...
The HTTP request is passed through a series of filters, called the filter chain. Each filter performs one specific task. Which filters run, the order in which they run, and the helper classes they use to do their work are all declared in the Spring configuration for the chain, in the applicationContext-web.xml file under src/main/resources of the application. Once a request has been authenticated and authorized, a SecurityContext is established that the application can consult for the current principal and its granted authorities.
The bean that holds the filter configuration is called filterChainProxy. As the name suggests, it is a proxy that fronts the whole chain: the servlet container only ever sees one filter, declared in web.xml, which delegates every request it receives to this bean (in Acegi that delegating filter is org.acegisecurity.util.FilterToBeanProxy, configured with the name or class of the bean to look up). Both halves are required. Without the web.xml filter mapping the filterChainProxy bean is never invoked and every URL is reachable without authentication, so when a URL turns out to be unprotected, check the web.xml mapping before looking at the bean definition.
The filterChainProxy bean as configured in applicationContext-web.xml:

    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                PATTERN_TYPE_APACHE_ANT
                /css/**=#NONE#
                /dhtml/**=#NONE#
                /images/**=#NONE#
                /js/**=#NONE#
                /**=httpSessionContextIntegrationFilter,exceptionTranslationFilter,ssoAuthenticationProcessingFilter,mitBasicProcessingFilter,filterSecurityInterceptor,switchUserProcessingFilter
            </value>
        </property>
    </bean>
The filter chain run order is defined on the line starting with "/**=httpSessionContextIntegrationFilter": the comma-separated names are references to other beans in the same file, and the filters run in the order listed. The four lines above it map the static-content directories to #NONE#, which means requests for those paths pass through no security filter at all. FilterChainProxy uses the first pattern that matches the request URL, so the order of the lines matters: the catch-all /** must stay last, and anything placed under /css, /dhtml, /images or /js is public, so nothing that requires authentication or authorization should be served from those directories. The filters in the chain perform the following functions:
...
switchUserProcessingFilter: This is an optional filter that allows a user to invoke a URL that lets them impersonate another user. Because access to this feature must itself be authorized, it comes after filterSecurityInterceptor in the chain: the interceptor checks that the request is allowed to reach the switch URL before the switch is performed. The switch URL must therefore be restricted to an administrative role in the interceptor's configuration; if it is left open, any authenticated user can impersonate anyone. Once the switch is performed, the SecurityContext contains the authentication for the target user, but it also remembers the original user so impersonation can be exited and the original credentials restored.
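To make the first-match rule and the ordering constraints above concrete, here is an added example (written for this page, not code from the SAIS application or from Acegi) that parses the same filterInvocationDefinitionSource text, resolves sample request URLs against it, and lints each secured chain for the ordering the filters depend on. The Ant-style matcher and the lint rules are simplified stand-ins for what Acegi does internally; the sample URLs are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Model of how a FilterChainProxy definition source is resolved: one pattern
 * per line, tried in the order written, first match wins, and "#NONE#" means
 * the request bypasses every security filter. Added example, not Acegi code.
 */
public class FilterChainDefinitionResolver {

    /** The definition text from the filterChainProxy bean, copied verbatim. */
    static final String DEFINITION =
        "PATTERN_TYPE_APACHE_ANT\n"
        + "/css/**=#NONE#\n"
        + "/dhtml/**=#NONE#\n"
        + "/images/**=#NONE#\n"
        + "/js/**=#NONE#\n"
        + "/**=httpSessionContextIntegrationFilter,exceptionTranslationFilter,"
        + "ssoAuthenticationProcessingFilter,mitBasicProcessingFilter,"
        + "filterSecurityInterceptor,switchUserProcessingFilter\n";

    /** Insertion order is line order, which is also the match order. */
    private final Map<String, List<String>> chains = new LinkedHashMap<>();
    private final Map<String, Pattern> regexes = new LinkedHashMap<>();
    private boolean lowercase = false;   // set by the CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive

    FilterChainDefinitionResolver(String definition) {
        for (String raw : definition.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.equals("PATTERN_TYPE_APACHE_ANT")) continue;
            if (line.equals("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON")) { lowercase = true; continue; }
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("malformed line: " + line);
            String path = line.substring(0, eq).trim();
            String filters = line.substring(eq + 1).trim();
            List<String> names = filters.equals("#NONE#")
                ? Collections.<String>emptyList()
                : Arrays.asList(filters.split("\\s*,\\s*"));
            chains.put(path, names);
            regexes.put(path, antToRegex(path));
        }
    }

    /** Minimal Ant-style matcher: "**" spans directories, "*" and "?" stay within one segment. */
    static Pattern antToRegex(String ant) {
        StringBuilder sb = new StringBuilder("^");
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') { sb.append(".*"); i++; }
            else if (c == '*') sb.append("[^/]*");
            else if (c == '?') sb.append("[^/]");
            else sb.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.append('$').toString());
    }

    /** Filters applied to a request URL; an empty list means the request skips security entirely. */
    List<String> resolve(String requestUrl) {
        String url = lowercase ? requestUrl.toLowerCase() : requestUrl;
        for (Map.Entry<String, Pattern> e : regexes.entrySet()) {
            if (e.getValue().matcher(url).matches()) return chains.get(e.getKey());   // first match wins
        }
        throw new IllegalStateException("no pattern matched " + requestUrl + "; the /** catch-all is missing");
    }

    /** Ordering checks for every secured chain; returns a list of problems, empty when the chain is sound. */
    List<String> lint() {
        List<String> problems = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : chains.entrySet()) {
            List<String> f = e.getValue();
            if (f.isEmpty()) continue;   // #NONE#: nothing to order
            String p = e.getKey();
            if (!f.get(0).equals("httpSessionContextIntegrationFilter"))
                problems.add(p + ": httpSessionContextIntegrationFilter must run first so later filters see a SecurityContext");
            int et = f.indexOf("exceptionTranslationFilter"), fsi = f.indexOf("filterSecurityInterceptor");
            if (fsi < 0) problems.add(p + ": no filterSecurityInterceptor, so nothing enforces authorization");
            else if (et < 0 || et > fsi)
                problems.add(p + ": exceptionTranslationFilter must precede filterSecurityInterceptor to turn its exceptions into a login redirect or 403");
            int su = f.indexOf("switchUserProcessingFilter");
            if (su >= 0 && su < fsi)
                problems.add(p + ": switchUserProcessingFilter must follow filterSecurityInterceptor or the switch runs before authorization is checked");
        }
        return problems;
    }

    public static void main(String[] args) {
        FilterChainDefinitionResolver r = new FilterChainDefinitionResolver(DEFINITION);
        // Constructed sample URLs. Note that "/css/../student/grades.htm" matches /css/** here:
        // this matcher does no path normalization, so it relies on the servlet container having
        // collapsed ".." before the chain sees the URL, which is worth verifying per container.
        for (String url : new String[] { "/js/app.js", "/student/grades.htm", "/JS/app.js", "/css/../student/grades.htm" }) {
            List<String> chain = r.resolve(url);
            System.out.println(url + " -> " + (chain.isEmpty() ? "#NONE# (bypasses security)" : chain));
        }
        System.out.println("lint: " + r.lint());
    }
}
```

Run with `java FilterChainDefinitionResolver.java` on a recent JDK. The lint rules encode the dependencies described for the filters on this page: the session integration filter must be first because every later filter reads the SecurityContext it establishes, the exception translation filter must sit in front of the security interceptor so it can catch that interceptor's authentication and access-denied exceptions, and the switch-user filter must come after the interceptor so the switch URL is authorized before it takes effect.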
The beans that determine which authorization services are consulted for the authenticated user's roles look as follows:
    <bean id="mitsisRolesUserDetailsService" class="edu.mit.common.security.acegi.userdetails.MitsisRolesUserDetailsService">
        <property name="authorizationService" ref="authorizationService" />
    </bean>

    <bean id="authorizationService" class="edu.mit.common.security.authorization.MultipleAuthorizationsService">
        <property name="combine" value="false" />
        <property name="authorizationServices">
            <list>
                <ref bean="studentRoleAuthorizationService" />
                <ref bean="mitRolesAuthorizationService" />
            </list>
        </property>
    </bean>
mitsisRolesUserDetailsService: acts as an adapter between the Acegi security system and the authorization classes in the SAIS framework. Acegi asks it for the details of a user by username; it answers by asking the configured authorizationService (here a MultipleAuthorizationsService that consults studentRoleAuthorizationService and mitRolesAuthorizationService, in that order) for the user's roles and presenting them to Acegi as the user's granted authorities.
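The following is an added example of the adapter arrangement just described; it is not code from the SAIS framework or from Acegi. The Acegi UserDetailsService, UserDetails and GrantedAuthority types and the SAIS authorization services are replaced by minimal local stand-ins, the user-to-role tables are constructed sample data, and the meaning of the combine flag is an assumption made for the example (false stops at the first service that knows the user, true unions the roles of every service), since this page does not define it. The ROLE_ prefix follows the default expected by Acegi's RoleVoter.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example modelling mitsisRolesUserDetailsService over MultipleAuthorizationsService. */
public class RolesUserDetailsAdapterExample {

    /** Stand-in for a SAIS authorization service: roles for a username, empty if the user is unknown. */
    interface AuthorizationService {
        Set<String> rolesFor(String username);
    }

    /** Stand-in for MultipleAuthorizationsService: ordered delegation with a combine switch (semantics assumed). */
    static final class MultipleAuthorizationsService implements AuthorizationService {
        private final boolean combine;
        private final List<AuthorizationService> services;

        MultipleAuthorizationsService(boolean combine, List<AuthorizationService> services) {
            this.combine = combine;
            this.services = services;
        }

        @Override public Set<String> rolesFor(String username) {
            Set<String> roles = new LinkedHashSet<>();
            for (AuthorizationService s : services) {      // list order from the Spring <list> element
                Set<String> found = s.rolesFor(username);
                if (found.isEmpty()) continue;
                roles.addAll(found);
                if (!combine) break;                        // assumed: combine=false stops at the first hit
            }
            return roles;
        }
    }

    /** Fixed-table service standing in for studentRoleAuthorizationService / mitRolesAuthorizationService. */
    static final class TableAuthorizationService implements AuthorizationService {
        private final Map<String, Set<String>> table;
        TableAuthorizationService(Map<String, Set<String>> table) { this.table = table; }
        @Override public Set<String> rolesFor(String username) { return table.getOrDefault(username, Set.of()); }
    }

    /** Stand-in for Acegi's UserDetails: the username plus its granted authority strings. */
    record UserDetails(String username, List<String> authorities) {}

    /** Thrown where the real adapter would throw Acegi's UsernameNotFoundException. */
    static final class UnknownUserException extends RuntimeException {
        UnknownUserException(String u) { super("no authorization service knows user " + u); }
    }

    /** The adapter in the role of mitsisRolesUserDetailsService. */
    static final class MitsisRolesUserDetailsService {
        private final AuthorizationService authorizationService;
        MitsisRolesUserDetailsService(AuthorizationService a) { this.authorizationService = a; }

        UserDetails loadUserByUsername(String username) {
            Set<String> roles = authorizationService.rolesFor(username);
            if (roles.isEmpty()) throw new UnknownUserException(username);   // fail closed: no roles, no principal
            List<String> authorities = new ArrayList<>();
            for (String r : roles) authorities.add("ROLE_" + r.toUpperCase());   // RoleVoter's default prefix
            return new UserDetails(username, List.copyOf(authorities));
        }
    }

    public static void main(String[] args) {
        // Constructed sample data, not real SAIS roles.
        AuthorizationService student = new TableAuthorizationService(Map.of(
            "alice", Set.of("student"),
            "bob", Set.of("student")));
        AuthorizationService mit = new TableAuthorizationService(Map.of(
            "bob", Set.of("registrar"),
            "carol", Set.of("advisor")));
        List<AuthorizationService> ordered = Arrays.asList(student, mit);

        MitsisRolesUserDetailsService firstWins =
            new MitsisRolesUserDetailsService(new MultipleAuthorizationsService(false, ordered));
        MitsisRolesUserDetailsService union =
            new MitsisRolesUserDetailsService(new MultipleAuthorizationsService(true, ordered));

        System.out.println("bob,   combine=false: " + firstWins.loadUserByUsername("bob").authorities());
        System.out.println("bob,   combine=true:  " + union.loadUserByUsername("bob").authorities());
        System.out.println("carol, combine=false: " + firstWins.loadUserByUsername("carol").authorities());
        try {
            firstWins.loadUserByUsername("mallory");
        } catch (UnknownUserException e) {
            System.out.println("mallory: " + e.getMessage());
        }
    }
}
```

Run with `java RolesUserDetailsAdapterExample.java` on JDK 16 or later. Under the assumed semantics, bob receives only ROLE_STUDENT with combine=false because the student service is listed first and answers for him, while combine=true also gives him ROLE_REGISTRAR; whichever way the real flag behaves, the point to take from the configuration is that the order of the <list> and the value of combine together decide which roles an Acegi principal ends up with, and a user no service knows should fail to load rather than load with an empty authority list.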