Most of this article is digested from the Acegi Security User Guide.
CORE
- SecurityContextHolder, to provide any type access to the SecurityContext.
- SecurityContext, to hold the Authentication and possibly request- specific security information.
- HttpSessionContextIntegrationFilter, to store the SecurityContext in the HttpSession between web requests.
- Authentication, to represent the principal in an Acegi Security-specific manner.
- GrantedAuthority, to reflect the application-wide permissions granted to a principal.
- UserDetails, to provide the necessary information to build an Authentication object from your application’s DAOs.
- UserDetailsService, to create a UserDetails when passed in a String-based username (or certificate ID or alike).
Last but not least, sometimes you will need to store the SecurityContext between HTTP requests. Other times the principal will re-authenticate on every request, although most of the time it will be stored. The HttpSessionContextIntegrationFilter is responsible for storing a SecurityContext between HTTP requests. As suggested by the name of the class, the HttpSession is used to store this information. You should never interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead.
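As an added example (not from the Acegi guide or the original post), a servlet filter that reads the current principal the way this section requires, through SecurityContextHolder rather than the HttpSession; the class name RequestAuditFilter and the bean id it would be given are assumptions. To use it, declare it as a bean and append its id to the /** entry of filterChainProxy after anonymousProcessingFilter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/**
 * Audit filter recording who makes each request. It reads the principal from
 * SecurityContextHolder only, never from the HttpSession: by the time it runs,
 * HttpSessionContextIntegrationFilter has restored the SecurityContext for this
 * thread. It therefore belongs after httpSessionContextIntegrationFilter (and
 * after anonymousProcessingFilter, so unauthenticated callers appear as the
 * anonymous principal rather than null) in filterInvocationDefinitionSource.
 */
public class RequestAuditFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String uri = ((HttpServletRequest) request).getRequestURI();
        System.out.println("audit: " + describe(auth) + " -> " + uri);
        chain.doFilter(request, response);
    }

    /** Audit label: "anonymous", or "name [ROLE_A,ROLE_B]" for a real principal. */
    static String describe(Authentication auth) {
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return "anonymous";
        }
        StringBuffer sb = new StringBuffer(auth.getName()).append(" [");
        GrantedAuthority[] granted = auth.getAuthorities();
        for (int i = 0; i < granted.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(granted[i].getAuthority());
        }
        return sb.append(']').toString();
    }
}
```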
Configuration
web.xml Configuration
Add the Acegi filter (a FilterToBeanProxy that delegates to the FilterChainProxy bean) and the Spring context listener:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN'
    'http://java.sun.com/dtd/web-app_2_3.dtd'>

<!--
  - Contacts web application
  -
  - web.xml for "filter" artifact only.
  -
  - $Id: web.xml 1513 2006-05-29 13:32:12Z benalex $
  -->

<web-app>

    <display-name>Acegi Security Tutorial Application</display-name>
    <!--
      - Location of the XML file that defines the root application context
      - Applied by ContextLoaderListener.
      -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/applicationContext-acegi-security.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
        <init-param>
            <param-name>targetClass</param-name>
            <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>Acegi Filter Chain Proxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!--
      - Loads the root application context of this web app at startup.
      - The application context is then available via
      - WebApplicationContextUtils.getWebApplicationContext(servletContext).
      -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

</web-app>
applicationContext Configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">

<!--
  - A simple "bare bones" Acegi Security configuration.
  -
  - The sample includes the "popular" features that people tend to use.
  - Specifically, form authentication, remember-me, and anonymous processing.
  - Other features aren't set up, as these can be added later by inserting
  - the relevant XML fragments as specified in the Reference Guide.
  -
  - To assist new users, the filters specified in the FilterChainProxy are
  - declared in the application context in the same order. Collaborators
  - required by those filters are placed at the end of the file.
  -
  - $Id: applicationContext-acegi-security.xml 1513 2006-05-29 13:32:12Z benalex $
  -->

<beans>

    <!-- The filter list for a pattern must stay on one line: the definition
         source is parsed line by line as pattern=filter,filter,... -->
    <bean id="filterChainProxy"
          class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
            </value>
        </property>
    </bean>

    <bean id="httpSessionContextIntegrationFilter"
          class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />

    <bean id="logoutFilter"
          class="org.acegisecurity.ui.logout.LogoutFilter">
        <constructor-arg value="/index.jsp" />
        <!-- URL redirected to after logout -->
        <constructor-arg>
            <list>
                <ref bean="rememberMeServices" />
                <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
    </bean>

    <bean id="authenticationProcessingFilter"
          class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1" />
        <property name="defaultTargetUrl" value="/" />
        <property name="filterProcessesUrl" value="/j_acegi_security_check" />
        <property name="rememberMeServices" ref="rememberMeServices" />
    </bean>

    <bean id="securityContextHolderAwareRequestFilter"
          class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" />

    <bean id="rememberMeProcessingFilter"
          class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="rememberMeServices" />
    </bean>

    <bean id="anonymousProcessingFilter"
          class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
        <property name="key" value="changeThis" />
        <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
    </bean>

    <bean id="exceptionTranslationFilter"
          class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint">
            <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/acegilogin.jsp" />
                <property name="forceHttps" value="false" />
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/accessDenied.jsp" />
            </bean>
        </property>
    </bean>

    <bean id="filterInvocationInterceptor"
          class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager">
            <bean class="org.acegisecurity.vote.AffirmativeBased">
                <property name="allowIfAllAbstainDecisions" value="false" />
                <property name="decisionVoters">
                    <list>
                        <bean class="org.acegisecurity.vote.RoleVoter" />
                        <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
                    </list>
                </property>
            </bean>
        </property>
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /secure/extreme/**=ROLE_SUPERVISOR
                /secure/**=IS_AUTHENTICATED_REMEMBERED
                /**=IS_AUTHENTICATED_ANONYMOUSLY
            </value>
        </property>
    </bean>

    <bean id="rememberMeServices"
          class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="key" value="changeThis" />
    </bean>

    <bean id="authenticationManager"
          class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider" />
                <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
                    <property name="key" value="changeThis" />
                </bean>
                <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
                    <property name="key" value="changeThis" />
                </bean>
            </list>
        </property>
    </bean>

    <bean id="daoAuthenticationProvider"
          class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="userCache">
            <bean class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
                <property name="cache">
                    <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean">
                        <property name="cacheManager">
                            <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
                        </property>
                        <property name="cacheName" value="userCache" />
                    </bean>
                </property>
            </bean>
        </property>
    </bean>

    <!-- UserDetailsService is the Acegi Security interface most frequently implemented by end users -->
    <bean id="userDetailsService"
          class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userProperties">
            <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
                <property name="location" value="/WEB-INF/users.properties" />
            </bean>
        </property>
    </bean>

    <!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
    <bean id="loggerListener"
          class="org.acegisecurity.event.authentication.LoggerListener" />

</beans>
Be aware of the relationships between all the beans above.
Acegi uses a filter chain pattern, and some filters must run in a specific order, which is defined by the filterInvocationDefinitionSource property of the first bean (filterChainProxy).
For the simplest useful sample, we have to change the interaction with the UserDetailsService.
daoAuthenticationProvider
<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
    <property name="saltSource"><ref bean="saltSource"/></property>
    <property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
</bean>
The PasswordEncoder and SaltSource are optional. A PasswordEncoder
provides encoding and decoding of passwords presented in the
UserDetails object that is returned from the configured
UserDetailsService. A SaltSource enables the passwords to be populated
with a “salt”, which enhances the security of the passwords in the
authentication repository. PasswordEncoder implementations are provided
with Acegi Security covering MD5, SHA and cleartext encodings. Two
SaltSource implementations are also provided: SystemWideSaltSource
which encodes all passwords with the same salt, and
ReflectionSaltSource, which inspects a given property of the returned
UserDetails object to obtain the salt. Please refer to the JavaDocs for
further details on these optional features.
The UserDetailsService interface can be implemented to integrate with an ORM tool or any other account store; it has a single method:
public UserDetails loadUserByUsername(String username)
    throws UsernameNotFoundException, DataAccessException;
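As an added example (not from the Acegi guide or the original post), an implementation of that method over a hypothetical account store, written to pair with the daoAuthenticationProvider bean above when its passwordEncoder is a ShaPasswordEncoder and its saltSource a ReflectionSaltSource with userPropertyToUse set to "username". The class name, the Map standing in for the DAO layer, and the alice/bob accounts are constructed assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.providers.encoding.ShaPasswordEncoder;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;

/**
 * UserDetailsService over a hypothetical account store (a Map stands in for the
 * ORM/DAO layer). Passwords are held as SHA hashes salted with the username, which
 * DaoAuthenticationProvider verifies when wired with a ShaPasswordEncoder and a
 * ReflectionSaltSource whose userPropertyToUse is "username".
 */
public class AccountUserDetailsService implements UserDetailsService {
    private static final ShaPasswordEncoder ENCODER = new ShaPasswordEncoder();
    /** username -> { salted hash, comma-separated roles }; constructed sample data. */
    private final Map accounts = new HashMap();
    public AccountUserDetailsService() {
        addAccount("alice", "alice-secret", "ROLE_SUPERVISOR,ROLE_USER");
        addAccount("bob", "bob-secret", "ROLE_USER");
    }
    /** Store only the salted hash, never the cleartext password. */
    void addAccount(String username, String rawPassword, String roles) {
        accounts.put(username,
            new String[] { ENCODER.encodePassword(rawPassword, username), roles });
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        String[] row = (String[]) accounts.get(username);
        if (row == null) {
            // By default DaoAuthenticationProvider reports this as bad credentials,
            // so callers cannot tell an unknown user from a wrong password.
            throw new UsernameNotFoundException("User " + username + " not found");
        }
        String[] roles = row[1].split(",");
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        return new User(username, row[0], true, true, true, true, authorities);
    }
}
```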
Big Diagram