Spring : Acegi security in a web application

This page last changed on Oct 06, 2007 by Kees de Kooter

Under construction

This page is a work in progress.

  • Using the user inside a business object: "We generally recommend SecurityContextHolder.getContext().getAuthentication() because you can call this code from anywhere (ie web view, web controller, services layer, persistence layer, AOP etc)." - Ben Alex
  • Unit testing in this setup (the bean id has to match the provider bean in the context, which in the configuration below is daoAuthenticationProvider; authenticate() throws an AuthenticationException for bad credentials):

    AuthenticationProvider provider = (AuthenticationProvider) ctx.getBean("daoAuthenticationProvider");
    Authentication auth = provider.authenticate(new UsernamePasswordAuthenticationToken(username, password));
    SecurityContextHolder.getContext().setAuthentication(auth);

  • Digest authentication: http://acegisecurity.org/docbook/acegi.html#security-ui-http-digest

Here is a report of the migration from the standard web.xml security to Acegi.

  1. I implemented the required users and authorities tables as views on existing tables in my PostgreSQL database. Fortunately all necessary fields were available.

    CREATE OR REPLACE VIEW users AS
      SELECT resource.username, resource."password", 1 AS enabled
      FROM resource;

    CREATE OR REPLACE VIEW authorities AS
      SELECT r.username, ro.rolecode AS authority
      FROM resource r
      JOIN resourcerole rr ON rr.resourceid = r.resourceid
      JOIN "role" ro ON ro.roleid = rr.roleid;

    Two things to be aware of with these views: enabled is hard-coded to 1, so an account cannot be locked out without deleting it (map a real status column if the existing schema has one), and the password column is handed to DaoAuthenticationProvider exactly as stored, which compares it as plaintext unless a passwordEncoder (and, if needed, a saltSource) is configured on that bean.
  2. I copied the bean configuration from the Spring book and the Acegi site http://acegisecurity.org/docbook/acegi.html. JdbcDaoImpl's default queries read username, password and enabled from a table or view called users, and username and authority from one called authorities, which is why the views above carry exactly those names and columns.

<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider"/>
    </list>
  </property>
</bean>

<bean id="daoAuthenticationProvider" 
    class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="acegiJdbcDaoImpl"/>
</bean>

<bean id="acegiJdbcDaoImpl"
    class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">  
    <property name="dataSource" ref="dataSource"/>        
</bean>
  3. In web.xml I added the following filter. FilterToBeanProxy looks up a bean of the targetClass type in the Spring application context and delegates to it, so this mapping runs only the FilterSecurityInterceptor; the ExceptionTranslationFilter and the login entry point defined in the next step only take part once they are registered in the filter chain as well (Acegi's FilterChainProxy is the usual way to do that):
<filter>
  <filter-name>Acegi HTTP Request Security Filter</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>Acegi HTTP Request Security Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
  4. To support the filter the following beans are added to the application context. The securityEnforcementFilter is the older combined form of ExceptionTranslationFilter plus FilterSecurityInterceptor and is deprecated in Acegi 1.0; it is kept here for reference, with its references corrected to point at beans that actually exist in this context. The accessDecisionManager referenced by the interceptor is not defined on this page; Acegi's AffirmativeBased manager with a RoleVoter is the usual choice for ROLE_ attributes.
<bean id="securityEnforcementFilter"
    class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
    <!-- was filterInvocationInterceptor, a bean that is not defined in this context -->
    <property name="filterSecurityInterceptor"
        ref="filterSecurityInterceptor"/>
    <!-- was authenticationProcessingFilterEntryPoint, likewise undefined here -->
    <property name="authenticationEntryPoint"
        ref="authenticationEntryPoint"/>
</bean>

<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
</bean>

<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
  <property name="forceHttps"><value>false</value></property>
</bean>

<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager"><ref bean="authenticationManager"/></property>
  <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
  <!-- Rules are tried top to bottom and the first match wins, so the more specific
       /secure/super pattern must stay above the general /secure pattern. The
       lowercase directive keeps mixed-case URLs from slipping past the case-sensitive
       patterns; a URL that matches no pattern is treated as public by default. -->
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
      \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
    </value>
  </property>
</bean>
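The order and case handling of those three objectDefinitionSource lines decide who gets into /secure/super, so it is worth checking them outside the container. The following is an added example, not code from this page or from Acegi: a small Python model of the regexp-based objectDefinitionSource, built on the semantics relied on above (rules are tried top to bottom and the first match wins; the directive lowercases the request URL before comparison; a pattern must match the whole URL, as Java's Matcher.matches() does, modelled here with fullmatch; a URL that matches no rule carries no attributes and is passed through as public under the interceptor's default rejectPublicInvocations=false; a comma-separated role list is satisfied by any one role, as AffirmativeBased with a RoleVoter decides). It runs the page's own rules against constructed URLs, then the same rules without the lowercase directive and in the swapped order. The two variant sources, the user roles and the URLs are constructed for the example.

```python
"""Model of the Acegi objectDefinitionSource used on this page (added example).

Assumed semantics, not Acegi code: rules are tried top to bottom and the first
match wins; CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request
URL first; a rule must match the whole URL; an unmatched URL carries no
attributes and is let through as public (rejectPublicInvocations=false); a
comma-separated role list is satisfied by any one granted role.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

LOWERCASE_DIRECTIVE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"

# The objectDefinitionSource text exactly as in the page's FilterSecurityInterceptor bean.
PAGE_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
"""

# Constructed variants for comparison: the same rules without the lowercase
# directive, and the same rules with the general /secure rule first.
NO_LOWERCASE_SOURCE = PAGE_SOURCE.replace(LOWERCASE_DIRECTIVE + "\n", "")
SWAPPED_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
"""


@dataclass
class UrlRule:
    pattern: re.Pattern
    roles: Set[str]


class ObjectDefinitionSource:
    """Parses the directive plus 'regex=ROLE_A,ROLE_B' lines, keeping their order."""

    def __init__(self, text: str) -> None:
        self.lowercase = False
        self.rules: List[UrlRule] = []
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == LOWERCASE_DIRECTIVE:
                self.lowercase = True
                continue
            pattern, sep, roles = line.partition("=")
            if not sep:
                raise ValueError(f"malformed rule: {line!r}")
            self.rules.append(UrlRule(re.compile(pattern), {r.strip() for r in roles.split(",")}))

    def attributes(self, url: str) -> Optional[Set[str]]:
        """Roles required for url, or None when no rule matches (public)."""
        if self.lowercase:
            url = url.lower()
        for rule in self.rules:
            if rule.pattern.fullmatch(url):  # whole-URL match, like Matcher.matches()
                return rule.roles
        return None


def decide(source: ObjectDefinitionSource, url: str, granted: Set[str]) -> str:
    """'public', 'granted' or 'denied' for a user holding the `granted` authorities."""
    required = source.attributes(url)
    if required is None:
        return "public"
    return "granted" if granted & required else "denied"


TELLER = {"ROLE_TELLER"}  # constructed user: holds only ROLE_TELLER


def page_config() -> dict:
    src = ObjectDefinitionSource(PAGE_SOURCE)
    return {
        "teller_secure": decide(src, "/secure/index.do", TELLER),
        "teller_super": decide(src, "/secure/super/admin.do", TELLER),
        "teller_super_mixed_case": decide(src, "/Secure/SUPER/admin.do", TELLER),
        "anonymous_public": decide(src, "/index.do", set()),
    }


def without_lowercase() -> dict:
    src = ObjectDefinitionSource(NO_LOWERCASE_SOURCE)
    return {
        "teller_super": decide(src, "/secure/super/admin.do", TELLER),
        "teller_super_mixed_case": decide(src, "/Secure/SUPER/admin.do", TELLER),
    }


def swapped_order() -> dict:
    src = ObjectDefinitionSource(SWAPPED_SOURCE)
    return {"teller_super": decide(src, "/secure/super/admin.do", TELLER)}


if __name__ == "__main__":
    for name, fn in (("page config", page_config),
                     ("without lowercase directive", without_lowercase),
                     ("swapped rule order", swapped_order)):
        print(name, fn())
```

Running it prints the three result sets. The two variants show the failure modes a reviewer of this configuration should look for: without the directive, /Secure/SUPER/admin.do matches nothing and goes through as public (on a case-insensitive servlet mapping that is a bypass), and with the general /secure rule first a teller is granted /secure/super/admin.do because the ROLE_WE_DONT_HAVE rule is never reached.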