Spring Acegi notes

This article describes in detail how the Acegi security framework works and what its core components are. It mainly covers the four security checks, the role and configuration of the three filters, and how security filtering is implemented through the FilterChain.

tutorial  

1. what happens when you access a secured web application resource?

1) check if the resource is secured;
2) check if the requesting user has been authenticated;
3) check if the authenticated user is properly authorized to access the requested resource;
4) serve the requested resource.

To make a long story short, security is implemented by these Four Checks:

  1. the Restricted Access Check (is the resource secured?);

  2. the Existing Authentication Check (has the user been authenticated?);

  3. if there is no valid login for the user: the Authentication Request Check (are the correct username and password provided?);

  4. the Authorization Check (does the user have the required roles?).

2. Acegi uses a chain of (at least) three filters to enable web application security

  1. The AuthenticationProcessingFilter handles the Authentication Request Check (“logging into the application”). It uses the AuthenticationManager to do its work.

  2. The HttpSessionContextIntegrationFilter maintains the Authentication object between the various requests and passes it on to the AuthenticationManager and the AccessDecisionManager when needed.

  3. The ExceptionTranslationFilter performs the Existing Authentication Check, handles security exceptions and takes the appropriate action. This action is either spawning the authentication dialog (a.k.a. the login form) or returning the appropriate HTTP security error code. ExceptionTranslationFilter depends on the next filter, FilterSecurityInterceptor, to do its work.

  4. The FilterSecurityInterceptor manages the Restricted Access Check and the Authorization Check. It knows which resources are secured and which roles have access to them. FilterSecurityInterceptor uses the AuthenticationManager and the AccessDecisionManager to do its work.


3. The Filter Chain

The filters are “chained” together by an object called the “filterChainProxy”, which in turn creates and starts the filters listed in its definition:

<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
    </value>
  </property>
</bean>

3.1 The HttpSessionContextIntegrationFilter

HttpSessionContextIntegrationFilter is very specialized and therefore very easy to configure. The only thing this filter does is propagate the established authentication object through all requests. The filter wraps the authentication object in a ThreadLocal [thread safe] and hands that wrapper over to the other filters in the chain.

<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
</bean>

3.2 The AuthenticationProcessingFilter

<bean id="formAuthenticationProcessingFilter"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="filterProcessesUrl">
    <value>/j_acegi_security_check</value>
  </property>
  <property name="authenticationFailureUrl">
    <value>/loginFailed.html</value>
  </property>
  <property name="defaultTargetUrl">
    <value>/</value>
  </property>
  <property name="authenticationManager">
    <ref bean="authenticationManager" />
  </property>
</bean>

This filter class is specifically used for form logins, which is why the form-submit URL (“filterProcessesUrl”) and the login-failed page (“authenticationFailureUrl”) are configured on this bean.

AuthenticationProcessingFilter is specialised in handling authentication requests. Spawning a login dialog enables a user to log in, but has nothing to do with actually validating the provided username/password combination, and is therefore not configured in this filter.

3.3 The ExceptionTranslationFilter

ExceptionTranslationFilter catches any authentication or authorization error (in the form of an AcegiSecurityException) and does one of the following two things.

If the exception was caused by the absence of an Authentication object (i.e. the user has not logged in yet), it spawns the configured AuthenticationEntryPoint to prompt the user for login.

If the exception was caused by an authorization exception thrown by FilterSecurityInterceptor (i.e. the user is logged in but is not authorized for the requested resource), ExceptionTranslationFilter sends an SC_FORBIDDEN (HTTP 403) error to the browser, which will display its built-in version of an ‘unauthorized access’ page.

<bean id="exceptionTranslationFilter"
      class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <ref bean="formLoginAuthenticationEntryPoint" />
  </property>
</bean>

The filter leaves all the hard work to its collaborators: FilterSecurityInterceptor (to which it is linked through the filter chain) and the authenticationEntryPoint.

3.4 FilterSecurityInterceptor - definitions of the secured resources

<bean id="filterSecurityInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref bean="accessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /secure/admin/*=ROLE_ADMIN
      /secure/app/*=ROLE_USER
    </value>
  </property>
</bean>

There are two bean references here, “authenticationManager” and “accessDecisionManager”, and a property “objectDefinitionSource”.

In Acegi security, “secured resources” are called “object definitions”.

  • CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON converts the request URL to lowercase before it is compared with the patterns;

  • PATTERN_TYPE_APACHE_ANT makes it easier to define the URL patterns to be secured (there is also a different notation style, which looks more like regular expressions and less like the standard J2EE notation, so I will not go into that here, mainly because I do not really understand that notation myself ;-) ).

AccessDecisionManager - authorization

<bean id="accessDecisionManager"
      class="org.acegisecurity.vote.UnanimousBased">
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>

<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix">
    <value>ROLE_</value>
  </property>
</bean>
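As an added illustration (not Acegi's own code), the following Python model walks the Four Checks from section 1 over the objectDefinitionSource format shown above, using the RoleVoter (prefix ROLE_) and UnanimousBased semantics configured here. The definitions and the granted roles are constructed samples, and the Ant matcher is a simplified re-implementation of the pattern rules, not Spring's AntPathMatcher.

```python
import re
# Constructed sample in the page's objectDefinitionSource format (not Acegi code).
OBJECT_DEFINITIONS = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/admin/*=ROLE_ADMIN
/secure/app/*=ROLE_USER
"""

def ant_to_regex(pattern):
    # Ant-style path pattern: '**' crosses '/', '*' stays inside one segment, '?' is one char.
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_definitions(text):
    # Returns (lowercase_flag, [(compiled_pattern, [attributes]), ...]) in declaration order.
    lowercase, rules = False, []
    for line in (l.strip() for l in text.strip().splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line and line != "PATTERN_TYPE_APACHE_ANT":
            path, attrs = line.split("=", 1)
            rules.append((ant_to_regex(path), [a.strip() for a in attrs.split(",")]))
    return lowercase, rules

def role_voter(granted_roles, attribute, prefix="ROLE_"):
    # RoleVoter: abstains on attributes without the prefix, otherwise votes on membership.
    if not attribute.startswith(prefix):
        return "ABSTAIN"
    return "GRANT" if attribute in granted_roles else "DENY"

def decide(url, granted_roles, definitions):
    # Walks the Four Checks for one request; granted_roles is None for an anonymous user.
    lowercase, rules = definitions
    path = url.lower() if lowercase else url   # patterns are expected in lowercase
    for regex, attributes in rules:            # check 1: first matching pattern wins
        if regex.match(path):
            if granted_roles is None:
                return "LOGIN"                 # check 2: no Authentication -> entry point
            # check 4, UnanimousBased: every attribute is polled; one DENY (or all ABSTAIN) -> 403
            ok = all(role_voter(granted_roles, a) == "GRANT" for a in attributes)
            return "SERVE" if ok else "FORBIDDEN"
    return "SERVE"                             # unsecured resource: served as-is
```

Note that with Ant patterns `/secure/admin/*` covers only one path segment, so a nested URL such as /secure/admin/sub/page is not secured by that rule; `/secure/admin/**` is needed to cover the whole subtree.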

AuthenticationEntryPoint

<bean id="formLoginAuthenticationEntryPoint"
      class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl">
    <value>/login.jsp</value>
  </property>
  <property name="forceHttps">
    <value>false</value>
  </property>
</bean>