Acegi Security in one hour

A concise guide to securing your Java Web applications

Page 2 of 7

Adding authentication services

In a secured Web application, authentication is the process that verifies the user's identity. When a user clicks on a link, an HTTP request goes to the Web server and in turn to the application server that holds the requested resource. The server then checks whether the requested resource is protected. If the resource is protected and the user is not already authenticated, a security mechanism redirects the request to a login page. Based on the credentials the user supplies on that page, the application either proceeds to the next step or redirects to the login page again.

To add Acegi Security authentication to the example application, you need to configure Acegi beans in a Spring configuration file. Acegi Security requires many Spring beans, so you can put them in a separate configuration file named applicationContext-acegi-security.xml.

FilterChainProxy, you'll recall from Listing 1, intercepts all HTTP requests that match the specified URL patterns. It then delegates each request to the series of Spring-managed beans (filters) that the filterInvocationDefinitionSource bean property assigns to that URL pattern. Listing 4 shows the filter chain for Acegi Security.

Listing 4. Filter chain

<bean id="filterChainProxy"
  class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /j_acegi_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
      /**/*=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    </value>
  </property>
</bean>
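To make the dispatch rule in Listing 4 concrete, here is an added Python model (not Acegi's own code) that parses a filterInvocationDefinitionSource value, resolves the filter chain for a request URL the way FilterChainProxy does (the first matching pattern wins, after lowercasing when CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is set, and the trailing * in /j_acegi_security_check* is what lets a query string still match), and flags entries that a catch-all pattern makes unreachable. The Ant-pattern translation and the catch-all check are simplifications written for this page, and the request URLs used to exercise it are constructed.

```python
import re
# Constructed copy of the filterInvocationDefinitionSource text from Listing 4.
DEFINITION_SOURCE = """
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    PATTERN_TYPE_APACHE_ANT
    /j_acegi_security_check*=httpSessionContextIntegrationFilter,authenticationProcessingFilter
    /**/*=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
"""

def ant_to_regex(pattern):
    """Translate an Apache Ant path pattern into a compiled regular expression."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):   # zero or more whole directories
            out.append("/(?:.*/)?"); i += 4
        elif pattern.startswith("**", i):   # anything, slashes included
            out.append(".*"); i += 2
        elif pattern[i] == "*":             # anything within one path segment
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out))

def parse_definition_source(text):
    """Return (lowercase_urls, [(pattern, [filter bean names]), ...]) in file order."""
    lowercase, entries = False, []
    for line in (l.strip() for l in text.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif line and line != "PATTERN_TYPE_APACHE_ANT":
            pattern, _, filters = line.partition("=")
            entries.append((pattern.strip(), [f.strip() for f in filters.split(",") if f.strip()]))
    return lowercase, entries

def filters_for(url, lowercase, entries):
    """Resolve the filter chain for a request URL; the first matching entry wins."""
    if lowercase:
        url = url.lower()
    for pattern, filters in entries:
        if ant_to_regex(pattern).fullmatch(url):
            return filters
    return []   # no entry matched: the request passes through without any Acegi filter

def shadowed_patterns(entries):
    """Config lint: entries listed after a catch-all pattern can never be selected."""
    for index, (pattern, _) in enumerate(entries):
        if pattern in ("/**", "/**/*"):
            return [p for p, _ in entries[index + 1:]]
    return []
```

Running shadowed_patterns over a definition source is a cheap sanity check to add to a build: if /**/* is listed first, the login-check entry is never consulted and the login POST is handled only by the generic chain.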

Acegi Security performs two steps when an unauthenticated user attempts to access a protected resource:

Step 1: Redirecting to login page

When an unauthenticated user tries to access a protected link, ExceptionTranslationFilter catches the resulting exception and invokes AuthenticationEntryPoint. AuthenticationEntryPoint redirects the HTTP request to a login page, as you can see from the authenticationProcessingFilterEntryPoint bean definition in Listing 5.

Listing 5. Bean definition for authenticationProcessingFilterEntryPoint

<bean id="exceptionTranslationFilter"
  class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <ref local="authenticationProcessingFilterEntryPoint" />
  </property>

  ...
</bean>

<bean id="authenticationProcessingFilterEntryPoint"
  class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <!-- the page an unauthenticated request is redirected to -->
  <property name="loginFormUrl">
    <value>/login.jsp</value>
  </property>
  <!-- false: the login page is served as requested; true forces the redirect onto HTTPS -->
  <property name="forceHttps">
    <value>false</value>
  </property>
</bean>

Step 2: Submission of authentication credentials

The user now fills out the login form and submits the HTTP request. FilterChainProxy intercepts the request again. Because the request is submitted to the /j_acegi_security_check URL pattern, it is delegated to the matching filter chain in Listing 4, and AuthenticationProcessingFilter performs the actual job of authentication. AuthenticationProcessingFilter, shown in Listing 6, validates the credentials (user ID and password) the user entered. If authentication succeeds, the request is forwarded to the requested page (provided the user is authorized to access it; more about this later). If authentication fails, the user is redirected to the login page again.

Listing 6. AuthenticationProcessingFilter

<bean id="authenticationProcessingFilter"
  class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager">
    <ref bean="authenticationManager" />
  </property>
  <property name="authenticationFailureUrl">
    <value>/login.jsp?login_error=1</value>
  </property>
  <property name="defaultTargetUrl">
    <value>/</value>
  </property>
  <property name="filterProcessesUrl">
    <value>/j_acegi_security_check</value>
  </property>
</bean>

authenticationManager, defined in Listing 7, is responsible for passing each authentication request through its list of AuthenticationProviders in turn.

Listing 7. authenticationManager definition

<bean id="authenticationManager"
  class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider" />
      <ref local="anonymousAuthenticationProvider" />
    </list>
  </property>
</bean>
