Jonathan Barker wrote:
Actually, there are two problems. In the configuration for tapestry5-acegi
and presumably spring security, there is an AnonymousAuthenticationProvider.
The AnonymousAuthenticationProvider only assures that there is an
Authentication at any time. So don't take it away or all your security
leaks and you have to check for null all the time.
Did you read the Spring/Acegi Security Reference? I've no time right
now but I seem to remember that the order of the filters is crucial. So
take a look at it and be sure to contribute your filter at the right
position.
I think that should be omitted by default, but right now it will fill in the
Authentication object if your regular authentication fails. Either omit it,
or change the test to fail for the AnonymousAuthenticationToken.
-----Original Message-----
From: Ulrich Stärk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 17:14
To: Tapestry users
Subject: Re: tapestry-spring-security and openid
Thanks Jonathan, but this is not the root cause. The Authentication object
stored in the
SecurityContext is an AnonymousAuthenticationToken instead of an
OpenIDAuthenticationToken. That
tells me that somehow the Authentication doesn't get stored...
Uli
Jonathan Barker wrote:
I'm assuming this hasn't changed since tapestry5-acegi. The IfLoggedIn
component uses the following test:
    private boolean test() {
        Principal principal =
            requestGlobals.getHTTPServletRequest().getUserPrincipal();
        return principal != null && principal.getName() != "";
    }
Unfortunately, you really need to have a test based on the
SecurityContext:
    // read the Authentication from the thread-bound SecurityContext
    Authentication currentAuth =
        SecurityContextHolder.getContext().getAuthentication();
    return currentAuth != null;
Either that, or you need to populate the UserPrincipal in the
HttpSession.
Jonathan
-----Original Message-----
From: Ulrich Stärk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 07, 2008 16:38
To: Tapestry users
Subject: tapestry-spring-security and openid
Hi,
I'm trying to authenticate my users against an openid provider. Spring
security provides an
OpenIDAuthenticationProcessingFilter and an
OpenIDAuthenticationProvider
for this purpose. I set up
the filter and the provider and contributed them to the
HttpServletRequestHandler service and the
ProviderManager service. Additionally I've got a UserDetailsService,
that
queries a database for
the user's role (or throws an exception if the user is not allowed to
log
in).
Logging in works fine and I get redirected to ${spring-
security.target.url} afterwards and not to
the ${spring-security.failure.url} which tells me that everything is
working. But when I place the
security/ifloggedin component on a page, the else block gets rendered,
telling me that I'm not
logged in. I also can't access pages secured with the @Secured
annotation.
When I try, I see an
AccessDeniedException and am redirected to the login page.
Here are the relevant parts of my AppModule:
    // Put the OpenID filter into the Tapestry request pipeline, ahead of
    // the form-login filter contributed by tapestry-spring-security.
    public static void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration,
            @InjectService("OpenIDAuthenticationProcessingFilter")
            HttpServletRequestFilter openIDAuthenticationProcessingFilter)
    {
        configuration.add(
            "openIDAuthenticationProcessingFilter",
            openIDAuthenticationProcessingFilter,
            "before:springSecurityAuthenticationProcessingFilter");
    }

    // Build the actual Spring Security filter; the URLs come from the
    // tapestry-spring-security symbols.
    public static OpenIDAuthenticationProcessingFilter
    buildRealOpenIDAuthenticationProcessingFilter(
            @SpringSecurityServices final AuthenticationManager manager,
            @SpringSecurityServices final RememberMeServices
            rememberMeServices,
            @Inject @Value("${spring-security.check.url}") final String
            authUrl,
            @Inject @Value("${spring-security.target.url}") final String
            targetUrl,
            @Inject @Value("${spring-security.failure.url}") final String
            failureUrl) throws Exception
    {
        OpenIDAuthenticationProcessingFilter filter = new
            OpenIDAuthenticationProcessingFilter();
        filter.setAuthenticationManager(manager);
        filter.setAuthenticationFailureUrl(failureUrl);
        filter.setDefaultTargetUrl(targetUrl);
        filter.setFilterProcessesUrl(authUrl);
        filter.setRememberMeServices(rememberMeServices);
        filter.afterPropertiesSet();
        return filter;
    }

    // Wrap the servlet filter so Tapestry can run it as an
    // HttpServletRequestFilter.
    public static HttpServletRequestFilter
    buildOpenIDAuthenticationProcessingFilter(
            final OpenIDAuthenticationProcessingFilter filter)
    {
        return new HttpServletRequestFilterWrapper(filter);
    }

    // The provider that turns a successful OpenID response into an
    // authenticated token, looking up roles via the UserDetailsService.
    public static OpenIDAuthenticationProvider
    buildOpenIDAuthenticationProvider(
            @InjectService("UserDetailsService")
            UserDetailsService userDetailsService) throws Exception
    {
        OpenIDAuthenticationProvider provider = new
            OpenIDAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.afterPropertiesSet();
        return provider;
    }

    // Register the provider with the ProviderManager.
    public static void contributeProviderManager(
            OrderedConfiguration<AuthenticationProvider> configuration,
            @InjectService("OpenIDAuthenticationProvider")
            AuthenticationProvider openIdAuthenticationProvider)
    {
        configuration.add("openIDAuthenticationProvider",
            openIdAuthenticationProvider);
    }

    // Our own UserDetailsService, backed by Hibernate.
    public static UserDetailsService buildUserDetailsService(Logger logger,
            @InjectService("HibernateSessionManager")
            HibernateSessionManager sessionManager)
    {
        return new UserDetailsServiceImpl(sessionManager, logger);
    }
Thanks for any help.
Uli
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
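As an added example (not code from the thread or from tapestry-spring-security), here is a logged-in check of the kind Jonathan describes: it reads the Authentication from the SecurityContext instead of HttpServletRequest.getUserPrincipal(), and it fails for an AnonymousAuthenticationToken, which the AnonymousAuthenticationProvider leaves in the context when no real login happened. Package names assume Spring Security 2.0.x (the version current when this thread was written); the class name LoggedInCheck and the sample tokens in main are constructed for the example.

```java
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousAuthenticationToken;

// Hypothetical helper; the IfLoggedIn component's test() would delegate to it.
public final class LoggedInCheck {

    private LoggedInCheck() {}

    // Pure function so it can be unit-tested without a servlet container.
    public static boolean isLoggedIn(Authentication auth) {
        if (auth == null) {
            // No Authentication at all (e.g. anonymous processing disabled).
            return false;
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            // Placed in the context by the anonymous provider; not a real login.
            return false;
        }
        // A provider that accepted the credentials sets this flag.
        return auth.isAuthenticated();
    }

    // What a component would actually call at render time.
    public static boolean isLoggedIn() {
        return isLoggedIn(SecurityContextHolder.getContext().getAuthentication());
    }

    public static void main(String[] args) {
        GrantedAuthority[] anonRole = { new GrantedAuthorityImpl("ROLE_ANONYMOUS") };
        GrantedAuthority[] userRole = { new GrantedAuthorityImpl("ROLE_USER") };

        // Constructed sample tokens: the anonymous one must count as logged out,
        // the fully authenticated one as logged in.
        Authentication anonymous =
            new AnonymousAuthenticationToken("key", "anonymousUser", anonRole);
        Authentication user =
            new UsernamePasswordAuthenticationToken("uli", null, userRole);

        System.out.println("null      -> " + isLoggedIn(null));       // false
        System.out.println("anonymous -> " + isLoggedIn(anonymous));  // false
        System.out.println("user      -> " + isLoggedIn(user));       // true
    }
}
```

The same test works unchanged for an OpenIDAuthenticationToken, since the OpenIDAuthenticationProvider returns it with isAuthenticated() set; if the token in the context is still the anonymous one after the redirect to the target URL, the problem is upstream (filter order or the context not being saved), not in the component test.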