Acegi enabled Spring MVC application, problem checking if user is logged in

I'm using Acegi (version 1.0) and would like to check whether the user is logged in.

The problem is that when anonymousAuthenticationProvider is in use, the user is always authenticated (isAuthenticated=true).
It is possible to check which role the user has, but is that really a secure way to decide?

What I would like to have is an interface, available in all my controllers,
with the following boolean methods:

isLoggedIn(), isAuthenticated(), isAuthorized().

Another solution is to retrieve the username from getPrincipal() and then try to fetch the user from the
database and catch the exception. This would generate a lot of DB traffic, which is also not a good idea.

Does anybody have any good ideas how to do this?

I've attached code snippets of applicationContext.xml and web.xml below, which contain my Acegi configuration.

applicationContext.xml
 
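<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://www.springframework.org/schema/aop 
        http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">

	<!-- START ACEGI CONFIGURATION -->

	<!--
	Servlet filter chain applied to every request that reaches the Acegi
	FilterToBeanProxy. web.xml maps that proxy to /go/* only, so in practice
	the /** pattern below covers /go/** and nothing else: /login.jsp,
	index.jsp and any other URL outside /go/ never pass through Acegi.
	Filter order is significant: the session integration filter must come
	first (it loads and later stores the SecurityContext), and the anonymous
	filter must run before the interceptor so that an unauthenticated request
	already carries its ROLE_ANONYMOUS token when the access decision is made.
	-->
	<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=httpSessionContextIntegrationFilter, authenticationProcessingFilter, anonymousProcessingFilter, ExceptionTranslationFilter, filterInvocationInterceptor
			</value>
		</property>
	</bean>

	<!--
	NOTE(review): unsalted MD5. The saltSource block on daoAuthenticationProvider
	is commented out, so the stored value is MD5(password) and equal passwords
	produce equal hashes. Switching encoders or enabling a salt changes the hash
	of every stored password, so it has to go together with a re-hash of the
	existing credentials.
	-->
	<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder" />

	<!-- The first item in the chain: httpSessionContextIntegrationFilter.
	     Loads the SecurityContext from the HTTP session before the request and
	     stores it back afterwards; "context" is the class instantiated when the
	     session does not hold one yet. -->
	<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
		<property name="context">
			<value>org.acegisecurity.context.SecurityContextImpl</value>
		</property>
	</bean>

	<!-- The second item in the chain: authenticationProcessingFilter.
	     Handles the login form POST. filterProcessesUrl lives under /go/ on
	     purpose: that is the only path prefix web.xml routes through this chain,
	     so a login URL outside /go/ would never be processed. -->
	<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
		<property name="authenticationManager"><ref bean="authenticationManager"/></property>
		<!-- Redirect target on a failed login; the query parameter lets login.jsp show an error. -->
		<property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
		<!-- Where to go after a successful login when no protected URL was requested first. -->
		<property name="defaultTargetUrl"><value>/go/main/index</value></property>
		<property name="filterProcessesUrl"><value>/go/main/j_acegi_security_check</value></property>
	</bean>

	<!-- Tries each provider in turn until one supports the Authentication class
	     it is handed: the DAO provider handles the username/password token from
	     the login form, the anonymous provider the token created by
	     anonymousProcessingFilter. -->
	<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
		<property name="providers">
			<list>
				<ref bean="daoAuthenticationProvider"/>
				<ref local="anonymousAuthenticationProvider"/>
			</list>
		</property>
	</bean>

	<!-- Verifies form logins against the users loaded by userDetailsService,
	     comparing the submitted password, run through passwordEncoder, with the
	     stored hash. -->
	<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
		<property name="userDetailsService">
			<ref local="userDetailsService"/>
		</property>
		<property name="passwordEncoder">
			<ref local="passwordEncoder" />
		</property>
		<!-- Disabled salt. If this is ever enabled, the salt value should be kept
		     out of the context file and every stored hash must be regenerated. -->
		<!-- 
		<property name="saltSource">
		<bean class="org.acegisecurity.providers.dao.salt.SystemWideSaltSource">
		<property name="systemWideSalt">
		<value>Hy688Gkih76876HKHkjhk</value>
		</property>
		</bean>
		</property> 
		 -->
	</bean>

	<!-- Accepts the AnonymousAuthenticationToken created by anonymousProcessingFilter.
	     "key" must be the same literal as on that filter: the provider only
	     accepts tokens whose key hash matches, which is what stops any other
	     code path from manufacturing an anonymous token. -->
	<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
		<property name="key"><value>foobar</value></property>
	</bean>

	<!-- The third item in the chain: anonymousProcessingFilter.
	     Gives every request that has no Authentication yet a token for the
	     principal "anonymousUser" with ROLE_ANONYMOUS. That token reports
	     isAuthenticated() == true, which is why isAuthenticated() alone cannot
	     tell a logged-in user from a visitor. Test the token type instead:
	     org.acegisecurity.AuthenticationTrustResolverImpl.isAnonymous(auth)
	     (or auth instanceof AnonymousAuthenticationToken); no database access
	     is needed. Checking for ROLE_USER is equally sound here, since
	     authorities can only be assigned by this filter or by
	     daoAuthenticationProvider. -->
	<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
		<property name="key">
			<value>foobar</value>
		</property>
		<property name="userAttribute">
			<value>anonymousUser,ROLE_ANONYMOUS</value>
		</property>
	</bean>

	<!-- The fourth item in the chain: ExceptionTranslationFilter.
	     Catches AuthenticationException and AccessDeniedException thrown by the
	     interceptor. An access denial for an anonymous token is sent to the
	     entry point (the login form) rather than answered with 403. -->
	<bean id="ExceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
	</bean>

	<!-- URL authorisation. CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is added
	     to match filterChainProxy above: without it the Ant patterns are
	     case-sensitive, so a request for /go/Application/Admin matches no rule
	     and is not voted on at all; whether it then reaches the admin controller
	     depends on the handler mapping's case handling, so comparing the same way
	     the chain proxy does is the safer choice. The patterns below are already
	     lower-case, so nothing changes for well-formed requests.
	     Two things to be aware of:
	       * /login.jsp is outside /go/*, so the first rule is never consulted
	         (see the filter-mapping in web.xml).
	       * There is no trailing /** catch-all, so any /go/** URL not listed
	         here, including /go/main/index, is served to ROLE_ANONYMOUS.
	         Presumably intended; otherwise end the list with a /**=ROLE_USER
	         rule (rules are matched top to bottom, first hit wins). -->
	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager"><ref bean="authenticationManager"/></property>
		<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.jsp*=ROLE_ANONYMOUS,ROLE_USER,ROLE_ADMIN
				/go/application/forside*=ROLE_USER
				/go/application/admin*=ROLE_ADMIN
			</value>
		</property>
	</bean>

	<!-- authenticationManager defined above -->
	<!-- Grants access as soon as one voter says yes. With allowIfAllAbstainDecisions
	     set to false, a URL whose attributes no voter understands is denied rather
	     than silently allowed (RoleVoter abstains on anything not prefixed ROLE_). -->
	<bean id="httpRequestAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions"><value>false</value></property>
		<property name="decisionVoters">
			<list>
				<ref bean="roleVoter"/>
			</list>
		</property>
	</bean>

	<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

	<!-- Where ExceptionTranslationFilter sends a request that needs a login.
	     forceHttps=false keeps the redirect on the scheme of the incoming
	     request, so unless the container enforces TLS the form on /login.jsp is
	     submitted, password included, over plain HTTP. -->
	<bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
		<property name="loginFormUrl"><value>/login.jsp</value></property>
		<property name="forceHttps"><value>false</value></property>
	</bean>

	<!-- Authentication using JDBC Dao. Uses JdbcDaoImpl's built-in queries
	     against the default users/authorities tables unless usersByUsernameQuery
	     and authoritiesByUsernameQuery are set. "dataSource" is not defined in
	     this file; presumably it comes from applicationContext-jpa.xml, the other
	     file listed in web.xml's contextConfigLocation. -->
	<bean id="userDetailsService" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
		<property name="dataSource">
			<ref bean="dataSource"/>
		</property>
	</bean>
	<!-- END ACEGI CONFIGURATION -->

	<!-- This bean automatically receives AuthenticationEvent messages from DaoAuthenticationProvider
	     and writes them to the log, giving an audit trail of successful and failed
	     logins without any extra code. -->
	<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"/>

</beans>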
 
 
web.xml
 
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<display-name>springjpa</display-name>
 
	<!-- Root application context loaded by ContextLoaderListener below. Spring
	     splits this value on whitespace and commas, so one file per line is
	     fine. applicationContext.xml holds the Acegi beans (filterChainProxy
	     etc.); applicationContext-jpa.xml presumably supplies the dataSource
	     bean they reference. -->
	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
		  /WEB-INF/applicationContext.xml 
		  /WEB-INF/applicationContext-jpa.xml</param-value>
	</context-param>
	
	<!-- Read by Log4jConfigListener. NOTE(review): both the name and the value
	     are wrapped in newlines and tabs; that whitespace is part of the text the
	     container hands to Spring, so confirm the listener trims it (or keep the
	     values on the same line as the tags, as for contextConfigLocation). -->
	<context-param>
		<param-name>
			log4jConfigLocation
		</param-name>
		<param-value>
			/WEB-INF/log4j.properties
		</param-value>
   </context-param>
	
	<!-- Single servlet filter for Acegi: FilterToBeanProxy looks up the bean of
	     the given targetClass (filterChainProxy in applicationContext.xml) in the
	     root context and delegates every call to it, so the actual filter chain
	     is configured in Spring rather than here. -->
	<filter>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
   </filter>
	
	<!-- Only /go/* is protected. This is the same pattern the DispatcherServlet
	     is mapped to below, so every MVC request goes through Acegi, but
	     /login.jsp, index.jsp and anything else served outside /go/ never does;
	     the /login.jsp* rule in applicationContext.xml therefore never applies. -->
	<filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>/go/*</url-pattern>
    </filter-mapping>
    
    <!-- Listeners are invoked in declaration order: log4j is configured first so
         that the context start-up itself is logged. -->
    <listener>
		<listener-class>
			org.springframework.web.util.Log4jConfigListener
		</listener-class>
    </listener>
    
	<listener>
		<listener-class>
			org.springframework.web.context.ContextLoaderListener
		</listener-class>
	</listener>
	
	<!-- Publishes HttpSessionCreatedEvent / HttpSessionDestroyedEvent into the
	     root context. Nothing in applicationContext.xml appears to consume them
	     (no concurrent-session controller or session registry is configured), so
	     this listener is presumably inert at the moment; harmless either way. -->
    <listener>
        <listener-class>
        	org.acegisecurity.ui.session.HttpSessionEventPublisher
        </listener-class>
    </listener>
 
	<!-- Spring MVC front controller; by convention it loads
	     /WEB-INF/dispatch-servlet.xml (servlet-name plus "-servlet.xml").
	     Started eagerly so configuration errors surface at deploy time rather
	     than on the first request. -->
	<servlet>
		<servlet-name>dispatch</servlet-name>
		<servlet-class>
			org.springframework.web.servlet.DispatcherServlet
		</servlet-class>
		<load-on-startup>1</load-on-startup>
	</servlet>
	
	<servlet-mapping>
		<servlet-name>dispatch</servlet-name>
		<url-pattern>/go/*</url-pattern>
	</servlet-mapping>
	
	
		
	<!-- index.jsp sits outside /go/*, so it is served without the Acegi chain. -->
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	
		
</web-app>


