Ben,

You were right.  It was a problem with my securityEnforcementFilter bean
configuration.  I see it now. Once I changed to the
basicProcessingFilterEntryPoint bean reference it worked.  I also needed
your great explanation about SOAP authorization.  I will be giving a
presentation about Spring at AJUG (Atlanta User Group) next Tuesday.  I
will definitely mention this security plugin for Spring.  My next
challenge will be to get SSL Basic authentication configured with Acegi. 
Thank you so much for your attention about this problem.

Mark

> [EMAIL PROTECTED] wrote:
>
>>Ben,
>>
>>I had to force Basic authentication by modifying the BasicProcessingFilter
>>class so that the doFilter method sets the header field to "Basic "
>>if header is null.  I know this is ugly, but the SOAP client (Flash
>>component) is not sending this value when the request is made.  I do not
>>understand this.
>>
>>Anyways, here is what I had to code to force this to happen.  If you know
>>a better way then I would like to know about it.  I think that the Flash
>>client is not setting this header field correctly to indicate that it is
>>Basic auth, but I am not sure.  If I do not use this code then a
>>subsequent Acegi filter will try to redirect to a login page.  Please
>>advise.
>>
>>
>>
>>
> Mark
>
> What is supposed to happen is:
>
> 1. SOAP request received, and attempted to be executed.
> 2. MethodSecurityInterceptor throws AuthenticationException.
> 3. Wrapping SecurityEnforcementFilter detects AuthenticationException
> and calls AuthenticationEntryPoint (which must be
> BasicProcessingFilterEntryPoint).
> 4. BasicProcessingFilterEntryPoint responds with a challenge like this:
> WWW-Authenticate: Basic realm="WallyWorld"
> 5. SOAP client reads challenge, and retries request but this time with a
> header like this: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
> 6. SOAP request received, and attempted to be executed.
> 7. BasicProcessingFilter detects header and attempts authentication,
> placing successful Authentication into the HttpSession.
> 8. AutoIntegrationFilter grabs Authentication from HttpSession and puts it
> onto ContextHolder.
> 9. MethodSecurityInterceptor is successful this time, as an Authentication
> object is on ContextHolder.
>
> Your code change seems to suggest to me your SecurityEnforcementFilter
> isn't configured properly. It seems as if your BasicProcessingFilter is
> being used to simulate an attempted authentication, which will cause
> BasicProcessingFilter to launch BasicProcessingFilterEntryPoint right
> away (it's designed to do this, as the user might have presented invalid
> credentials, so they're given a chance to try again). Would you mind
> copying your application context XML into an email showing the
> configuration of the security objects? It should look something like this:
>
>     <bean id="securityEnforcementFilter"
>           class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
>         <property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
>         <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property> <!-- NB this line -->
>     </bean>
>
>     <bean id="basicProcessingFilter"
>           class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
>         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
>         <property name="authenticationEntryPoint"><ref bean="basicProcessingFilterEntryPoint"/></property>
>     </bean>
>
>     <bean id="basicProcessingFilterEntryPoint"
>           class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
>         <property name="realmName"><value>My Company's Realm</value></property>
>     </bean>
>
> Thanks
> Ben
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Acegisecurity-developer mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
>
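The challenge and retry exchange in steps 4 to 6 of the quoted reply, as an added example that is not part of the original thread and is not Acegi code. A constructed stub server stands in for the two entry-point configurations (Basic challenge versus redirect to a login page); the stub, the `/login.jsp` path and all function names are assumptions.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def basic_header(username, password):
    """Step 5 header value: 'Basic ' + base64(username:password)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def make_server(entry_point, expected=basic_header("Aladdin", "open sesame")):
    """Constructed stub: 'basic' sends a 401 challenge, anything else a login redirect."""
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if self.headers.get("Authorization") == expected:
                self.send_response(200)  # credentials accepted
            elif entry_point == "basic":
                self.send_response(401)  # step 4: Basic challenge
                self.send_header("WWW-Authenticate", 'Basic realm="WallyWorld"')
            else:
                self.send_response(302)  # wrong entry point: form login
                self.send_header("Location", "/login.jsp")  # hypothetical path
            self.send_header("Content-Length", "0")
            self.end_headers()
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 instead of following it

def probe(url, authorization=None):
    """POST once; return (status, WWW-Authenticate, Location) without following redirects."""
    headers = {"Authorization": authorization} if authorization else {}
    req = urllib.request.Request(url, data=b"<soap/>", headers=headers, method="POST")
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        resp = opener.open(req, timeout=5)
    except urllib.error.HTTPError as err:
        resp = err  # 401 and 302 arrive here; the headers are still readable
    return resp.code, resp.headers.get("WWW-Authenticate"), resp.headers.get("Location")

def handshake(url, username, password):
    """Steps 4 to 6: read the challenge, then retry once with credentials."""
    status, challenge, location = probe(url)
    if status != 401 or not (challenge or "").lower().startswith("basic"):
        return status, location  # no Basic challenge: entry point is not Basic
    return probe(url, basic_header(username, password))[0], challenge
```

A `(302, "/login.jsp")` result from `handshake` is the symptom described in the thread: a client that waits for a challenge never gets one, so it never sends the `Authorization` header.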


