Add support for HTTP Basic Authentication.
This commit is contained in:
parent
670d007630
commit
f1abf780b5
|
@ -1,6 +1,8 @@
|
||||||
Changes in version 0.5 (2004-xx-xx)
|
Changes in version 0.5 (2004-xx-xx)
|
||||||
-----------------------------------
|
-----------------------------------
|
||||||
|
|
||||||
|
* Added support for HTTP Basic Authentication
|
||||||
|
* Added Burlap and Hessian remoting to Contacts sample application
|
||||||
* AuthenticationProcessingFilter by default finds configuration context using Spring's WebApplicationContextUtils.getWebApplicationContext()
|
* AuthenticationProcessingFilter by default finds configuration context using Spring's WebApplicationContextUtils.getWebApplicationContext()
|
||||||
* AuthenticationProcessingFilter context may optionally be specified with 'contextConfigLocation' param (was previously 'appContextLocation')
|
* AuthenticationProcessingFilter context may optionally be specified with 'contextConfigLocation' param (was previously 'appContextLocation')
|
||||||
* SecurityEnforcementFilter by default finds configuration context using Spring's WebApplicationContextUtils.getWebApplicationContext()
|
* SecurityEnforcementFilter by default finds configuration context using Spring's WebApplicationContextUtils.getWebApplicationContext()
|
||||||
|
|
|
@ -0,0 +1,249 @@
|
||||||
|
/* Copyright 2004 Acegi Technology Pty Limited
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package net.sf.acegisecurity.ui.basicauth;
|
||||||
|
|
||||||
|
import net.sf.acegisecurity.Authentication;
|
||||||
|
import net.sf.acegisecurity.AuthenticationException;
|
||||||
|
import net.sf.acegisecurity.AuthenticationManager;
|
||||||
|
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
|
||||||
|
import net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter;
|
||||||
|
|
||||||
|
import org.apache.commons.codec.binary.Base64;
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
|
||||||
|
import org.springframework.context.ApplicationContext;
|
||||||
|
import org.springframework.context.ConfigurableApplicationContext;
|
||||||
|
import org.springframework.context.support.ClassPathXmlApplicationContext;
|
||||||
|
|
||||||
|
import org.springframework.web.context.support.WebApplicationContextUtils;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.servlet.Filter;
|
||||||
|
import javax.servlet.FilterChain;
|
||||||
|
import javax.servlet.FilterConfig;
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
import javax.servlet.ServletResponse;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Processes a HTTP request's BASIC authorization headers, putting the result
|
||||||
|
* into the <code>HttpSession</code>.
|
||||||
|
*
|
||||||
|
* <P>
|
||||||
|
* For a detailed background on what this filter is designed to process, refer
|
||||||
|
* to <A HREF="http://www.faqs.org/rfcs/rfc1945.html">RFC 1945, Section
|
||||||
|
* 11.1</A>. Any realm name presented in the HTTP request is ignored.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* In summary, this filter is responsible for processing any request that has a
|
||||||
|
* HTTP request header of <code>Authorization</code> with an authentication
|
||||||
|
* scheme of <code>Basic</code> and a Base64-encoded
|
||||||
|
* <code>username:password</code> token. For example, to authenticate user
|
||||||
|
* "Aladdin" with password "open sesame" the following header would be
|
||||||
|
* presented:
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* Requests containing BASIC authentication headers are generally created by
|
||||||
|
* remoting protocol libraries. This filter is intended to process requests
|
||||||
|
* made by such libraries.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <P>
|
||||||
|
* If authentication is successful, the resulting {@link Authentication} object
|
||||||
|
* will be placed into the <code>HttpSession</code> with the attribute defined
|
||||||
|
* by {@link HttpSessionIntegrationFilter#ACEGI_SECURITY_AUTHENTICATION_KEY}.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* If authentication fails, a <code>HttpServletResponse.SC_FORBIDDEN</code>
|
||||||
|
* (403 error) response is sent. This is consistent with RFC 1945, Section 11,
|
||||||
|
* which states, "<I>If the server does not wish to accept the credentials
|
||||||
|
* sent with a request, it should return a 403 (forbidden) response.</I>".
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* This filter works with an {@link AuthenticationManager} which is used to
|
||||||
|
* process each authentication request. By default, at init time, the filter
|
||||||
|
* will use Spring's {@link
|
||||||
|
* WebApplicationContextUtils#getWebApplicationContext(ServletContext sc)}
|
||||||
|
* method to obtain an ApplicationContext instance, inside which must be a
|
||||||
|
* configured AuthenticationManager instance. In the case where it is
|
||||||
|
* desirable for this filter to instantiate its own ApplicationContext
|
||||||
|
* instance from which to obtain the AuthenticationManager, the location of
|
||||||
|
* the config for this context may be specified with the optional
|
||||||
|
* <code>contextConfigLocation</code> init param.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <p>
|
||||||
|
* To use this filter, it is necessary to specify the following filter
|
||||||
|
* initialization parameters:
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* <ul>
|
||||||
|
* <li>
|
||||||
|
* <code>contextConfigLocation</code> (optional, normally not used), indicates
|
||||||
|
* the path to an application context that contains an {@link
|
||||||
|
* AuthenticationManager} which should be used to process each authentication
|
||||||
|
* request. If not specified, {@link
|
||||||
|
* WebApplicationContextUtils#getWebApplicationContext(ServletContext sc)}
|
||||||
|
* will be used to obtain the context.
|
||||||
|
* </li>
|
||||||
|
* </ul>
|
||||||
|
*
|
||||||
|
*
|
||||||
|
* @author Ben Alex
|
||||||
|
* @version $Id$
|
||||||
|
*/
|
||||||
|
public class BasicProcessingFilter implements Filter {
|
||||||
|
//~ Static fields/initializers =============================================
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Name of (optional) servlet filter parameter that can specify the config
|
||||||
|
* location for a new ApplicationContext used to config this filter.
|
||||||
|
*/
|
||||||
|
public static final String CONFIG_LOCATION_PARAM = "contextConfigLocation";
|
||||||
|
private static final Log logger = LogFactory.getLog(BasicProcessingFilter.class);
|
||||||
|
|
||||||
|
//~ Instance fields ========================================================
|
||||||
|
|
||||||
|
private ApplicationContext ctx;
|
||||||
|
private AuthenticationManager authenticationManager;
|
||||||
|
private boolean ourContext = false;
|
||||||
|
|
||||||
|
//~ Methods ================================================================
|
||||||
|
|
||||||
|
public void destroy() {
|
||||||
|
if (ourContext && ctx instanceof ConfigurableApplicationContext) {
|
||||||
|
((ConfigurableApplicationContext) ctx).close();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void doFilter(ServletRequest request, ServletResponse response,
|
||||||
|
FilterChain chain) throws IOException, ServletException {
|
||||||
|
if (!(request instanceof HttpServletRequest)) {
|
||||||
|
throw new ServletException("Can only process HttpServletRequest");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!(response instanceof HttpServletResponse)) {
|
||||||
|
throw new ServletException("Can only process HttpServletResponse");
|
||||||
|
}
|
||||||
|
|
||||||
|
HttpServletRequest httpRequest = (HttpServletRequest) request;
|
||||||
|
HttpServletResponse httpResponse = (HttpServletResponse) response;
|
||||||
|
|
||||||
|
String header = httpRequest.getHeader("Authorization");
|
||||||
|
|
||||||
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug("Authorization header: " + header);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((header != null) && header.startsWith("Basic ")) {
|
||||||
|
String base64Token = header.substring(6);
|
||||||
|
String token = new String(Base64.decodeBase64(
|
||||||
|
base64Token.getBytes()));
|
||||||
|
|
||||||
|
String username = "";
|
||||||
|
String password = "";
|
||||||
|
int delim = token.indexOf(":");
|
||||||
|
|
||||||
|
if (delim != -1) {
|
||||||
|
username = token.substring(0, delim);
|
||||||
|
password = token.substring(delim + 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
|
||||||
|
password);
|
||||||
|
|
||||||
|
Authentication authResult;
|
||||||
|
|
||||||
|
try {
|
||||||
|
authResult = authenticationManager.authenticate(authRequest);
|
||||||
|
} catch (AuthenticationException failed) {
|
||||||
|
// Authentication failed
|
||||||
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug("Authentication request for user: " + username
|
||||||
|
+ " failed: " + failed.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN); // 403
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Authentication success
|
||||||
|
if (logger.isDebugEnabled()) {
|
||||||
|
logger.debug("Authentication success: " + authResult.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
httpRequest.getSession().setAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY,
|
||||||
|
authResult);
|
||||||
|
}
|
||||||
|
|
||||||
|
chain.doFilter(request, response);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
String appContextLocation = filterConfig.getInitParameter(CONFIG_LOCATION_PARAM);
|
||||||
|
|
||||||
|
if ((appContextLocation != null) && (appContextLocation.length() > 0)) {
|
||||||
|
ourContext = true;
|
||||||
|
|
||||||
|
if (Thread.currentThread().getContextClassLoader().getResource(appContextLocation) == null) {
|
||||||
|
throw new ServletException("Cannot locate "
|
||||||
|
+ appContextLocation);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
if (!ourContext) {
|
||||||
|
ctx = WebApplicationContextUtils
|
||||||
|
.getRequiredWebApplicationContext(filterConfig
|
||||||
|
.getServletContext());
|
||||||
|
} else {
|
||||||
|
ctx = new ClassPathXmlApplicationContext(appContextLocation);
|
||||||
|
}
|
||||||
|
} catch (RuntimeException e) {
|
||||||
|
throw new ServletException(
|
||||||
|
"Error obtaining/creating ApplicationContext for config. Must be stored in ServletContext, or optionally '"
|
||||||
|
+ CONFIG_LOCATION_PARAM
|
||||||
|
+ "' param may be used to allow creation of new context by this filter. See root error for additional details",
|
||||||
|
e);
|
||||||
|
}
|
||||||
|
|
||||||
|
Map beans = ctx.getBeansOfType(AuthenticationManager.class, true, true);
|
||||||
|
|
||||||
|
if (beans.size() == 0) {
|
||||||
|
throw new ServletException(
|
||||||
|
"Bean context must contain at least one bean of type AuthenticationManager");
|
||||||
|
}
|
||||||
|
|
||||||
|
String beanName = (String) beans.keySet().iterator().next();
|
||||||
|
authenticationManager = (AuthenticationManager) beans.get(beanName);
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
<html>
|
||||||
|
<body>
|
||||||
|
Authenticates HTTP BASIC authentication requests.
|
||||||
|
</body>
|
||||||
|
</html>
|
|
@ -48,7 +48,8 @@ public class MockHttpServletRequest implements HttpServletRequest {
|
||||||
//~ Instance fields ========================================================
|
//~ Instance fields ========================================================
|
||||||
|
|
||||||
private HttpSession session;
|
private HttpSession session;
|
||||||
private Map map = new HashMap();
|
private Map paramMap = new HashMap();
|
||||||
|
private Map headersMap = new HashMap();
|
||||||
private Principal principal;
|
private Principal principal;
|
||||||
private String contextPath = "";
|
private String contextPath = "";
|
||||||
private String queryString = null;
|
private String queryString = null;
|
||||||
|
@ -69,6 +70,12 @@ public class MockHttpServletRequest implements HttpServletRequest {
|
||||||
super();
|
super();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public MockHttpServletRequest(Map headers, Principal principal, HttpSession session) {
|
||||||
|
this.headersMap = headers;
|
||||||
|
this.principal = principal;
|
||||||
|
this.session = session;
|
||||||
|
}
|
||||||
|
|
||||||
//~ Methods ================================================================
|
//~ Methods ================================================================
|
||||||
|
|
||||||
public void setAttribute(String arg0, Object arg1) {
|
public void setAttribute(String arg0, Object arg1) {
|
||||||
|
@ -120,7 +127,13 @@ public class MockHttpServletRequest implements HttpServletRequest {
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getHeader(String arg0) {
|
public String getHeader(String arg0) {
|
||||||
throw new UnsupportedOperationException("mock method not implemented");
|
Object result = headersMap.get(arg0);
|
||||||
|
|
||||||
|
if (result != null) {
|
||||||
|
return (String) headersMap.get(arg0);
|
||||||
|
} else {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public Enumeration getHeaderNames() {
|
public Enumeration getHeaderNames() {
|
||||||
|
@ -152,14 +165,14 @@ public class MockHttpServletRequest implements HttpServletRequest {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setParameter(String arg0, String value) {
|
public void setParameter(String arg0, String value) {
|
||||||
map.put(arg0, value);
|
paramMap.put(arg0, value);
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getParameter(String arg0) {
|
public String getParameter(String arg0) {
|
||||||
Object result = map.get(arg0);
|
Object result = paramMap.get(arg0);
|
||||||
|
|
||||||
if (result != null) {
|
if (result != null) {
|
||||||
return (String) map.get(arg0);
|
return (String) paramMap.get(arg0);
|
||||||
} else {
|
} else {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,376 @@
|
||||||
|
/* Copyright 2004 Acegi Technology Pty Limited
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package net.sf.acegisecurity.ui.basicauth;
|
||||||
|
|
||||||
|
import junit.framework.TestCase;
|
||||||
|
|
||||||
|
import net.sf.acegisecurity.Authentication;
|
||||||
|
import net.sf.acegisecurity.MockFilterConfig;
|
||||||
|
import net.sf.acegisecurity.MockHttpServletRequest;
|
||||||
|
import net.sf.acegisecurity.MockHttpServletResponse;
|
||||||
|
import net.sf.acegisecurity.MockHttpSession;
|
||||||
|
import net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter;
|
||||||
|
|
||||||
|
import org.apache.commons.codec.binary.Base64;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.servlet.Filter;
|
||||||
|
import javax.servlet.FilterChain;
|
||||||
|
import javax.servlet.FilterConfig;
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.ServletRequest;
|
||||||
|
import javax.servlet.ServletResponse;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tests {@link BasicProcessingFilter}.
|
||||||
|
*
|
||||||
|
* @author Ben Alex
|
||||||
|
* @version $Id$
|
||||||
|
*/
|
||||||
|
public class BasicProcessingFilterTests extends TestCase {
|
||||||
|
//~ Constructors ===========================================================
|
||||||
|
|
||||||
|
public BasicProcessingFilterTests() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
public BasicProcessingFilterTests(String arg0) {
|
||||||
|
super(arg0);
|
||||||
|
}
|
||||||
|
|
||||||
|
//~ Methods ================================================================
|
||||||
|
|
||||||
|
public final void setUp() throws Exception {
|
||||||
|
super.setUp();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
junit.textui.TestRunner.run(BasicProcessingFilterTests.class);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testDoFilterWithNonHttpServletRequestDetected()
|
||||||
|
throws Exception {
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.doFilter(null, new MockHttpServletResponse(),
|
||||||
|
new MockFilterChain());
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertEquals("Can only process HttpServletRequest",
|
||||||
|
expected.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testDoFilterWithNonHttpServletResponseDetected()
|
||||||
|
throws Exception {
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.doFilter(new MockHttpServletRequest(null, null), null,
|
||||||
|
new MockFilterChain());
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertEquals("Can only process HttpServletResponse",
|
||||||
|
expected.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testFilterIgnoresRequestsContainingNoAuthorizationHeader()
|
||||||
|
throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will be invoked
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) == null);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testInvalidBasicAuthorizationTokenIsIgnored()
|
||||||
|
throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
String token = "NOT_A_VALID_TOKEN_AS_MISSING_COLON";
|
||||||
|
headers.put("Authorization",
|
||||||
|
"Basic " + new String(Base64.encodeBase64(token.getBytes())));
|
||||||
|
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will be invoked
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) == null);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testNormalOperation() throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
String token = "marissa:koala";
|
||||||
|
headers.put("Authorization",
|
||||||
|
"Basic " + new String(Base64.encodeBase64(token.getBytes())));
|
||||||
|
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will be invoked
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) != null);
|
||||||
|
assertEquals("marissa",
|
||||||
|
((Authentication) request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY)).getPrincipal()
|
||||||
|
.toString());
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testOtherAuthorizationSchemeIsIgnored()
|
||||||
|
throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
headers.put("Authorization", "SOME_OTHER_AUTHENTICATION_SCHEME");
|
||||||
|
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will be invoked
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) == null);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testStartupDetectsInvalidContextConfigLocation()
|
||||||
|
throws Exception {
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-invalid.xml");
|
||||||
|
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.init(config);
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertEquals("Bean context must contain at least one bean of type AuthenticationManager",
|
||||||
|
expected.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testStartupDetectsMissingAppContext() throws Exception {
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.init(config);
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertTrue(expected.getMessage().startsWith("Error obtaining/creating ApplicationContext for config."));
|
||||||
|
}
|
||||||
|
|
||||||
|
config.setInitParmeter("contextConfigLocation", "");
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.init(config);
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertTrue(expected.getMessage().startsWith("Error obtaining/creating ApplicationContext for config."));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testStartupDetectsMissingInvalidContextConfigLocation()
|
||||||
|
throws Exception {
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation", "DOES_NOT_EXIST");
|
||||||
|
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.init(config);
|
||||||
|
fail("Should have thrown ServletException");
|
||||||
|
} catch (ServletException expected) {
|
||||||
|
assertTrue(expected.getMessage().startsWith("Cannot locate"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testSuccessLoginThenFailureLoginResultsInSessionLoosingToken()
|
||||||
|
throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
String token = "marissa:koala";
|
||||||
|
headers.put("Authorization",
|
||||||
|
"Basic " + new String(Base64.encodeBase64(token.getBytes())));
|
||||||
|
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will be invoked
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) != null);
|
||||||
|
assertEquals("marissa",
|
||||||
|
((Authentication) request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY)).getPrincipal()
|
||||||
|
.toString());
|
||||||
|
|
||||||
|
// NOW PERFORM FAILED AUTHENTICATION
|
||||||
|
// Setup our HTTP request
|
||||||
|
headers = new HashMap();
|
||||||
|
token = "marissa:WRONG_PASSWORD";
|
||||||
|
headers.put("Authorization",
|
||||||
|
"Basic " + new String(Base64.encodeBase64(token.getBytes())));
|
||||||
|
request = new MockHttpServletRequest(headers, null,
|
||||||
|
new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will not be invoked, as we get a 403 forbidden response
|
||||||
|
chain = new MockFilterChain(false);
|
||||||
|
response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) == null);
|
||||||
|
assertEquals(403, response.getError());
|
||||||
|
}
|
||||||
|
|
||||||
|
public void testWrongPasswordReturnsForbidden() throws Exception {
|
||||||
|
// Setup our HTTP request
|
||||||
|
Map headers = new HashMap();
|
||||||
|
String token = "marissa:WRONG_PASSWORD";
|
||||||
|
headers.put("Authorization",
|
||||||
|
"Basic " + new String(Base64.encodeBase64(token.getBytes())));
|
||||||
|
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest(headers,
|
||||||
|
null, new MockHttpSession());
|
||||||
|
request.setServletPath("/some_file.html");
|
||||||
|
|
||||||
|
// Setup our filter configuration
|
||||||
|
MockFilterConfig config = new MockFilterConfig();
|
||||||
|
config.setInitParmeter("contextConfigLocation",
|
||||||
|
"net/sf/acegisecurity/ui/webapp/filtertest-valid.xml");
|
||||||
|
|
||||||
|
// Setup our expectation that the filter chain will not be invoked, as we get a 403 forbidden response
|
||||||
|
MockFilterChain chain = new MockFilterChain(false);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Test
|
||||||
|
BasicProcessingFilter filter = new BasicProcessingFilter();
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response,
|
||||||
|
chain);
|
||||||
|
|
||||||
|
assertTrue(request.getSession().getAttribute(HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY) == null);
|
||||||
|
assertEquals(403, response.getError());
|
||||||
|
}
|
||||||
|
|
||||||
|
private void executeFilterInContainerSimulator(FilterConfig filterConfig,
|
||||||
|
Filter filter, ServletRequest request, ServletResponse response,
|
||||||
|
FilterChain filterChain) throws ServletException, IOException {
|
||||||
|
filter.init(filterConfig);
|
||||||
|
filter.doFilter(request, response, filterChain);
|
||||||
|
filter.destroy();
|
||||||
|
}
|
||||||
|
|
||||||
|
//~ Inner Classes ==========================================================
|
||||||
|
|
||||||
|
private class MockFilterChain implements FilterChain {
|
||||||
|
private boolean expectToProceed;
|
||||||
|
|
||||||
|
public MockFilterChain(boolean expectToProceed) {
|
||||||
|
this.expectToProceed = expectToProceed;
|
||||||
|
}
|
||||||
|
|
||||||
|
private MockFilterChain() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
public void doFilter(ServletRequest request, ServletResponse response)
|
||||||
|
throws IOException, ServletException {
|
||||||
|
if (expectToProceed) {
|
||||||
|
assertTrue(true);
|
||||||
|
} else {
|
||||||
|
fail("Did not expect filter chain to proceed");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -281,15 +281,6 @@
|
||||||
custom request contexts implement the <literal>SecureContext</literal>
|
custom request contexts implement the <literal>SecureContext</literal>
|
||||||
interface.</para>
|
interface.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="security-contexts-future-work">
|
|
||||||
<title>Future Work</title>
|
|
||||||
|
|
||||||
<para>Over time it is hoped that the Spring remoting classes can be
|
|
||||||
extended to support propagation of the <literal>Context</literal>
|
|
||||||
between <literal>ContextHolder</literal>s on the client and
|
|
||||||
server.</para>
|
|
||||||
</sect2>
|
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
<sect1 id="security-interception">
|
<sect1 id="security-interception">
|
||||||
|
@ -642,8 +633,8 @@
|
||||||
pattern appears higher than the less specific
|
pattern appears higher than the less specific
|
||||||
<literal>/super/</literal> pattern. If they were reversed, the
|
<literal>/super/</literal> pattern. If they were reversed, the
|
||||||
<literal>/super/</literal> pattern would always match and the
|
<literal>/super/</literal> pattern would always match and the
|
||||||
<literal>/secure/super/</literal> pattern would never be evaluated.
|
<literal>/secure/super/</literal> pattern would never be
|
||||||
</para>
|
evaluated.</para>
|
||||||
|
|
||||||
<para>The special keyword
|
<para>The special keyword
|
||||||
<literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> causes
|
<literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> causes
|
||||||
|
@ -1477,13 +1468,17 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
|
|
||||||
<para>Several alternatives are available for the first step. The two
|
<para>There are several alternatives are available for the first step,
|
||||||
most supported approaches are HTTP Session Authentication, which uses
|
which will be briefly discussed in this chapter. The most popular
|
||||||
the <literal>HttpSession</literal> object and filters to authenticate
|
approach is HTTP Session Authentication, which uses the
|
||||||
the user. The other is via Container Adapters, which allow supported
|
<literal>HttpSession</literal> object and filters to authenticate the
|
||||||
web containers to perform the authentication themselves. HTTP Session
|
user. Another approach is HTTP Basic Authentication, which allows
|
||||||
Authentication is discussed below, whilst Container Adapters are
|
clients to use HTTP headers to present authentication information to
|
||||||
discussed in a separate section.</para>
|
the Acegi Security System for Spring. The final approach is via
|
||||||
|
Container Adapters, which allow supported web containers to perform
|
||||||
|
the authentication themselves. HTTP Session Authentication is
|
||||||
|
discussed below, whilst Container Adapters are discussed in a separate
|
||||||
|
section.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="security-ui-http-session">
|
<sect2 id="security-ui-http-session">
|
||||||
|
@ -1569,11 +1564,74 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
be used instead of Container Adapters.</para>
|
be used instead of Container Adapters.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
|
<sect2 id="security-ui-http-session">
|
||||||
|
<title>HTTP Basic Authentication</title>
|
||||||
|
|
||||||
|
<para>Primarily to cater for the needs of remoting protocols such as
|
||||||
|
Hessian and Burlap, the Acegi Security System for Spring provides a
|
||||||
|
<literal>BasicProcessingFilter</literal> which is capable of
|
||||||
|
processing authentication credentials presented in HTTP headers (for
|
||||||
|
standard authentication of web browser users, we recommend HTTP
|
||||||
|
Session Authentication). The standard governing HTTP Basic
|
||||||
|
Authentication is defined by RFC 1945, Section 11, and the
|
||||||
|
<literal>BasicProcessingFilter</literal> conforms with this RFC. To
|
||||||
|
implement HTTP Basic Authentication, it is necessary to add the
|
||||||
|
following filter to <literal>web.xml</literal>:</para>
|
||||||
|
|
||||||
|
<para><programlisting><filter>
|
||||||
|
<filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
|
||||||
|
<filter-class>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</filter-class>
|
||||||
|
</filter>
|
||||||
|
|
||||||
|
<filter-mapping>
|
||||||
|
<filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
|
||||||
|
<url-pattern>/*</url-pattern>
|
||||||
|
</filter-mapping></programlisting></para>
|
||||||
|
|
||||||
|
<para>Like the <literal>AuthenticationProcessingFilter</literal>
|
||||||
|
discussed above, the <literal>BasicProcessingFilter</literal> will
|
||||||
|
need to delegate to a properly configured
|
||||||
|
<literal>AuthenticationManager</literal>. To do this it requires
|
||||||
|
access to a Spring application context, which is usually obtained from
|
||||||
|
<literal>WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>.
|
||||||
|
This is usually made available by using Spring's
|
||||||
|
<literal>ContextLoaderListener</literal> in
|
||||||
|
<literal>web.xml</literal>. Alternatively, the
|
||||||
|
<literal>web.xml</literal> can be used to define a filter
|
||||||
|
<literal><init-param></literal> named
|
||||||
|
<literal>contextConfigLocation</literal>. This initialization
|
||||||
|
parameter will represent a path to a Spring XML application context
|
||||||
|
that the <literal>AuthenticationProcessingFilter</literal> will load
|
||||||
|
during startup.</para>
|
||||||
|
|
||||||
|
<para>The <literal>AuthenticationManager</literal> processes each
|
||||||
|
authentication request. If authentication fails, a 403 (forbidden)
|
||||||
|
response will be returned in response to the HTTP request. If
|
||||||
|
authentication is successful, the resulting
|
||||||
|
<literal>Authentication</literal> object will be placed into the
|
||||||
|
<literal>HttpSession</literal> attribute indicated by
|
||||||
|
<literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.
|
||||||
|
This becomes the "well-known location" from which the
|
||||||
|
<literal>Authentication</literal> object is later extracted.</para>
|
||||||
|
|
||||||
|
<para>If the authentication event was successful, or authentication
|
||||||
|
was not attempted because the HTTP header did not contain a supported
|
||||||
|
authentication request, the filter chain will continue as normal. The
|
||||||
|
only time the filter chain will be interrupted is if authentication
|
||||||
|
fails and a 403 response is returned, as discussed in the previous
|
||||||
|
paragraph.</para>
|
||||||
|
|
||||||
|
<para>HTTP Basic Authentication is recommended to be used instead of
|
||||||
|
Container Adapters. It can be used in conjunction with HTTP Session
|
||||||
|
Authentication, as demonstrated in the Contacts sample
|
||||||
|
application.</para>
|
||||||
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="security-ui-well-known">
|
<sect2 id="security-ui-well-known">
|
||||||
<title>Well-Known Location Integration</title>
|
<title>Well-Known Location Integration</title>
|
||||||
|
|
||||||
<para>Once a web application has used either HTTP Session
|
<para>Once a web application has used either HTTP Session
|
||||||
Authentication or a Container Adapter, an
|
Authentication, HTTP Basic Authentication, or a Container Adapter, an
|
||||||
<literal>Authentication</literal> object will exist in a well-known
|
<literal>Authentication</literal> object will exist in a well-known
|
||||||
location. The final step in automatically integrating the user
|
location. The final step in automatically integrating the user
|
||||||
interface with the backend security interceptor is to extract this
|
interface with the backend security interceptor is to extract this
|
||||||
|
@ -1597,9 +1655,10 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<para><itemizedlist>
|
<para><itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>HttpSessionIntegrationFilter</literal> is used
|
<para><literal>HttpSessionIntegrationFilter</literal> is used
|
||||||
with HTTP Session Authentication, or any other approach that
|
with HTTP Session Authentication, HTTP Basic Authentication, or
|
||||||
populates the <literal>HttpSession</literal> accordingly. It
|
any other approach that populates the
|
||||||
extracts the <literal>Authentication</literal> object from the
|
<literal>HttpSession</literal> accordingly. It extracts the
|
||||||
|
<literal>Authentication</literal> object from the
|
||||||
<literal>HttpSession</literal> attribute indicated by
|
<literal>HttpSession</literal> attribute indicated by
|
||||||
<literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.</para>
|
<literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
@ -1663,8 +1722,8 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
with end users. Whilst this worked well, it required considerable time
|
with end users. Whilst this worked well, it required considerable time
|
||||||
to support multiple container versions and the configuration itself
|
to support multiple container versions and the configuration itself
|
||||||
was relatively time-consuming for developers. For this reason the HTTP
|
was relatively time-consuming for developers. For this reason the HTTP
|
||||||
Session Authentication approach was developed, and is today
|
Session Authentication and HTTP Basic Authentication approaches were
|
||||||
recommended for most applications.</para>
|
developed, and are today recommended for most applications.</para>
|
||||||
|
|
||||||
<para>Container Adapters enable the Acegi Security System for Spring
|
<para>Container Adapters enable the Acegi Security System for Spring
|
||||||
to integrate directly with the containers used to host end user
|
to integrate directly with the containers used to host end user
|
||||||
|
@ -1789,6 +1848,18 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>acegi-security-catalina-common.jar</literal></para>
|
<para><literal>acegi-security-catalina-common.jar</literal></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>commons-codec.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>burlap.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>hessian.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<para>None of the above JAR files (or
|
<para>None of the above JAR files (or
|
||||||
|
@ -1851,6 +1922,18 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>acegi-security-jetty-ext.jar</literal></para>
|
<para><literal>acegi-security-jetty-ext.jar</literal></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>commons-codec.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>burlap.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>hessian.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
|
|
||||||
<para>None of the above JAR files (or
|
<para>None of the above JAR files (or
|
||||||
|
@ -1904,6 +1987,18 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>acegi-security-jboss-lib.jar</literal></para>
|
<para><literal>acegi-security-jboss-lib.jar</literal></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>commons-codec.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>burlap.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>hessian.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
|
|
||||||
<para>None of the above JAR files (or
|
<para>None of the above JAR files (or
|
||||||
|
@ -1954,6 +2049,18 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>acegi-security-resin-lib.jar</literal></para>
|
<para><literal>acegi-security-resin-lib.jar</literal></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>commons-codec.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>burlap.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><literal>hessian.jar</literal></para>
|
||||||
|
</listitem>
|
||||||
</itemizedlist></para>
|
</itemizedlist></para>
|
||||||
|
|
||||||
<para>Unlike the container-wide <literal>acegisecurity.xml</literal>
|
<para>Unlike the container-wide <literal>acegisecurity.xml</literal>
|
||||||
|
@ -2066,6 +2173,22 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||||
visiting <literal>http://localhost:8080/contacts/secure/super</literal>,
|
visiting <literal>http://localhost:8080/contacts/secure/super</literal>,
|
||||||
which will demonstrate access being denied by the
|
which will demonstrate access being denied by the
|
||||||
<literal>SecurityEnforcementFilter</literal>.</para>
|
<literal>SecurityEnforcementFilter</literal>.</para>
|
||||||
|
|
||||||
|
<para>The Contacts sample application also include a
|
||||||
|
<literal>client</literal> directory. Inside you will find a small
|
||||||
|
application that queries the backend business objects using the Hessian
|
||||||
|
and Burlap protocols. This demonstrates how to use the Acegi Security
|
||||||
|
System for Spring for authentication with Spring remoting protocols. To
|
||||||
|
try this client, ensure your servlet container is still running the
|
||||||
|
Contacts sample application, and then execute <literal>client
|
||||||
|
marissa</literal>. This will use the remoting protocols to obtain the
|
||||||
|
list of contacts with the owner specified (in this case
|
||||||
|
<literal>marissa</literal>). Note you will be need to edit
|
||||||
|
<literal>client.properties</literal> to use a different username,
|
||||||
|
password, or target URL. To see that security does indeed work, try
|
||||||
|
running <literal>client scott</literal> before changing
|
||||||
|
<literal>client.properties</literal> to use <literal>scott</literal>'s
|
||||||
|
authentication details.</para>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
<sect1 id="security-become-involved">
|
<sect1 id="security-become-involved">
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
/*
|
||||||
|
* ====================================================================
|
||||||
|
*
|
||||||
|
* The Apache Software License, Version 1.1
|
||||||
|
*
|
||||||
|
* Copyright (c) 2001-2003 The Apache Software Foundation. All rights
|
||||||
|
* reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
*
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
*
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in
|
||||||
|
* the documentation and/or other materials provided with the
|
||||||
|
* distribution.
|
||||||
|
*
|
||||||
|
* 3. The end-user documentation included with the redistribution,
|
||||||
|
* if any, must include the following acknowledgement:
|
||||||
|
* "This product includes software developed by the
|
||||||
|
* Apache Software Foundation (http://www.apache.org/)."
|
||||||
|
* Alternately, this acknowledgement may appear in the software itself,
|
||||||
|
* if and wherever such third-party acknowledgements normally appear.
|
||||||
|
*
|
||||||
|
* 4. The names "Apache", "The Jakarta Project", "Commons", and "Apache Software
|
||||||
|
* Foundation" must not be used to endorse or promote products derived
|
||||||
|
* from this software without prior written permission. For written
|
||||||
|
* permission, please contact apache@apache.org.
|
||||||
|
*
|
||||||
|
* 5. Products derived from this software may not be called "Apache",
|
||||||
|
* "Apache" nor may "Apache" appear in their name without prior
|
||||||
|
* written permission of the Apache Software Foundation.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
|
||||||
|
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||||
|
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
|
||||||
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||||
|
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
|
||||||
|
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
||||||
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||||
|
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
||||||
|
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||||
|
* SUCH DAMAGE.
|
||||||
|
* ====================================================================
|
||||||
|
*
|
||||||
|
* This software consists of voluntary contributions made by many
|
||||||
|
* individuals on behalf of the Apache Software Foundation. For more
|
||||||
|
* information on the Apache Software Foundation, please see
|
||||||
|
* <http://www.apache.org/>.
|
||||||
|
*
|
||||||
|
*/
|
|
@ -9,8 +9,6 @@ to the project have some ideas on where they could potentially add value.
|
||||||
- Extend integration tests to support Resin (Ant startup/shutdown approach
|
- Extend integration tests to support Resin (Ant startup/shutdown approach
|
||||||
needed)
|
needed)
|
||||||
|
|
||||||
- Extend Spring remoting classes to transparently transport the Context
|
|
||||||
|
|
||||||
- Sample application that demonstrates EJB remote method invocation with Acegi
|
- Sample application that demonstrates EJB remote method invocation with Acegi
|
||||||
security system as login module on server side
|
security system as login module on server side
|
||||||
|
|
||||||
|
|
|
@ -2,8 +2,7 @@
|
||||||
ACEGI SECURITY SYSTEM FOR SPRING - UPGRADING FROM 0.4 TO 0.5
|
ACEGI SECURITY SYSTEM FOR SPRING - UPGRADING FROM 0.4 TO 0.5
|
||||||
===============================================================================
|
===============================================================================
|
||||||
|
|
||||||
Unfortunately, changes to the API and package locations were required. The
|
The following should help most casual users of the project update their
|
||||||
following should help most casual users of the project update their
|
|
||||||
applications:
|
applications:
|
||||||
|
|
||||||
- By default, AuthenticationProcessingFilter and SecurityEnforcementFilter now
|
- By default, AuthenticationProcessingFilter and SecurityEnforcementFilter now
|
||||||
|
@ -17,6 +16,9 @@ applications:
|
||||||
If you do still want to use this approach, just rename your param from
|
If you do still want to use this approach, just rename your param from
|
||||||
'appContextLocation' to 'contextConfigLocation'.
|
'appContextLocation' to 'contextConfigLocation'.
|
||||||
|
|
||||||
|
- If you're using container adapters, please refer to the reference
|
||||||
|
documentation as additional JARs are now required in your container
|
||||||
|
classloader.
|
||||||
|
|
||||||
We hope you find the new features useful in your projects.
|
We hope you find the new features useful in your projects.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue