good basic example.
Alarmnummer
02-01-2005, 07:55 AM
I have been playing with Acegi for a few hours but I'm totally lost in all the filters (and I don't like that). Does anyone have a simple example of security for a web application?
It would be nice if those simple examples were posted on the website... start simple...
Alarmnummer
02-01-2005, 08:42 AM
I think I have a basic structure... the main problem was in the order of the filter mappings.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
<!-- ===============================================================================
Security stuff
=============================================================================== -->
<!-- ======== Authentication ================================================== -->
<!--
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/dao/memory/InMemoryDaoImpl.html
-->
<bean id="memoryAuthenticationDao"
class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
peter=password,ROLE_ADMIN
</value>
</property>
</bean>
<!--
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/dao/DaoAuthenticationProvider.html
-->
<bean id="daoAuthenticationProvider"
class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="authenticationDao">
<ref local="memoryAuthenticationDao"/>
</property>
</bean>
<!--
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/providers/ProviderManager.html
-->
<bean id="authenticationManager"
class="net.sf.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- ======== Authentication ================================================== -->
<!--
- Processes an authentication form.
-
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/AuthenticationProcessingFilter.html
-->
<bean id="authenticationProcessingFilter"
class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="authenticationFailureUrl">
<value>/login.jsp?error=1</value>
</property>
<property name="defaultTargetUrl">
<value>/</value>
</property>
<property name="filterProcessesUrl">
<value>/j_acegi_security_check</value>
</property>
</bean>
<!-- ======== Authorization =================================================== -->
<!--
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/vote/UnanimousBased.html
-->
<bean id="accessDecisionManager"
class="net.sf.acegisecurity.vote.UnanimousBased">
<property name="allowIfAllAbstainDecisions">
<value>false</value>
</property>
<property name="decisionVoters">
<list>
<bean class="net.sf.acegisecurity.vote.RoleVoter"/>
</list>
</property>
</bean>
<!--
- This filter is necessary because it provides the bridge between incoming
- requests and the FilterSecurityInterceptor instance.
-
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/intercept/web/SecurityEnforcementFilter.html
-->
<bean id="securityEnforcementFilter"
class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
<property name="filterSecurityInterceptor">
<ref bean="filterInvocationInterceptor"/>
</property>
<property name="authenticationEntryPoint">
<ref bean="authenticationEntryPoint"/>
</property>
</bean>
<!--
- Used by the SecurityEnforcementFilter to commence authentication via the
- AuthenticationProcessingFilter. This object holds the location of the login
- form, relative to the web app context path, and is used to commence a redirect
- to that form.
-
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/AuthenticationProcessingFilterEntryPoint.html
-->
<bean id="authenticationEntryPoint"
class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl">
<value>/login.jsp</value>
</property>
<property name="forceHttps">
<value>false</value>
</property>
</bean>
<!--
- Performs security handling of HTTP resources via a filter implementation.
-
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/intercept/web/FilterSecurityInterceptor.html
-->
<bean id="filterInvocationInterceptor"
class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager"/>
</property>
<property name="accessDecisionManager">
<ref bean="accessDecisionManager"/>
</property>
<!-- here you specify the patterns of the resources that must be secured -->
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secured.html=ROLE_ADMIN
</value>
</property>
</bean>
<!--
- Populates a SecureContext from the HttpSession.
-
- The filter will inspect the HttpSession for an attribute with the name
- indicated by ACEGI_SECURITY_AUTHENTICATION_KEY. If that attribute contains an
- instance of Authentication, it will be placed into the ContextHolder.
-
- http://acegisecurity.sourceforge.net/multiproject/acegi-security/apidocs/net/sf/acegisecurity/ui/webapp/HttpSessionIntegrationFilter.html
-->
<bean id="httpSessionIntegrationFilter"
class="net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter"/>
</beans>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>Template</display-name>
<description>Termplate Applicatie</description>
<!--
- Location of the XML file that defines the root application context.
- Applied by ContextLoaderServlet.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext-database.xml
/WEB-INF/applicationContext-business.xml
/WEB-INF/applicationContext-acegi-security.xml
</param-value>
</context-param>
<!-- context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param -->
<!-- Responds to HTTP POSTs to j_acegi_security_check URI -->
<!-- Processes an authentication form.
- Login forms must present two parameters to this filter:
- a username and password. The parameter names to use are contained
- in the static fields ACEGI_SECURITY_FORM_USERNAME_KEY and
- ACEGI_SECURITY_FORM_PASSWORD_KEY. -->
<filter>
<filter-name>Acegi Authentication Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter
</param-value>
</init-param>
</filter>
<!-- Provides HTTP request URL security, and also catches
AcegiSecurityExceptions and sends 403 errors (if access denied)
or commences an authentication mechanism as appropriate -->
<filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>
net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter
</param-value>
</init-param>
</filter>
<!-- Obtains Authentication from HttpSession attribute, puts it into
ContextHolder for request duration, proceeds with request, then
copies Authentication from ContextHolder back into HttpSession -->
<filter>
<filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.webapp.HttpSessionIntegrationFilter</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Acegi Authentication Processing Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Security System for Spring HttpSession Integration Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- ============================================================
This gives every servlet access to the application context.
By default the Spring framework uses /WEB-INF/applicationContext.xml
to set up the application context.
============================================================ -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<welcome-file-list>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<taglib>
<taglib-uri>http://java.sun.com/jstl/core</taglib-uri>
<taglib-location>/WEB-INF/c.tld</taglib-location>
</taglib>
</web-app>
Ben Alex
02-04-2005, 03:07 AM
Your implementation looks good.
We're working on a consolidated filter utility class that would mean web.xml is significantly simplified. Instead there would be just one bean that polls the needed filters, which should reduce complexity.
Alarmnummer
02-09-2005, 05:44 AM
Your implementation looks good.
We're working on a consolidated filter utility class that would mean web.xml is significantly simplified. Instead there would be just one bean that polls the needed filters, which should reduce complexity.
Nice.. but a good example would be helpful too.. Acegi is powerful but 'complex'. Everything makes sense after a while, but in the beginning it feels like an information overload.
mlim
I totally agree! Acegi (to me at least) has a very steep learning curve.
Anyways, I still haven't gotten any response on how to redirect a 403 response to a user-friendly page. Also I've tried securing access to a particular URL and I am still able to access it. I probably (or definitely) missed something.
I have the following defined in my application context:
<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/jsp/mainMenu.*\Z=ROLE_USER
\A/lead/.*\Z=ROLE_ADMIN
</value>
</property>
</bean>
When I try accessing http://localhost:8080/myApp/jsp/mainMenu.jsp without being authenticated, I still get the page. I assume that it shouldn't. It says in the documentation that it should redirect to AuthenticationProcessingFilterEntryPoint's loginFormUrl. Apparently it doesn't. Am I missing something?
Ben Alex
02-10-2005, 01:37 AM
Anyways, I still haven't gotten any response on how to redirect a 403 response to a user-friendly page.
Yes, sorry, I have been very busy with other things these past few days.
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/jsp/mainMenu.*\Z=ROLE_USER
You are comparing with lowercase, but your mainMenu has an uppercase letter. Try "mainmenu".
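As an added illustration of Ben's point (a Python model written for this thread, not Acegi's own code): the objectDefinitionSource text is parsed and matched the way the thread's two configs imply, and a pattern containing an uppercase letter can never match a URL that was lowercased first, so the resource silently stays unprotected instead of failing closed. The whole-string, first-rule-wins match semantics and the Ant-to-regex translation are assumptions of this model.

```python
import re

LOWERCASE = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
ANT = "PATTERN_TYPE_APACHE_ANT"

# Constructed input: the definition source mlim posted (raw string keeps the \A and \Z anchors).
MLIM_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/jsp/mainMenu.*\Z=ROLE_USER
\A/lead/.*\Z=ROLE_ADMIN
"""

def ant_to_regex(pattern):
    """Ant path pattern to regex: ** spans directories, * stays within one segment, ? is one char."""
    parts = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.sub(r"\*\*|\*|\?|[^*?]+", lambda m: parts.get(m.group(), re.escape(m.group())), pattern)

def parse_definition_source(text):
    """Return (lowercase_flag, [(compiled_regex, raw_pattern, roles)]) in declaration order."""
    lowercase, ant, rules = False, False, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line == LOWERCASE:
            lowercase = True
        elif line == ANT:
            ant = True
        else:
            pattern, roles = line.split("=", 1)
            regex = ant_to_regex(pattern) if ant else pattern
            rules.append((re.compile(regex), pattern, tuple(r.strip() for r in roles.split(","))))
    return lowercase, rules

def required_roles(text, url):
    """Roles the first matching rule demands for url; None means no rule protects it (fail-open).
    Assumption: whole-string match, first rule wins, as in Acegi's definition maps."""
    lowercase, rules = parse_definition_source(text)
    candidate = url.lower() if lowercase else url
    for regex, _, roles in rules:
        if regex.fullmatch(candidate):
            return roles
    return None

def unreachable_patterns(text):
    """Patterns that can never match: an uppercase letter outside a backslash escape (so the
    anchors \\A and \\Z are ignored) while every incoming URL is lowercased before comparison."""
    lowercase, rules = parse_definition_source(text)
    if not lowercase:
        return []
    return [raw for _, raw, _ in rules if re.sub(r"\\.", "", raw) != re.sub(r"\\.", "", raw).lower()]
```

Running `unreachable_patterns` over a configuration before deployment catches exactly the mismatch mlim hit: `/jsp/mainMenu.jsp` returns no roles from the posted source, while the same URL returns ROLE_USER once the pattern reads `mainmenu`.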
twicet
02-17-2005, 02:11 AM
Quoting mlim: "I totally agree! Acegi (to me at least) has a very steep learning curve."
I do agree, as I had to read the manual about two times to really get it. But once you get it, everything starts making sense.
So to avoid the steep learning curve I would seriously advise anyone to get themselves a copy of Spring in Action (http://www.manning.com/walls2). Chapter 11 of this book covers Acegi really, really well!! It really simplifies Acegi. Couple this with the reference manual and you would be rolling.
rlbaldwin
02-17-2005, 09:30 PM
Try this one:
http://www.fstxblog.com/completely-geeked/2005/02/java-acegi-security-simplest-possible.html