Spring : Acegi security in a web application
This page last changed on Oct 06, 2007 by Kees de Kooter
Under construction
This page is a work in progress.
- Using the user inside a business object: "We generally recommend SecurityContextHolder.getContext().getAuthentication() because you can call this code from anywhere (ie web view, web controller, services layer, persistence layer, AOP etc)." - Ben Alex
- Unit testing in this setup:
AuthenticationProvider provider = (AuthenticationProvider) ctx.getBean("authenticationProvider");
Authentication auth = provider.authenticate(new UsernamePasswordAuthenticationToken(username, password));
SecurityContextHolder.getContext().setAuthentication(auth);
- Digest authentication
http://acegisecurity.org/docbook/acegi.html#security-ui-http-digest
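The two notes above (reading the caller from SecurityContextHolder in a business object, and populating the context in a unit test) combined into one worked example. This is added code, not from the original page or from Acegi itself. It assumes Acegi 1.0.x package names, a bean named daoAuthenticationProvider as declared in the configuration further down this page, a Spring context file called applicationContext-security-test.xml (placeholder name) and a test user "alice" holding ROLE_TELLER (constructed). The business method checks the role itself and fails closed when no Authentication is present, which is what you want when the code is reached from somewhere other than a secured URL. The tearDown() clears the thread-local context so one test cannot leak its user into the next; in a real request the context is populated by Acegi's HttpSessionContextIntegrationFilter, which this page's filter chain does not yet include.

```java
// Added example (not the page's or Acegi's own code). Assumptions: Acegi 1.0.x
// packages, a "daoAuthenticationProvider" bean as on this page, a placeholder
// context file name, and a constructed test user "alice" with ROLE_TELLER.
package example;

import junit.framework.TestCase;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.BadCredentialsException;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.AuthenticationProvider;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;

/** Business object: no servlet API needed, so it works from any layer. */
public class TransferService {

    /** Username of the caller, or null when nobody is authenticated. */
    public String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return null;
        }
        return auth.getName();
    }

    /** Business method guarded by an explicit role check; denies when no context is set. */
    public void transfer(long amountCents) {
        if (!hasRole("ROLE_TELLER") && !hasRole("ROLE_SUPERVISOR")) {
            throw new AccessDeniedException("transfer requires ROLE_TELLER or ROLE_SUPERVISOR");
        }
        // ... perform the transfer on behalf of currentUsername() ...
    }

    private boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        GrantedAuthority[] granted = auth.getAuthorities();
        for (int i = 0; granted != null && i < granted.length; i++) {
            if (role.equals(granted[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

class TransferServiceTest extends TestCase {
    private TransferService service = new TransferService();

    protected void tearDown() {
        // The context is thread-local: clear it so tests cannot leak a user into each other.
        SecurityContextHolder.clearContext();
    }

    /** Fast unit test: populate the context directly, no database involved. */
    public void testTellerMayTransfer() {
        Authentication auth = new UsernamePasswordAuthenticationToken("alice", "ignored",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_TELLER") });
        SecurityContextHolder.getContext().setAuthentication(auth);
        assertEquals("alice", service.currentUsername());
        service.transfer(100L); // must not throw
    }

    public void testAnonymousIsDenied() {
        assertNull(service.currentUsername());
        try {
            service.transfer(100L);
            fail("expected AccessDeniedException");
        } catch (AccessDeniedException expected) {
            // fails closed when no Authentication is present
        }
    }

    /** Integration test in this page's setup: authenticate through the real provider and views. */
    public void testAuthenticateThroughProvider() {
        ApplicationContext ctx = new ClassPathXmlApplicationContext("applicationContext-security-test.xml");
        AuthenticationProvider provider = (AuthenticationProvider) ctx.getBean("daoAuthenticationProvider");

        Authentication auth = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct-password"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        assertEquals("alice", service.currentUsername());

        try {
            provider.authenticate(new UsernamePasswordAuthenticationToken("alice", "wrong-password"));
            fail("expected BadCredentialsException");
        } catch (BadCredentialsException expected) {
            // a wrong password is rejected by the provider and never reaches the context
        }
    }
}
```

The first two tests run without a database; the third needs the data source and views from this page and is the one that proves the JdbcDaoImpl queries line up with the views.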
Here is a report of the migration from the standard web.xml security to Acegi.
I implemented the required users and authorities tables as views on existing tables in my PostgreSQL database. Fortunately all necessary fields were available.
CREATE OR REPLACE VIEW users AS SELECT resource.username, resource."password", 1 AS enabled
FROM resource;
CREATE OR REPLACE VIEW authorities AS SELECT r.username, ro.rolecode AS authority
FROM resource r JOIN resourcerole rr ON rr.resourceid = r.resourceid JOIN "role" ro ON ro.roleid = rr.roleid;
I copied the bean configuration from the Spring book and the Acegi site http://acegisecurity.org/docbook/acegi.html.
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider"/>
</list>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="acegiJdbcDaoImpl"/>
</bean>
<bean id="acegiJdbcDaoImpl"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>
- In the web.xml I added the following filter:
<filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- To support the filter the following beans are added to the application context:
<!-- SecurityEnforcementFilter is deprecated in Acegi 1.0 in favour of the
     exceptionTranslationFilter + filterSecurityInterceptor pair below;
     the refs point at the beans declared on this page. -->
<bean id="securityEnforcementFilter"
class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
<property name="filterSecurityInterceptor"
ref="filterSecurityInterceptor"/>
<property name="authenticationEntryPoint"
ref="authenticationEntryPoint"/>
</bean>
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
</bean>
<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
<property name="forceHttps"><value>false</value></property>
</bean>
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
</value>
</property>
</bean>