Acegi Security Framework
Each time I looked at Acegi framework I got a headache. There is a lot of configuration. Until now I never had the opportunity to actually use it on a project.
I started out building my own security framework: a WebWork interceptor that would check if the user was authenticated and then do the needful. Then I realized that my filter had to block all JSP pages but not the login.jsp. So I made that change, and so on, until it reached a point where I realized this was an absolute waste of my time. So with a fresh set of eyes I went back to Acegi. I was immediately faced with the usual tons of configuration. I resisted the instinct to drop it and plowed on.
It finally worked.
I would like to point you to a few resources that helped me get it working. Of course it goes without saying that you need to visit http://www.acegisecurity.org and check docs there.
- Most important. The Acegi download jar has a basic configuration war file (acegi-security-samples-tutorial-1.0.5.war). I used the Spring configuration in there as my starting point.
- http://www.acegisecurity.org/articles.html
- One recent article on the web http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html.
A few pointers. Do not remove the anonymousProcessingFilter. That's what allows not-yet-logged-in users to get to your login page. Without it all resources, including your login page, become secured. Now that's probably not what you want, I am sure: an application that's so secure no one can get to even the gate.
Also, in the web.xml I prefer explicitly configuring the URL patterns to apply security to. Check out the JavaWorld article for sample mappings. In most cases you do not want to apply the filters to images, JavaScript or CSS files. If you do need that, then by all means map /* to the filter.
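As an added example (not the post's own web.xml), here is what an explicit mapping looks like for Acegi 1.0.x. It assumes the Spring context is loaded by ContextLoaderListener and that the filter chain is a FilterChainProxy bean named filterChainProxy; the `*.action` extension is a WebWork assumption and the other patterns are illustrative. The point to check is that every pattern under which a protected resource can actually be served (JSPs, WebWork actions, the Acegi login and logout URLs) is listed, because anything not mapped here never reaches the security filters at all.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml, not the post's own file. Assumes Acegi 1.0.x. -->
<web-app>

  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/applicationContext-acegi-security.xml</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>

  <!-- Delegates to the FilterChainProxy bean defined in the Spring context. -->
  <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
  </filter>

  <!-- Explicit mappings: only these patterns pass through the security chain.
       Images, JavaScript and CSS are deliberately left out. Every extension that
       serves protected content must appear here, or it is served unprotected. -->
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>*.action</url-pattern>   <!-- WebWork action extension (assumed) -->
  </filter-mapping>
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/j_acegi_security_check</url-pattern>   <!-- login form POST target -->
  </filter-mapping>
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/j_acegi_logout</url-pattern>           <!-- LogoutFilter URL -->
  </filter-mapping>

  <!-- If instead everything should be filtered, replace the four mappings above
       with a single mapping whose url-pattern is /* -->

</web-app>
```

A quick way to validate the choice is to list the servlet mappings and action extensions in the same web.xml and confirm each one is covered by a filter mapping above; the login and logout URLs are easy to forget and without them the form POST to /j_acegi_security_check is never processed.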
Finally, make sure to either reuse or read the details in the login page provided in the Acegi sample war. The login page is configured in the applicationContext-acegi-security.xml as accessible by anonymous (not-logged-in-yet) users.
I am purposely not going into the actual details since between the resources listed above you should be able to get your information.
Finally, here are my configuration files for reference:
Finally, my user.properties contains sample user IDs, passwords and user roles. I am using the in-memory DAO for now; implementing a database DAO will be a later step for me, and that's the easy work.

    admin=admin,ROLE_ADMIN
    testuser=testpassword,ROLE_USER
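To tie the three pointers above together (keeping the anonymousProcessingFilter, opening only the login page to anonymous users, and reading users from user.properties), here is an added example applicationContext-acegi-security.xml fragment. It is not the post's own file; it follows the layout of the Acegi 1.0.x tutorial sample, and the login page name, the `/admin/**` pattern and the key value are assumptions. The beans not shown (httpSessionContextIntegrationFilter, logoutFilter, authenticationProcessingFilter, exceptionTranslationFilter) are the ones from the sample war, used unchanged.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the post's own configuration. Assumes Acegi 1.0.x;
     the beans referenced but not defined here come from the sample war. -->
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
  "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

  <!-- Filter chain order matters: anonymousProcessingFilter must run before
       exceptionTranslationFilter and filterInvocationInterceptor. -->
  <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
    <property name="filterInvocationDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
      </value>
    </property>
  </bean>

  <!-- Gives a request with no logged-in user a placeholder Authentication holding
       ROLE_ANONYMOUS. Drop this from the chain and the interceptor sees no
       Authentication at all, so even login.jsp is refused. -->
  <bean id="anonymousProcessingFilter"
        class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
    <property name="key"><value>changeThisKey</value></property>   <!-- must match the provider's key -->
    <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
  </bean>

  <bean id="anonymousAuthenticationProvider"
        class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
    <property name="key"><value>changeThisKey</value></property>
  </bean>

  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>
        <ref local="anonymousAuthenticationProvider"/>
      </list>
    </property>
  </bean>

  <bean id="daoAuthenticationProvider"
        class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService"><ref local="userDetailsService"/></property>
  </bean>

  <!-- In-memory users read from user.properties on the classpath
       (format: username=password,ROLE_A,ROLE_B). -->
  <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userProperties">
      <bean class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <property name="location"><value>classpath:user.properties</value></property>
      </bean>
    </property>
  </bean>

  <!-- URL rules are matched top to bottom, first match wins, so the login page
       (anonymous) and the admin area (ROLE_ADMIN) must come before the /** catch-all.
       Because URLs are lower-cased before comparison, patterns must be lower case. -->
  <bean id="filterInvocationInterceptor"
        class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager"><ref local="authenticationManager"/></property>
    <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
    <property name="objectDefinitionSource">
      <value>
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /login.jsp*=IS_AUTHENTICATED_ANONYMOUSLY
        /admin/**=ROLE_ADMIN
        /**=IS_AUTHENTICATED_FULLY
      </value>
    </property>
  </bean>

  <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions"><value>false</value></property>
    <property name="decisionVoters">
      <list>
        <bean class="org.acegisecurity.vote.RoleVoter"/>
        <bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
      </list>
    </property>
  </bean>

</beans>
```

Two things worth checking when adapting this: the `key` on the anonymous filter and the anonymous provider must be identical or anonymous requests fail authentication, and if the /** line is placed above the login page line the login page becomes unreachable, which is the symptom the post warns about.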
Once the configuration is in place access to the web site will take you to the login page and things should work as expected. After this I was able to use the Acegi jsp taglibs to implement some basic role based authorization. In my case show certain links only if user is of certain roles.
    <authz:authorize ifAnyGranted="ROLE_ADMIN"> some role specific content here </authz:authorize>