Most of this article is a digest from the Acegi User Guide.

CORE

  • SecurityContextHolder, to provide any type of access to the SecurityContext.
  • SecurityContext, to hold the Authentication and possibly request-specific security information.
  • HttpSessionContextIntegrationFilter, to store the SecurityContext in the HttpSession between web requests.
  • Authentication, to represent the principal in an Acegi Security-specific manner.
  • GrantedAuthority, to reflect the application-wide permissions granted to a principal.
  • UserDetails, to provide the necessary information to build an Authentication object from your application’s DAOs.
  • UserDetailsService, to create a UserDetails when passed in a String-based username (or certificate ID or the like).

Last but not least, sometimes you will need to store the SecurityContext between HTTP requests. Other times the principal will re-authenticate on every request, although most of the time it will be stored. The HttpSessionContextIntegrationFilter is responsible for storing a SecurityContext between HTTP requests. As suggested by the name of the class, the HttpSession is used to store this information. You should never interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead.
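As an added illustration (not from the user guide), a helper that uses the core classes above the way they are meant to be used together; the class name CurrentUser and its method names are my own:

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/** Reads the current principal the Acegi way: through SecurityContextHolder,
 *  never from the HttpSession that HttpSessionContextIntegrationFilter uses. */
public final class CurrentUser {

    private CurrentUser() {}

    /** The Authentication for this thread, or null when nothing has been
     *  placed in the context (request not yet through the filter chain). */
    public static Authentication current() {
        return SecurityContextHolder.getContext().getAuthentication();
    }

    /** True only for a real login. The token minted by AnonymousProcessingFilter
     *  counts as authenticated as far as Acegi is concerned, so exclude it. */
    public static boolean isSignedIn() {
        Authentication auth = current();
        return auth != null && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken);
    }

    /** Role check over the GrantedAuthority[] carried by the principal, e.g.
     *  hasRole("ROLE_SUPERVISOR") for the /secure/extreme/** rule in the config. */
    public static boolean hasRole(String role) {
        Authentication auth = current();
        if (auth == null || auth.getAuthorities() == null) {
            return false;
        }
        GrantedAuthority[] granted = auth.getAuthorities();
        for (int i = 0; i < granted.length; i++) {
            if (role.equals(granted[i].getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```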

Configuration

web.xml Configuration

Add the Acegi filter (a FilterToBeanProxy that delegates to the FilterChainProxy bean) and the Spring ContextLoaderListener.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN'
    'http://java.sun.com/dtd/web-app_2_3.dtd'>

<!--
  - Contacts web application
  -
  - web.xml for "filter" artifact only.
  -
  - $Id: web.xml 1513 2006-05-29 13:32:12Z benalex $
  -->

<web-app>

  <display-name>Acegi Security Tutorial Application</display-name>
  <!--
    - Location of the XML file that defines the root application context
    - Applied by ContextLoaderListener.
    -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/applicationContext-acegi-security.xml
    </param-value>
  </context-param>

  <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
  </filter>

  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <!--
    - Loads the root application context of this web app at startup.
    - The application context is then available via
    - WebApplicationContextUtils.getWebApplicationContext(servletContext).
    -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

</web-app>

Application Context Configuration

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">

<!--
  - A simple "bare bones" Acegi Security configuration.
  -
  - The sample includes the "popular" features that people tend to use.
  - Specifically, form authentication, remember-me, and anonymous processing.
  - Other features aren't set up, as these can be added later by inserting
  - the relevant XML fragments as specified in the Reference Guide.
  -
  - To assist new users, the filters specified in the FilterChainProxy are
  - declared in the application context in the same order. Collaborators
  - required by those filters are placed at the end of the file.
  -
  - $Id: applicationContext-acegi-security.xml 1513 2006-05-29 13:32:12Z benalex $
  -->

<beans>

  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <!-- Each pattern and its comma-separated filter list must stay on ONE line;
           the definition source is parsed line by line. -->
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>

  <bean id="httpSessionContextIntegrationFilter"
        class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />

  <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
    <constructor-arg value="/index.jsp" /> <!-- URL redirected to after logout -->
    <constructor-arg>
      <list>
        <ref bean="rememberMeServices" />
        <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
      </list>
    </constructor-arg>
  </bean>

  <bean id="authenticationProcessingFilter"
        class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1" />
    <property name="defaultTargetUrl" value="/" />
    <property name="filterProcessesUrl" value="/j_acegi_security_check" />
    <property name="rememberMeServices" ref="rememberMeServices" />
  </bean>

  <bean id="securityContextHolderAwareRequestFilter"
        class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />

  <bean id="rememberMeProcessingFilter"
        class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="rememberMeServices" ref="rememberMeServices" />
  </bean>

  <bean id="anonymousProcessingFilter"
        class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key" value="changeThis" />
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
  </bean>

  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
      <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="/acegilogin.jsp" />
        <property name="forceHttps" value="false" />
      </bean>
    </property>
    <property name="accessDeniedHandler">
      <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/accessDenied.jsp" />
      </bean>
    </property>
  </bean>

  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager">
      <bean class="org.acegisecurity.vote.AffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
          <list>
            <bean class="org.acegisecurity.vote.RoleVoter" />
            <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
          </list>
        </property>
      </bean>
    </property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /secure/extreme/**=ROLE_SUPERVISOR
        /secure/**=IS_AUTHENTICATED_REMEMBERED
        /**=IS_AUTHENTICATED_ANONYMOUSLY
      </value>
    </property>
  </bean>

  <bean id="rememberMeServices"
        class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="key" value="changeThis" />
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider" />
        <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
          <property name="key" value="changeThis" />
        </bean>
        <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
          <property name="key" value="changeThis" />
        </bean>
      </list>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider"
        class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService" />
    <property name="userCache">
      <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
        <property name="cache">
          <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager">
              <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
            </property>
            <property name="cacheName" value="userCache" />
          </bean>
        </property>
      </bean>
    </property>
  </bean>

  <!-- UserDetailsService is the Acegi Security interface most frequently implemented by end users -->
  <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userProperties">
      <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <property name="location" value="/WEB-INF/users.properties" />
      </bean>
    </property>
  </bean>

  <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
  <bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener" />

</beans>

Be aware of the relationships between all the beans above.

Acegi uses a filter chain pattern, and the filters must run in a specific order, which is defined by the filterInvocationDefinitionSource property of the first bean (filterChainProxy). Note also that the key of anonymousProcessingFilter must match the key of AnonymousAuthenticationProvider, and the key of rememberMeServices must match the key of RememberMeAuthenticationProvider; the sample value changeThis should be replaced with a deployment-specific secret.

For the simplest useful sample, we have to change how the DaoAuthenticationProvider interacts with the UserDetailsService.

daoAuthenticationProvider

<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
  <property name="saltSource"><ref bean="saltSource"/></property>
  <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>

The PasswordEncoder and SaltSource are optional. A PasswordEncoder provides encoding and decoding of passwords presented in the UserDetails object that is returned from the configured UserDetailsService. A SaltSource enables the passwords to be populated with a “salt”, which enhances the security of the passwords in the authentication repository. PasswordEncoder implementations are provided with Acegi Security covering MD5, SHA and cleartext encodings. Two SaltSource implementations are also provided: SystemWideSaltSource which encodes all passwords with the same salt, and ReflectionSaltSource, which inspects a given property of the returned UserDetails object to obtain the salt. Please refer to the JavaDocs for further details on these optional features.
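An added example (not from the user guide) that reproduces in plain Java what DaoAuthenticationProvider does with a ShaPasswordEncoder and a ReflectionSaltSource; the class name SaltedPasswordCheck and the sample account are constructed for illustration:

```java
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.dao.SaltSource;
import org.acegisecurity.providers.dao.salt.ReflectionSaltSource;
import org.acegisecurity.providers.encoding.PasswordEncoder;
import org.acegisecurity.providers.encoding.ShaPasswordEncoder;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;

/** Reproduces the check DaoAuthenticationProvider performs when the optional
 *  passwordEncoder and saltSource are set: the presented password is digested
 *  with the user's salt and compared to the digest held in the UserDetails. */
public class SaltedPasswordCheck {
    private final PasswordEncoder encoder = new ShaPasswordEncoder();
    private final SaltSource saltSource;

    public SaltedPasswordCheck() {
        // Acegi's ReflectionSaltSource invokes a getter on the UserDetails by
        // name; using the username gives every account a distinct salt.
        ReflectionSaltSource rss = new ReflectionSaltSource();
        rss.setUserPropertyToUse("getUsername");
        this.saltSource = rss;
    }

    /** Digest to store in the repository for a new user (never the cleartext). */
    public String hashForStorage(UserDetails user, String rawPassword) {
        return encoder.encodePassword(rawPassword, saltSource.getSalt(user));
    }

    /** The login-time comparison: same salt, same digest, or the login fails. */
    public boolean matches(UserDetails storedUser, String presentedPassword) {
        return encoder.isPasswordValid(storedUser.getPassword(), presentedPassword,
                                       saltSource.getSalt(storedUser));
    }

    public static void main(String[] args) {
        SaltedPasswordCheck check = new SaltedPasswordCheck();
        GrantedAuthority[] roles = { new GrantedAuthorityImpl("ROLE_SUPERVISOR") };
        // Constructed sample account; "unset" is a placeholder because User
        // needs a password argument before the real digest exists.
        UserDetails draft = new User("alice", "unset", true, true, true, true, roles);
        String digest = check.hashForStorage(draft, "correct horse");
        UserDetails stored = new User("alice", digest, true, true, true, true, roles);
        System.out.println("stored digest: " + digest);
        System.out.println("right password accepted: " + check.matches(stored, "correct horse"));
        System.out.println("wrong password accepted: " + check.matches(stored, "wrong"));
    }
}
```

Wiring the same two collaborators as the saltSource and passwordEncoder beans referenced in the daoAuthenticationProvider definition above gives the provider exactly this behaviour.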

The UserDetailsService interface can be implemented to integrate with an ORM tool or any other user store. Its single method is:

public interface UserDetailsService {
    UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException, DataAccessException;
}

Big Diagram