[Acegisecurity-developer] Re: problem with FilterSecurityInterceptor

Wed, 05 Apr 2006 18:16:32 -0700

Actually I’m a bit confused with this mail list, since I didn’t accept mail, except the topic’s digest. I hope I send reply to the right topic (the one that I start before)

 

Before, thanks Vikas Sasidharan for responding my problem

 

Here I send my Security context configuration

 

Please, I really need your advice

 

 

Vikas wrote

> Hi,
> 
> Could you please attach your accessDecisionManager and *Voter bean 
> definitions ?
 
> If you are using the default accessDecisionManager and RoleVoter, I 
> can't see any reason why it should happen. Any way, the bean definition 
> should help us in figuring that out.
> 
> Rgds,
> Vikas.
 
> I Gede Putu Sutarsa Giri Putra wrote:
> 
> Hi.
> 
> I'm currently new with acegi.
> 
> We develop our application using webwork+free marker, and acegi for 
> the security. It's deal with NTLM.
> 
> I have a problem with FilterSecurityInterceptor bean.
> 
> I'm try to secure my application URLs by entering filtering pattern on
> 
> ObjectDefinition source property.
> 
> 
> Here is my filter
> 
> <bean id="filterInvocationInterceptor"
> 
>       class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
> 
>       <property name="authenticationManager">
> 
>         <ref bean="authenticationManager"/>
> 
>       </property>
> 
>       <property name="accessDecisionManager">
> 
>         <ref bean="accessDecisionManager"/>
> 
>       </property>
> 
>       <!--
> 
>       <property name="runAsManager">
> 
>       <ref bean="runAsManager"/>
> 
>       </property>
> 
>       -->
> 
>       <property name="objectDefinitionSource">
> 
>         <value>
> 
>              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> 
>           PATTERN_TYPE_APACHE_ANT
> 
>           /index.jsp=ANONYMOUS,USER
> 
>           /hello.htm=ANONYMOUS,USER
> 
>           /logoff.jsp=ANONYMOUS,USER
> 
>           /acegilogin.jsp*=ANONYMOUS,USER
> 
>                                       /kimap/**=HBI_ADMIN
> 
>                                       /location/**=HBI_ADMIN, ADMIN
> 
>                                       /user/**=ADMIN
> 
>                                     /**=USER                     
> 
> 
>         </value>
> 
>       </property>
> 
>     </bean>
> 
> 
>  Well it works well when there is just one role specified for the 
> package. For example on package /kimap, it works well. The user that 
> not in role HBI_ADMIN is rejected when the are trying to access the 
> URL under
> 
> /kimap package. But the problem arise when the role that specified for 
> some package or URL more than one. For example package location. I 
> specify that URL allowed for user that have role HBI_ADMIN or ADMIN.
> 
> But it's not work. It will reject the user that *just *have role 
> HBI_ADMIN *or just *ADMIN. It only accept user with both ROLE.
> 
> 
> Does anyone ever deal with this problem?
> 
> Please tell me in which part the mistake that I made.
> 
> 
> Regards, gede sutarsa
> 
> 


 



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd";>
  <!-- $Id$ -->
  <beans>
    <!-- we use FilterChainProxy, so we could chain any filter that acegi could provide -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
      <property name="filterInvocationDefinitionSource">
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /**=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter,ntlmFilter,contextHolderAwareRequestFilter,securityEnforcementFilter
        </value>
      <!--
change authenticationEntryPoint property in securityEnforcementFilter if you would use basicProcessingFilter
          /**=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter,basicProcessingFilter,contextHolderAwareRequestFilter,securityEnforcementFilter
        <value>
          CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          PATTERN_TYPE_APACHE_ANT
          /do/**=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter,basicProcessingFilter,authenticationProcessingFilter,anonymousProcessingFilter,contextHolderAwareRequestFilter,securityEnforcementFilter
          /j_acegi_security_check=httpSessionContextIntegrationFilter,httpRequestIntegrationFilter,authenticationProcessingFilter,contextHolderAwareRequestFilter,securityEnforcementFilter
        </value>
      -->
      </property>
    </bean>

    <!-- here is authentication manager -->
    <bean id="authenticationManager" 
      class="org.acegisecurity.providers.ProviderManager">
      <property name="providers">
        <list>
<!--
          <ref bean="anonymousAuthenticationProvider"/>
-->
          <ref bean="smbAuthenticationProvider"/>
          <ref bean="daoAuthenticationProvider"/>
<!--
          <ref bean="sampleAuthenticationProvider"/>
          <ref local="rememberMeAuthenticationProvider"/>
          <ref bean="someOtherAuthenticationProvider"/>
          -->
        </list>
      </property>
    </bean>

	<bean id="ntlmEntryPoint" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilterEntryPoint"/>

	<bean id="ntlmFilter" class="org.acegisecurity.ui.ntlm.NtlmProcessingFilter">
		<property name="defaultDomain"><value>${security.defaultDomain}</value></property>
		<property name="domainController"><value>${security.domainController}</value></property>
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="authenticationEntryPoint" ref="ntlmEntryPoint"/>
	</bean>

	<bean id="smbAuthenticationProvider"
		class="org.acegisecurity.providers.smb.SmbNtlmAuthenticationProvider">
		<property name="authorizationProvider">
			<ref local="daoAuthenticationProvider"/>
		</property>
	</bean>

    <bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
      <property name="allowSessionCreation"><value>true</value></property>
      <property name="context"><value>org.acegisecurity.context.SecurityContextImpl</value></property>
    </bean>
    
    <!-- this bean enable request.getRemoteUser, isUserInRole, etc... -->
    <bean id="contextHolderAwareRequestFilter"
      class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />

    <bean id="httpRequestIntegrationFilter"
      class="org.acegisecurity.adapters.HttpRequestIntegrationFilter" />

    <bean id="openSessionInViewFilter"
      class="org.springframework.orm.hibernate3.support.OpenSessionInViewFilter">
		<property name="singleSession">
			<value>true</value>
		</property>
		<property name="sessionFactoryBeanName">
			<value>sessionFactory</value>
		</property>
    </bean>

	<bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
		<property name="filterSecurityInterceptor">
			<ref bean="filterInvocationInterceptor"/>
		</property>
		<property name="authenticationEntryPoint">
			<ref bean="ntlmEntryPoint"/>
		</property>
	</bean>
<!--
    <bean id="securityEnforcementFilter"
      class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
      <property name="filterSecurityInterceptor">
        <ref bean="filterInvocationInterceptor"/>
      </property>
      <property name="authenticationEntryPoint">
        <ref bean="authenticationEntryPoint"/>
      </property>
    </bean>
    <bean id="authenticationEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl">
        <value>/acegilogin.jsp</value>
      </property>
      < ! - -
      <property name="forceHttps">
        <value>false</value>
      </property>
      - - >
    </bean>
-->
    <!-- we use used for Form based Auth -->
<!--
    <bean id="authenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="defaultTargetUrl">
        <value>/observe.action</value>
      </property>
      <property name="authenticationFailureUrl">
        <value>/acegilogin.jsp?login_error=1</value>
      </property>
      <property name="filterProcessesUrl">
        <value>/j_acegi_security_check</value>
      </property>
    </bean>
-->
    
    <!-- for basic auth -->

    <bean id="basicProcessingFilter"
      class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="authenticationEntryPoint">
        <ref bean="basicAuthenticationEntryPoint"/>
      </property>
    </bean>
    <bean id="basicAuthenticationEntryPoint"
      class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
      <property name="realmName">
        <value>${web.title}</value>
      </property>
    </bean>
    
    <!-- for digest auth, should be chosen as replacement for basic auth -->
<!--
    <bean id="digestProcessingFilter"
      class="org.acegisecurity.ui.digestauth.DigestProcessingFilter">
      <property name="authenticationDao">
        <ref local="authenticationDao"/>
      </property>
      <property name="authenticationEntryPoint">
        <ref local="digestProcessingFilterEntryPoint"/>
      </property>
      <property name="userCache">
        <ref local="userCache"/>
      </property>
    </bean>
    <bean id="digestProcessingFilterEntryPoint"
      class="org.acegisecurity.ui.digestauth.DigestProcessingFilterEntryPoint">
      <property name="realmName">
        <value>${web.title}</value>
      </property>
      <property name="key">
        <value>${web.title}</value>
      </property>
      <property name="nonceValiditySeconds">
        <value>10</value>
      </property>
    </bean>
-->
    <bean id="anonymousProcessingFilter"
      class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <property name="key">
        <value>anonymous</value>
      </property>
      <property name="userAttribute">
        <value>anonymousUser,ANONYMOUS</value>
      </property>
    </bean>

    <!-- should we use remember me feature? -->
    <!--
    <bean id="rememberMeProcessingFilter"
    class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="rememberMeServices"><ref local="rememberMeServices"/></property>
    </bean>
    <bean id="rememberMeServices"
    class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="authenticationDao"><ref local="jdbcDaoImpl"/></property>
    <property name="key"><value>springRocks</value></property>
    </bean>
    <bean id="rememberMeAuthenticationProvider"
    class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
    <property name="key"><value>springRocks</value></property>
    </bean>
    -->
    <bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
        <ref bean="accessDecisionManager"/>
      </property>
      <!--
      <property name="runAsManager">
      <ref bean="runAsManager"/>
      </property>
      -->
      <property name="objectDefinitionSource">
        <value>
		CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
          	PATTERN_TYPE_APACHE_ANT
          	/kimap/**=HBI_ADMIN			
                /location/**=HBI_ADMIN, ADMIN
		/user/**=ADMIN
		/**=USER
        </value>
      </property>
    </bean>
    
    <!-- still dunno what role voter & decisionmanager beans for :(-->

    <bean id="roleVoter"
      class="org.acegisecurity.vote.RoleVoter">
      <property name="rolePrefix"><value /></property>
    </bean>


      
    <bean id="accessDecisionManager"
      class="org.acegisecurity.vote.UnanimousBased">
      <property name="decisionVoters">
        <list>
          <ref bean="roleVoter"/>
        </list>
      </property>
      <property name="allowIfAllAbstainDecisions">
        <value>true</value>
      </property>
    </bean>


<bean id="memoryAuthenticationDao" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
	<property name="userMap">
		<value>
			abyher=PASSWORD,USER
		</value>
	</property>
</bean>

    <!-- provider for authentication -->
<bean id="daoAuthenticationProvider"      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="userDetailsService">
        <!--
		<ref bean="memoryAuthenticationDao"/>
		-->
        	<ref bean="authenticationDao"/>
      </property>
      <property name="userCache"><ref bean="userCache"/></property>
 </bean>

    <!--
    <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
    -->
    
    <!-- using cache to avoid repetitive access to database -->
    <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
    <!--
      <property name="configLocation">
        <value>/WEB-INF/defs/ehcache-failsafe.xml</value>
      </property>
    -->
    </bean>
    <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
      <property name="cacheManager">
        <ref local="cacheManager"/>
      </property>
      <property name="cacheName">
        <value>userCache</value>
      </property>
    </bean>
    <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
      <property name="cache"><ref local="userCacheBackend"/></property>
    </bean>    
    
    <!--for anonymous user -->
<!--
    <bean id="anonymousAuthenticationProvider" 
      class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
      <property name="key">
        <value>anonymous</value>
      </property>      
    </bean>
-->
    
    <!-- use it only in debugging environment -->
<!--
    <bean id="sampleAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
      <property name="authenticationDao"><ref bean="inMemoryDaoImpl"/></property>
    </bean>
    <bean id="inMemoryDaoImpl" class="org.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
      <property name="userMap">
      <value>
        admin=admin,USER,ADMIN
        guest=,disabled,USER
      </value>
      </property>
    </bean>
-->
  </beans>

Reply via email to