AppFuseAuthentication


Difference between version 29 and version 3:

At line 3 changed 1 line.
The purpose of this page is to describe what I did to integrate Acegi Security into 1.8. Hopefull you can use this to change your pre-1.8 applications to Acegi Security if you like. The nice thing about migrating to Acegi Security is your application becomes more portable and you don't have to worry about configuring your application server. Also, there weren't many code changes involved in the integration process - which proves Acegi Security works very well with all the existing code that talks to the security methods of the Servlet API (i.e. request.isUserInRole(), etc.)
The purpose of this page is to describe what we did to integrate Acegi Security into 1.8. Hopefully you can use this to change your pre-1.8 applications to Acegi Security if you like. The nice thing about migrating to Acegi Security is your application becomes more portable and you don't have to worry about configuring your application server. Also, there weren't many code changes involved in the integration process - which proves Acegi Security works very well with all the existing code that talks to the security methods of the Servlet API (i.e. request.isUserInRole(), etc.)
At line 5 changed 1 line.
Part II of this tutorial __still needs to be written__. It will show you how to remove Acegi Security from AppFuse and revert back to Container-Managed Authentication.
<a href="#part2">Part II</a> of this tutorial shows you how to remove Acegi Security from AppFuse and revert back to Container-Managed Authentication (CMA). However, this might not be a necessary step if you want to use CMA because Acegi Security has a number of [Container Adapters|http://acegisecurity.sourceforge.net/docbook/acegi.html#security-container-adapters] available.
At line 7 changed 8 lines.
!Table of Contents
* [1] Add Acegi Security JARs to your project
* [2] Create applicationContext-security.xml
* [3] Configure filters and filter-mappings
* [4] Remove web-security.xml from metadata/web
* [5] Add an "enabled" variable to the User object
* [6] Configure logging for Acegi Security
* [7] Remove setting from LoginServlet.java to prevent duplicate logins
<div class="note" style="background-color: #fcc">__WARNING:__ It's likely that AppFuse will use more of Acegi Security features (i.e. Remember Me and Password Encryption) in 1.9+. Therefore, the instructions in Part II only apply to AppFuse 1.8.</div>
At line 9 added 12 lines.
!Table of Contents - Part I
* [1.1|1] Add Acegi Security JARs to your project
* [1.2|2] Create applicationContext-security.xml
* [1.3|3] Configure filter and its filter-mapping
* [1.4|4] Remove web-security.xml from metadata/web
* [1.5|5] Add an "enabled" variable to the User object (optional)
* [1.6|6] Configure logging for Acegi Security
* [1.7|7] Remove setting from LoginServlet.java to prevent duplicate logins
* [1.8|8] Add code to logout.jsp so logout succeeds
<!-- I left steps #9-19 out of the sequence to give room for additional steps -->
At line 17 changed 1 line.
Download the following two JARs and put them in the lib/spring-1.1.3 directory of your project. If you're on an older version of Spring, that shouldn't matter. The Acegi Security JAR listed below contains a [patch|http://forum.springframework.org/viewtopic.php?p=10396#10396] that allows you to easily exclude URLs. Before the 1.8 release, I hope to fix this so you don't need a patched version.
Download the following two JARs and put them in the lib/spring-1.1.3 directory of your project. If you're on an older version of Spring, that shouldn't matter.
At line 19 changed 2 lines.
* [acegi-security-0.7-SNAPSHOT.jar|https://appfuse.dev.java.net/source/browse/appfuse/lib/spring-1.1.3/acegi-security-0.7-SNAPSHOT.jar?rev=1.1]
* [commons-codec.jar|https://appfuse.dev.java.net/source/browse/appfuse/lib/spring-1.1.3/commons-codec.jar?rev=1.1]
* [acegi-security-0.8.2.jar|https://appfuse.dev.java.net/source/browse/*checkout*/appfuse/lib/spring-1.2/acegi-security-0.8.2.jar]
* [commons-codec.jar|https://appfuse.dev.java.net/source/browse/*checkout*/appfuse/lib/spring-1.2/commons-codec.jar]
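Review bot: the two replacement links drop the `?rev=1.1` pin and point at `*checkout*` URLs with no revision, so `commons-codec.jar` is now unversioned in both its filename and its URL. Name the commons-codec version in the link text, or keep a revision in the URL, so readers know which build they are adding to lib/ and can compare it against the upstream release. The new links also point at lib/spring-1.2 while the instruction sentence still says lib/spring-1.1.3; one of the two should be brought in line.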
At line 23 changed 1 line.
Download [applicationContext-security.xml|https://appfuse.dev.java.net/source/browse/appfuse/web/WEB-INF/applicationContext-security.xml?rev=1.1] and put it in your web/WEB-INF directory. Make sure your metadata/web/web-settings.xml file loads this file as part of the ContextLoaderListener. For AppFuse 1.7+, this should look as follows:
Download [applicationContext-security.xml|https://appfuse.dev.java.net/source/browse/*checkout*/appfuse/web/WEB-INF/applicationContext-security.xml] and put it in your web/WEB-INF directory. Make sure your metadata/web/web-settings.xml file loads this file as part of the ContextLoaderListener. For AppFuse 1.7+, this should look as follows:
At line 32 changed 1 line.
Add Acegi Security's filters to the top of metadata/web/filters.xml:
Add Acegi Security's filter to the top of metadata/web/filters.xml:
At line 35 removed 8 lines.
<filter>
<filter-name>Acegi Authentication Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
</init-param>
</filter>
At line 44 changed 5 lines.
<filter-name>acegiSessionFilter</filter-name>
<filter-class>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</filter-class>
</filter>
<filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-name>securityFilter</filter-name>
At line 52 changed 1 line.
<param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
<param-value>net.sf.acegisecurity.util.FilterChainProxy</param-value>
At line 55 removed 4 lines.
<filter>
<filter-name>acegiRemoteUserFilter</filter-name>
<filter-class>net.sf.acegisecurity.ui.wrapper.ContextHolderAwareRequestFilter</filter-class>
</filter>
At line 64 removed 6 lines.
<filter-mapping>
<filter-name>Acegi Authentication Processing Filter</filter-name>
<url-pattern>/j_security_check</url-pattern>
<!--dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher-->
</filter-mapping>
At line 71 changed 1 line.
<filter-name>acegiSessionFilter</filter-name>
<filter-name>securityFilter</filter-name>
At line 73 removed 2 lines.
<!--dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher-->
At line 76 removed 10 lines.
<filter-mapping>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<url-pattern>*.html</url-pattern>
<!--dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher-->
</filter-mapping>
<filter-mapping>
<filter-name>acegiRemoteUserFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
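Review bot: the mappings removed in this region covered `/j_security_check`, `*.html` and `/*`, and the only mapping left is the one renamed to `securityFilter`, whose `url-pattern` sits on an unchanged line and is not shown. Step 1.3 should state the pattern `securityFilter` is mapped to, because with a single `FilterChainProxy` entry any request path outside that pattern skips every Acegi filter at once rather than just one of them.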
At line 95 changed 1 line.
In order to hook into Acegi Security without changing much code, I did have to add a "enabled" property to the User object. This affects several areas of an AppFuse application. You will need to modify your code in the following areas to handle this.
One nice feature in Acegi Security is the ability to enable/disable users. In order to use this feature, you'll have to add an "enabled" property to the User object. This affects several areas of an AppFuse application. You will need to modify your code in the following areas to handle this.
At line 76 added 1 line.
At line 128 added 1 line.
log4j.logger.net.sf.acegisecurity.intercept.event.LoggerListener=WARN
At line 151 added 85 lines.
!!Add code to logout.jsp sp logout succeeds [#8]
In ''web/logout.jsp'', add code to invalidate the session (before the redirect). Invalidating the session in ''LoginFilter.java'' should work, but [it doesn't|http://forum.springframework.org/viewtopic.php?p=16882#16882].
{{{<% session.invalidate(); %>
<c:redirect url="/mainMenu.html"/>}}}
Also, Acegi can print out more informative error messages when login fails. To see these messages, add the following to ''web/pages/loginForm.jsp'' - right after the password.mismatch message.
{{{
<c:out value="${sessionScope.ACEGI_SECURITY_LAST_EXCEPTION.message}"/>
}}}
<p>&nbsp;</p>
----
<a name="part2"></a>
<h2 style="background-color: white; border: 0; margin-left: 0">Part II - Removing Acegi and reverting to CMA</h2>
Use the instructions below to change your AppFuse 1.8 application to use CMA. We don't expect many folks will need to do this, but more documentation is better than less. ;-)
!Table of Contents - Part II
* [2.1|20] Remove Acegi Security files from your project
* [2.2|21] Remove filter and its filter-mapping
* [2.3|22] Add web-security.xml to metadata/web
* [2.4|23] Add logic to detect disabled users (optional)
* [2.5|24] Remove Acegi Security's logging settings (optional)
* [2.6|25] Add code to LoginServlet.java to prevent duplicate logins
!!Remove Acegi Security files from your project [#20]
The first step in reverting back to CMA is removing Acegi-specific files. Delete ''acegi-security-*.jar'' and ''commons-codec.jar'' from __lib/spring-*__ and ''applicationContext-security.xml'' from __web/WEB-INF__.
!!Remove securityFilter and its filter-mapping [#21]
Modify __metadata/web/filters.xml__ to remove the "securityFilter" definition and its associated mapping from __metadata/web/filter-mappings.xml__.
!!Add web-security.xml to metadata/web [#23]
[Download the old web-security.xml file|https://appfuse.dev.java.net/source/browse/*checkout*/appfuse/metadata/web/Attic/web-security.xml?content-type=text%2Fplain] from AppFuse CVS's Attic and put it in your __metadata/web__ directory.
!!Add logic to detect disabled users (optional) [#24]
As part of integrating Acegi Security, an option to disable users was added to the User Profile screen. If you'd like to honor this feature in your application after removing Acegi Security, you can do so by modifying ''ActionFilter.java'' in the __src/web/org/appfuse/webapp/filter__ directory.
[{Java2HtmlPlugin
UserManager mgr = (UserManager) ctx.getBean("userManager");
user = mgr.getUser(username);
if (user.getEnabled() == Boolean.FALSE) {
request.getSession().invalidate();
response.sendRedirect(request.getContextPath() + "/loginError.jsp");
return;
}
session.setAttribute(Constants.USER_KEY, user);
}]
!!Remove Acegi Security's logging settings (optional) [#25]
The following lines can be removed from ''web/WEB-INF/classes/log4j.properties'' since they'll no longer be relevant. However, leaving them in won't hurt anything.
{{{
log4j.logger.net.sf.acegisecurity=WARN
log4j.logger.net.sf.acegisecurity.intercept.event.LoggerListener=WARN
}}}
!!Add code to LoginServlet.java to prevent duplicate logins [#26]
In LoginServet.java, add the following ''if statement'' at the beginning of the execute method. This prevents duplicate logins that can occur with CMA.
[{Java2HtmlPlugin
// if user is already authenticated, it means they probably bookmarked
// or typed in the URL to login.jsp directly, route them to the main
// menu is this is the case
if (request.getRemoteUser() != null) {
if (log.isDebugEnabled()) {
log.debug("User '" + request.getRemoteUser() +
"' already logged in, routing to mainMenu");
}
response.sendRedirect(request.getContextPath() + "/mainMenu.html");
return;
}
}]
''Issues or problems with these instructions? If so, please send your questions to [users-AT-appfuse.dev.java.net|mailto:[email protected]?subject=AppFuse Authentication Problems].''
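Review bot: in the ActionFilter.java snippet under "Add logic to detect disabled users", `user.getEnabled() == Boolean.FALSE` compares object references, so a `Boolean` that holds false but is not the `Boolean.FALSE` instance fails the test and the disabled user is let through. Use `Boolean.FALSE.equals(user.getEnabled())` and state explicitly whether a null value counts as enabled. Separately, the Part II table of contents links steps 2.3 to 2.6 to anchors 22 to 25 while the headings declare `[#23]` to `[#26]`, so those links resolve to the wrong section; the step 8 heading reads "sp logout succeeds" and the last step's text names "LoginServet.java".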
