Error with JDBC Security



zach
09-02-2007, 07:00 PM
I have been testing the JDBC security methods mentioned in these instructions:
http://wiki.pentaho.org/display/PentahoDoc/Changing+to+the+JDBC+Security+DAO

I tried first with MySQL and couldn't get it to work. I then tried with Hypersonic in a couple of different scenarios and couldn't get it to work. The userdb is created, open, and I'm able to connect to it with other tools (Kettle). It looks like the first step of the authentication process is working, but it blows up somewhere. I have attached the server log below. Basically, the error I get on the web page is "Access Denied".

08:58:43,800 WARN [LoggerListener] Authentication event AuthenticationSuccessEvent: suzy; details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: D18388F73B0FBF418D66150059452533
08:58:43,801 WARN [LoggerListener] Authentication event InteractiveAuthenticationSuccessEvent: suzy; details: org.acegisecurity.ui.WebAuthenticationDetails@ffff6a82: RemoteIpAddress: 127.0.0.1; SessionId: D18388F73B0FBF418D66150059452533
08:58:43,849 INFO [RuntimeContext] 0dfb1aa3-59a8-11dc-8858-fb30e0f56f8f:RUNTIME:context-6043534-1188773923821:session-region-list.xaction Output of "response" was present but output handler was null.

I will test this with RC2 when it gets published.

mlowery
09-03-2007, 08:35 PM
Turn on Acegi Security debugging as outlined here (http://wiki.pentaho.org/display/PentahoDoc/Turning+on+Security+Logging). Restart the server. Attempt another login. You should see output in the log showing suzy's roles. What are those roles? For the URL that is returning "access denied" look in the applicationContext-acegi-security.xml to see what roles are allowed to access that particular URL.

zach
09-04-2007, 05:47 PM
Thanks Matt,

I have turned on security logging. It is very helpful... but I am getting the same error on the front-end. The system is authenticating the user, but passing them to the "Access Denied" page. The URL that I am trying to access is the "home.jsp", and Suzy has access when using the memory version of security (I have also tried with Joe and get the same results).

The roles that suzy has are: "cto, is, Authenticated". I am using the default applicationContext-acegi-security.xml.

I guess I am trying to figure out how I can help to continue to debug and maybe fix. It seems when we are using JDBC security, some connection is missing after the user gets authenticated. I have been through the documentation, but I don't know where to go from here.

Zach

Here is the stack trace:

07:33:42,153 DEBUG [PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/j_acegi_security_check'; to: '/j_acegi_security_check'
07:33:42,154 DEBUG [PathBasedFilterInvocationDefinitionMap] Candidate is: '/j_acegi_security_check'; pattern is /**; matched=true
07:33:42,154 DEBUG [FilterChainProxy] /j_acegi_security_check at position 1 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter@483a3'
07:33:42,155 DEBUG [SavedRequestAwareWrapper] Wrapper not replaced; SavedRequest was: null
07:33:42,155 DEBUG [FilterChainProxy] /j_acegi_security_check at position 2 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@aba4bb'
07:33:42,155 DEBUG [HttpSessionContextIntegrationFilter] HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new SecurityContext instance associated with SecurityContextHolder
07:33:42,156 DEBUG [FilterChainProxy] /j_acegi_security_check at position 3 of 13 in additional filter chain; firing Filter: 'com.pentaho.security.HttpSessionReuseDetectionFilter@8d1ce2'
07:33:42,156 DEBUG [HttpSessionReuseDetectionFilter] Request is to process authentication
07:33:42,156 DEBUG [FilterChainProxy] /j_acegi_security_check at position 4 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@61f48b'
07:33:42,156 DEBUG [FilterChainProxy] /j_acegi_security_check at position 5 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.webapp.AuthenticationProcessingFilter@fdf3b9'
07:33:42,156 DEBUG [AuthenticationProcessingFilter] Request is to process authentication
07:33:42,157 DEBUG [ProviderManager] Authentication attempt using org.acegisecurity.providers.dao.DaoAuthenticationProvider
07:33:42,157 DEBUG [EhCacheBasedUserCache] Cache hit: false; username: suzy
07:33:42,164 DEBUG [EhCacheBasedUserCache] Cache put: suzy
07:33:42,164 WARN [LoggerListener] Authentication event AuthenticationSuccessEvent: suzy; details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7
07:33:42,164 DEBUG [AuthenticationProcessingFilter] Authentication success: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated
07:33:42,170 DEBUG [AuthenticationProcessingFilter] Updated SecurityContextHolder to contain the following Authentication: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated'
07:33:42,170 DEBUG [AuthenticationProcessingFilter] Redirecting to target URL from HTTP Session (or default): /Home
07:33:42,170 DEBUG [TokenBasedRememberMeServices] Did not send remember-me cookie (principal did not set parameter '_acegi_security_remember_me')
07:33:42,171 WARN [LoggerListener] Authentication event InteractiveAuthenticationSuccessEvent: suzy; details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7
07:33:42,172 DEBUG [HttpSessionContextIntegrationFilter] SecurityContext stored to HttpSession: 'org.acegisecurity.context.SecurityContextImpl@b2612968: Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated'
07:33:42,172 DEBUG [HttpSessionContextIntegrationFilter] SecurityContextHolder set to new context, as request processing completed
07:33:42,179 DEBUG [PathBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/home'; to: '/home'
07:33:42,180 DEBUG [PathBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is /**; matched=true
07:33:42,181 DEBUG [FilterChainProxy] /Home at position 1 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter@483a3'
07:33:42,181 DEBUG [SavedRequestAwareWrapper] Wrapper not replaced; SavedRequest was: null
07:33:42,182 DEBUG [FilterChainProxy] /Home at position 2 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.context.HttpSessionContextIntegrationFilter@aba4bb'
07:33:42,182 DEBUG [HttpSessionContextIntegrationFilter] Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: 'org.acegisecurity.context.SecurityContextImpl@b2612968: Authentication: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated'
07:33:42,184 DEBUG [FilterChainProxy] /Home at position 3 of 13 in additional filter chain; firing Filter: 'com.pentaho.security.HttpSessionReuseDetectionFilter@8d1ce2'
07:33:42,184 DEBUG [FilterChainProxy] /Home at position 4 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.logout.LogoutFilter@61f48b'
07:33:42,184 DEBUG [FilterChainProxy] /Home at position 5 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.webapp.AuthenticationProcessingFilter@fdf3b9'
07:33:42,184 DEBUG [FilterChainProxy] /Home at position 6 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.basicauth.BasicProcessingFilter@8c0dc2'
07:33:42,185 DEBUG [BasicProcessingFilter] Authorization header: null
07:33:42,185 DEBUG [FilterChainProxy] /Home at position 7 of 13 in additional filter chain; firing Filter: 'com.pentaho.security.RequestParameterAuthenticationFilter@db66eb'
07:33:42,185 DEBUG [RequestParameterAuthenticationFilter] Authorization userid: null
07:33:42,186 DEBUG [FilterChainProxy] /Home at position 8 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.rememberme.RememberMeProcessingFilter@865e2b'
07:33:42,186 DEBUG [RememberMeProcessingFilter] SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated'
07:33:42,187 DEBUG [FilterChainProxy] /Home at position 9 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.providers.anonymous.AnonymousProcessingFilter@906624'
07:33:42,188 DEBUG [AnonymousProcessingFilter] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated'
07:33:42,188 DEBUG [FilterChainProxy] /Home at position 10 of 13 in additional filter chain; firing Filter: 'com.pentaho.security.SecurityStartupFilter@311da5'
07:33:42,226 DEBUG [FilterChainProxy] /Home at position 11 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter@917427'
07:33:42,227 DEBUG [FilterChainProxy] /Home at position 12 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.ui.ExceptionTranslationFilter@60dae5'
07:33:42,245 DEBUG [FilterChainProxy] /Home at position 13 of 13 in additional filter chain; firing Filter: 'org.acegisecurity.intercept.web.FilterSecurityInterceptor@c2f21e'
07:33:42,246 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Converted URL to lowercase, from: '/home'; to: '/home'
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/login.*\Z; matched=false
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/j_acegi_security_check.*\Z; matched=false
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/getmondrianmodel.*\Z; matched=false
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/getimage.*\Z; matched=false
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/getresource.*\Z; matched=false
07:33:42,248 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/admin.*\Z; matched=false
07:33:42,249 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/auditreport.*\Z; matched=false
07:33:42,249 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/auditreportlist.*\Z; matched=false
07:33:42,249 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/versioncontrol.*\Z; matched=false
07:33:42,249 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/propertieseditor.*\Z; matched=false
07:33:42,250 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/propertiespanel.*\Z; matched=false
07:33:42,250 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/subscriptionadmin.*\Z; matched=false
07:33:42,251 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/resetrepository.*\Z; matched=false
07:33:42,251 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/viewaction.*solution.admin.*\Z; matched=false
07:33:42,252 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/scheduleradmin.*\Z; matched=false
07:33:42,252 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/publish.*\Z; matched=false
07:33:42,252 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/logout.*\Z; matched=false
07:33:42,252 DEBUG [RegExpBasedFilterInvocationDefinitionMap] Candidate is: '/home'; pattern is \A/.*\Z; matched=true
07:33:42,253 DEBUG [AbstractSecurityInterceptor] Secure object: FilterInvocation: URL: /Home; ConfigAttributes: [ROLE_AUTHENTICATED]
07:33:42,253 DEBUG [AbstractSecurityInterceptor] Previously Authenticated: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@b2612968: Username: org.acegisecurity.userdetails.User@61277800: Username: suzy; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: cto, is, Authenticated; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: F91DF4A379E52F1F6C7185C6A10CF4F7; Granted Authorities: cto, is, Authenticated
07:33:42,254 DEBUG [ExceptionTranslationFilter] Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.acegisecurity.AccessDeniedException: Access is denied
at org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:276)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:104)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUserProcessingFilter.java:335)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at com.pentaho.security.SecurityStartupFilter.doFilter(SecurityStartupFilter.java:71)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at com.pentaho.security.RequestParameterAuthenticationFilter.doFilter(RequestParameterAuthenticationFilter.java:160)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:178)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:108)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at com.pentaho.security.HttpSessionReuseDetectionFilter.doFilter(HttpSessionReuseDetectionFilter.java:142)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:193)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.pentaho.core.system.SystemStatusFilter.doFilter(SystemStatusFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.pentaho.ui.servlet.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:613)
07:33:42,258 DEBUG [HttpSessionContextIntegrationFilter] SecurityContextHolder set to new context, as request processing completed

mlowery
09-05-2007, 10:05 AM
Open applicationContext-acegi-security.xml. Find the bean with id of filterInvocationInterceptor. Find the objectDefinitionSource property. For each line (after CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON), there is an equation. The left hand side is a regular expression specifying URLs to match. The right hand side lists the roles that are allowed to access the matching URL. For all roles except ROLE_ANONYMOUS, remove the ROLE_ prefix and modify the case of the role such that the result looks like this:



<property name="objectDefinitionSource">
  <value>
    <![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.*\Z=ROLE_ANONYMOUS,Authenticated
\A/j_acegi_security_check.*\Z=ROLE_ANONYMOUS,Authenticated
\A/getmondrianmodel.*\Z=ROLE_ANONYMOUS,Authenticated
\A/getimage.*\Z=ROLE_ANONYMOUS,Authenticated
\A/getresource.*\Z=ROLE_ANONYMOUS,Authenticated
\A/admin.*\Z=Admin
\A/auditreport.*\Z=Admin
\A/auditreportlist.*\Z=Admin
\A/versioncontrol.*\Z=Admin
\A/propertieseditor.*\Z=Admin
\A/propertiespanel.*\Z=Admin
\A/subscriptionadmin.*\Z=Admin
\A/resetrepository.*\Z=Admin
\A/viewaction.*solution.admin.*\Z=Admin
\A/scheduleradmin.*\Z=Admin
\A/publish.*\Z=Admin
\A/logout.*\Z=ROLE_ANONYMOUS
\A/.*\Z=Authenticated
    ]]>
  </value>
</property>


I will modify the default settings so that this step is not necessary in the future.

zach
09-08-2007, 01:39 AM
I have attempted this several times and I'm getting new errors. See below:

15:38:27,327 ERROR [ContextLoader] Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'filterInvocationInterceptor' defined in ServletContext resource [/WEB-INF/applicationContext-acegi-security.xml]: Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [Admin, Authenticated]
Caused by:
java.lang.IllegalArgumentException: Unsupported configuration attributes: [Admin, Authenticated]

I have tried this with 1.6 rc1 and 1.6 rc2 and get the same results.

Zach

mlowery
09-10-2007, 09:39 AM
In applicationContext-common-authorization.xml, make roleVoter look like this:



<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
<property name="rolePrefix" value="" />
</bean>


The default rolePrefix is "ROLE_" which means that a roleVoter configured with the default will not "support" any roles that don't begin with "ROLE_". And since Admin and Authenticated don't begin with "ROLE_", you get the exception.

By the way, all of these fixes have been made in the trunk.
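The three states this thread passes through (access denied, startup failure, working login) can be reproduced offline with a small checker. This is an added example, not part of the thread and not Acegi or Pentaho code: it is a simplified model that assumes a single RoleVoter, the function names are hypothetical, and the mappings are constructed and abbreviated from the log lines and configuration quoted above.

```python
import re

# Constructed inputs: the default catch-all rule is taken from the log line
# "ConfigAttributes: [ROLE_AUTHENTICATED]"; the fixed rules are abbreviated
# from the mapping posted in this thread.
DEFAULT_MAPPING = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/logout.*\Z=ROLE_ANONYMOUS
\A/.*\Z=ROLE_AUTHENTICATED
"""
FIXED_MAPPING = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/admin.*\Z=Admin
\A/logout.*\Z=ROLE_ANONYMOUS
\A/.*\Z=Authenticated
"""
SUZY = {"cto", "is", "Authenticated"}  # authorities loaded from the JDBC DAO


def parse_mapping(text):
    """Return (lowercase_flag, [(compiled_regex, [attributes])]) in file order."""
    lower, rules = False, []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lower = True
            continue
        pattern, _, attrs = line.rpartition("=")
        rules.append((re.compile(pattern), [a.strip() for a in attrs.split(",")]))
    return lower, rules


def supports(attr, role_prefix):
    # Model of the voter's "supports" test: attribute must start with the prefix.
    return attr.startswith(role_prefix)


def unsupported_attributes(rules, role_prefix):
    # Model of the init-time validation that produced the IllegalArgumentException.
    return sorted({a for _, attrs in rules for a in attrs
                   if not supports(a, role_prefix)})


def vote(attrs, authorities, role_prefix):
    result = "ABSTAIN"
    for attr in attrs:
        if supports(attr, role_prefix):
            result = "DENIED"
            if attr in authorities:  # exact, case-sensitive comparison
                return "GRANTED"
    return result


def check(mapping_text, role_prefix, url, authorities):
    """Decision for one request, or the startup failure if the config is invalid."""
    lower, rules = parse_mapping(mapping_text)
    bad = unsupported_attributes(rules, role_prefix)
    if bad:
        return "STARTUP_FAILS: unsupported " + str(bad)
    candidate = url.lower() if lower else url
    for regex, attrs in rules:  # first matching pattern wins
        if regex.match(candidate):
            return vote(attrs, authorities, role_prefix)
    return "NO_RULE"


if __name__ == "__main__":
    print(check(DEFAULT_MAPPING, "ROLE_", "/Home", SUZY))
    print(check(FIXED_MAPPING, "ROLE_", "/Home", SUZY))
    print(check(FIXED_MAPPING, "", "/Home", SUZY))
```

Running the same check over the real objectDefinitionSource and the role names actually stored in the user database shows, before a restart, whether every attribute is supported and whether admin-only URLs still deny non-admin users.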

zach
09-11-2007, 06:19 PM
Thanks Matt!

I have validated against both a Hypersonic and MySQL database with the changes you have outlined. I will pull from source and see that the trunk changes work over the next several days!

Zach