...

<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
	<property name="filterInvocationDefinitionSource">
		<value>
			PATTERN_TYPE_APACHE_ANT
			/css/**=#NONE#
			/dhtml/**=#NONE#
			/images/**=#NONE#
			/js/**=#NONE#
			/**=httpSessionContextIntegrationFilter,ssoAuthenticationProcessingFilter,basicAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor,switchUserProcessingFilter
		</value>
	</property>
</bean>

...

httpSessionContextIntegrationFilter: Gets an existing security context from the session, or creates a new empty context.

ssoAuthenticationProcessingFilter: If authentication has not already been established in the SecurityContext (that is, it was not present in the session), checks whether the user is already set in the servlet request, indicating that SSO has authenticated the user. If so, it sets up all the data structures needed by the security context. This includes the list of roles the user is authorized for, based on the results of calling the configured authorization services (see below).

basicAuthenticationProcessingFilter: If authentication has not already been established (that is, either by being present in the session or by SSO), and the local authentication property has been set in the application property file, performs Basic authentication against the local credentials. The user is prompted for a username and password, which must match what is configured in the application property file. This filter is intended as a solution for running the application with a security context in the absence of SSO, which is what is needed on developers' local workstations. The local authentication property should never be set on SAIS servers. Acegi handles all the requirements of the Basic authentication protocol. It is a two-step process that requires two requests. The first request is unauthenticated. An unauthenticated request results in an AuthenticationException, which starts the Basic authentication process, which in turn sends a response with an authentication challenge in the header. Browsers interpret this header by showing the user the familiar ugly login box. When the user submits the login credentials in what is now the second request, it contains a header with the credentials. The presence of this header is detected and processed by the basicAuthenticationProcessingFilter, and the credentials are compared to the values from the application property file. If there is a match, the data structures for the security context are configured, including the list of roles from the configured authorization services. However, in this case the presence of role properties in the application property file bypasses the calls to the authorization services. Since the first request does not

exceptionTranslationFilter: Catches all exceptions from the filters that follow and applies the configured exception handlers based on the type of exception caught. For example, if an AuthenticationException is thrown, indicating that the request is not authenticated yet, it calls the method that starts the authentication process. If an AccessDeniedException is thrown, indicating that access has been denied, the AccessDeniedHandler is called. The default handler simply sends an access-denied HTTP response status code.

filterSecurityInterceptor: Secures the requested HTTP resource(s) based on the SecurityContext. The work is delegated to a number of helpers configured for this bean. Requires a definition of what resources are to be protected and what roles apply. If the requested resource is supposed to be protected and there is no established authentication in the SecurityContext by this point, it throws an AuthenticationException, which is handled as described above. Otherwise, it determines whether the authorization in the SecurityContext is sufficient for access to the resource, throwing AccessDeniedException if it is not.
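The chain described above, modelled end to end as an added example (this is not Acegi code or this project's code): the session holds the context, SSO and Basic processing populate it, the exception translation step turns AuthenticationException into the Basic challenge and AccessDeniedException into a denial, and role properties in the property file bypass the authorization service. Property values, paths, role names and the session key are constructed assumptions.

```python
import base64, hmac

# Constructed stand-in for the application property file (not real values).
LOCAL_PROPS = {"local.auth": True, "local.user": "dev", "local.password": "s3cret",
               "local.roles": "ROLE_USER"}
PROTECTED = [("/admin/", {"ROLE_ADMIN"}), ("/", {"ROLE_USER"})]  # path prefix -> roles needed

class AuthenticationException(Exception): pass
class AccessDeniedException(Exception): pass

def authorization_service(user):
    return {"ROLE_USER"}   # stand-in for the configured authorization services

def sso_filter(req, ctx):
    if not ctx.get("user") and req.get("remote_user"):  # SSO already set the user on the request
        ctx["user"] = req["remote_user"]
        ctx["roles"] = authorization_service(ctx["user"])

def basic_filter(req, ctx):
    header = req["headers"].get("Authorization", "")
    if ctx.get("user") or not LOCAL_PROPS["local.auth"] or not header.startswith("Basic "):
        return   # already authenticated, local auth off, or first (unauthenticated) request
    user, _, pw = base64.b64decode(header[6:]).partition(b":")
    if not (hmac.compare_digest(user, LOCAL_PROPS["local.user"].encode())
            & hmac.compare_digest(pw, LOCAL_PROPS["local.password"].encode())):
        raise AuthenticationException("bad local credentials")
    ctx["user"] = user.decode()
    roles = LOCAL_PROPS.get("local.roles")  # role properties bypass the authorization services
    ctx["roles"] = set(roles.split(",")) if roles else authorization_service(ctx["user"])

def security_interceptor(req, ctx):
    for prefix, needed in PROTECTED:
        if req["path"].startswith(prefix):
            if not ctx.get("user"):
                raise AuthenticationException("not authenticated")
            if not needed & ctx["roles"]:
                raise AccessDeniedException(req["path"])
            break
    return {"status": 200}

def handle(req, session):
    ctx = session.setdefault("ACEGI_SECURITY_CONTEXT", {})  # httpSessionContextIntegrationFilter
    try:
        sso_filter(req, ctx)
        basic_filter(req, ctx)
        return security_interceptor(req, ctx)
    except AuthenticationException:  # exceptionTranslationFilter: start the Basic handshake
        return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="local"'}}
    except AccessDeniedException:    # AccessDeniedHandler: send the access-denied status
        return {"status": 403}
```

Calling handle twice with the same session dict reproduces the two-request handshake; a third call without credentials succeeds because the context now lives in the session.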

...