Please
> >>advise.
> >>
> >>
> >>
> >>
> > Mark
> >
> > What is supposed to happen is:
> >
> > 1. SOAP request received, and attempted to be executed.
> > 2. MethodSecurityInterceptor throws AuthenticationException.
> > 3. Wrapping SecurityEnforcementFilter detects AuthenticationException
> >    and calls AuthenticationEntryPoint (which must be
> >    BasicProcessingFilterEntryPoint).
> > 4. BasicProcessingFilterEntryPoint responds with a challenge like this:
> >    WWW-Authenticate: Basic realm="WallyWorld"
> > 5. SOAP client reads challenge, and retries request but this time with a
> >    header like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
> > 6. SOAP request received, and attempted to be executed.
> > 7. BasicProcessingFilter detects header and attempts authentication,
> >    placing successful Authentication into the HttpSession.
> > 8. AutoIntegrationFilter grabs Authentication from HttpSession and onto
> >    ContextHolder.
> > 9. MethodSecurityInterceptor successful this time, as there is an
> >    Authentication object on ContextHolder.
> >
> > Your code change seems to suggest to me your SecurityEnforcementFilter
> > isn't configured properly. It seems as if your BasicProcessingFilter is
> > being used to simulate an attempted authentication, which will cause
> > BasicProcessingFilter to launch BasicProcessingFilterEntryPoint right
> > away (it's designed to do this, as the user might have presented invalid
> > credentials, so they're given a chance to try again).
> > Would you mind
> > copying your application context XML into an email showing the
> > configuration of the security objects? It should look something like
> > this:
> >
> > <bean id="securityEnforcementFilter"
> >       class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
> >   <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
> >   <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>   <------ NB this line --->
> > </bean>
> >
> > <bean id="basicProcessingFilter"
> >       class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
> >   <property name="authenticationManager"><ref bean="authenticationManager"/></property>
> >   <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>
> > </bean>
> >
> > <bean id="basicProcessingFilterEntryPoint"
> >       class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
> >   <property name="realmName"><value>My Company's Realm</value></property>
> > </bean>
> >
> > Thanks
> > Ben
> >
>
> --__--__--
>
> Message: 6
> Date: Fri, 16 Jul 2004 11:24:43 +1000
> From: Ben Alex <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Acegisecurity-developer] Newbie Questions...
> Reply-To: [EMAIL PROTECTED]
>
> [EMAIL PROTECTED] wrote:
>
> >Ben,
> >
> >You were right. It was a problem with my securityEnforcementFilter bean
> >configuration. I see it now.
> >Once I changed to the
> >basicProcessingFilterEntryPoint bean reference it worked. I also needed
> >your great explanation about SOAP authorization. I will be giving a
> >presentation about Spring at AJUG (Atlanta User Group) next Tuesday. I
> >will definitely mention this security plugin for Spring. My next
> >challenge will be to get SSL Basic authentication configured with Acegi.
> >Thank you so much for your attention about this problem.
> >
> >Mark
> >
>
> Hi Mark
>
> Pleased it was resolved. With your next challenge, do you mean using
> BASIC authentication over HTTPS? If so, there's no reason it shouldn't
> simply work by using https:// as the target URL rather than http://.
>
> Best regards
> Ben
>
>
> --__--__--
>
> End of Acegisecurity-developer Digest
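The nine-step flow Ben lays out in Message 4 (entry point challenges, client retries with an Authorization header, filter parses and authenticates) as a runnable round trip. This is an added example written for this page in Python; it is not Acegi code and was not posted by anyone in the thread. The servlet filters are replaced by plain functions, the request/response dicts and the USERS table are constructed stand-ins for the servlet request and an AuthenticationManager, and the realm name is the one from Ben's example challenge. parse_basic_authorization does the check the unmodified Acegi filter does with its startsWith("Basic ") test: an absent or malformed header is not a credential and the request goes to the entry point. parse_like_the_workaround mirrors the posted hack for contrast, where the same request is turned into an authentication attempt with an empty username and password.

```python
import base64
import binascii
import hmac
from typing import Dict, List, Optional, Tuple

# Realm taken from the challenge quoted in the thread; the user store is a
# constructed stand-in for what an Acegi AuthenticationManager would consult.
REALM = "WallyWorld"
USERS: Dict[str, str] = {"Aladdin": "open sesame"}   # RFC 2617's own example pair


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server-side parse of 'Authorization: Basic <base64(user:pass)>'.
    Returns (username, password), or None for an absent or malformed header.
    None means "challenge the client", never "authenticate an empty credential"."""
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():   # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")     # password may itself contain ':'
    if not sep:
        return None
    return username, password


def parse_like_the_workaround(header: Optional[str]) -> Tuple[str, str]:
    """Mirror of the posted work-around, for comparison only: a missing header
    becomes 'Basic ', the remainder is sliced and split on ':' with no validation,
    so a request carrying no credentials yields ('', '') and is pushed through an
    authentication attempt instead of being challenged."""
    if header is None:
        header = "Basic "
    token = base64.b64decode(header[6:]).decode("utf-8", "replace")
    username, _, password = token.partition(":")
    return username, password


def challenge() -> Dict:
    """What BasicProcessingFilterEntryPoint emits (step 4): 401 plus the challenge."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def handle_request(request: Dict) -> Dict:
    """Server side of steps 2-4 and 7-9. 'request' is a constructed stand-in for
    the servlet request: {"headers": {...}}. No or bad credentials -> challenge;
    valid credentials -> the protected call proceeds (200)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}   # header names are case-insensitive
    creds = parse_basic_authorization(headers.get("authorization"))
    if creds is None:
        return challenge()
    username, password = creds
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return challenge()
    return {"status": 200, "headers": {}, "principal": username}


def basic_header(username: str, password: str) -> str:
    """Client-side encoding of the credential (step 5)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def client_exchange(username: str, password: str) -> List[int]:
    """Client side of the round trip: first request without credentials (step 1);
    on a 401 carrying a Basic challenge, retry once with the header (steps 5-6).
    Returns the sequence of status codes seen, e.g. [401, 200]."""
    trace: List[int] = []
    response = handle_request({"headers": {}})
    trace.append(response["status"])
    www_auth = response["headers"].get("WWW-Authenticate", "")
    if response["status"] == 401 and www_auth.lower().startswith("basic "):
        response = handle_request({"headers": {"Authorization": basic_header(username, password)}})
        trace.append(response["status"])
    return trace
```

client_exchange("Aladdin", "open sesame") returns [401, 200]: the first request is answered with the WallyWorld challenge, the retry carries exactly the token Ben quotes (QWxhZGRpbjpvcGVuIHNlc2FtZQ== is "Aladdin:open sesame") and succeeds. A wrong password or unknown user returns [401, 401], because a failed attempt is answered with the same challenge so the client can try again, which is the behaviour Ben attributes to BasicProcessingFilter. The point of keeping the "no header" and "bad credentials" paths separate is that only the second should ever reach the authentication provider and its failure counters.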