This document is a brief description of the processing that occurs to authenticate and authorize an HTTP request using Acegi and the SAIS Framework.
The HTTP request is intercepted in a servlet filter, that delegates to a collection of Acegi filters, called the filter chain. The filter chain ensures the sequence of authorization and authentication processing, and manages authentication protocols and access to security information about users. Upon successful authentication and authorization it establishes a SecurityContext for use by the application.
The filter chain is configured in the Spring Context, the servlet filter in web.xml. SAIS applications will use either Spring Context configurations for security will be in either applicationContext-common-security.xml or applicationContext-web.xml, located in src/main/resources of the application.
The configuration bean for the filter chain is called the filterChainProxy. Here is a sample configuration:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> PATTERN_TYPE_APACHE_ANT /css/**=#NONE# /dhtml/**=#NONE# /images/**=#NONE# /js/**=#NONE# /**=httpSessionContextIntegrationFilter,ssoAuthenticationProcessingFilter,basicAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor </value> </property> </bean>
The filter chain run order is defined on the line starting with "/**=httpSessionContextIntegrationFilter". The items in this list are also configured bean references. They perform the following functions:
httpSessionContextIntegrationFilter: Gets an existing security context from the session, or creates a new empty context.
ssoAuthenticationProcessingFilter: If authentication has not already been established in the SecurityContext ( that is was not present in the session ), checks to see if the user is already set in the servlet request, indicating that SSO has authenticated the user. If so, it sets up all the data structures needed by the security context. This includes the list of roles that the user is authorized for, based on the results of calling the configured authorization services ( see below ).
basicAuthenticationProcessingFilter: If authentication has not already been established ( that is by either being present in the session or by SSO ), and the local.authentication property has been set, performs HTTP Basic authentication. The user is prompted for a username and password, which must match what is configured in the application property file. This filter is intended as a solution to running the application with a security context in the absence of SSO, which is the situation on developer's local workstations. This filter checks that the user and password entered in the login prompt in the browser match the property values for Local Authentication Properties.
Local Authentication Properties: A set of standard properties that tell the security framework. The following properties are used for local authentication. local.authentication=true
local.user.name=sabrown
local.user.password=whatever
All of these properties must be present. The local authentication properties should never be set on SAIS servers.
They are set in the Application Property File that resides in the user's home folder.
exceptionTranslationFilter: catches all exceptions from the filters that follow. Applies configured exception handlers based on the exception type caught. For example, if an AuthenticationException is thrown, indicating that the request is not authenticated yet, then it calls the method to start the authentication process. If an AccessDeniedException is thrown, indicating that authentication has failed, then the AccessDeniedHandler is called. The default handler simply sends an access denies http response code in the response header.
filterSecurityInterceptor: Secures the requested HTTP resource(s) based on the SecurityContext. The work is delegated to a number of helpers configured for this bean. Requires a definition of what resources are to be protected and what roles apply. If the requested resource is supposed to be protected and there is no established authentication in the SecurityContext by this point, it throws an AuthenticationException which is handled as described before. Otherwise, it will determine if authorization in the SecurityContext is sufficient for access to the resource, throwing AccessDeniedException if appropriate.
switchProcessingUserFilter: This is an optional filter that the allows a user to invoke a URL that lets them impersonate another user. Since access to this feature usually requires that the request be authorized for the URL resource that performs the switch, it follows the filterSecurityInterceptor in the chain. Once the switch is performed, the SecurityContext contains the credentials for a different user, but it also remembers the original user so impersonation may be exited and the original credentials restored.
The beans that determines which authorization services will be called to get the authenticated user's roles looks as follows:
<bean id="mitsisRolesUserDetailsService" class="edu.mit.common.security.acegi.userdetails.MitsisRolesUserDetailsService"> <property name="authorizationService" ref="authorizationService" /> </bean> <bean id="authorizationService" class="edu.mit.common.security.authorization.MultipleAuthorizationsService"> <property name="combine" value="false" /> <property name="authorizationServices"> <list> <ref bean="studentRoleAuthorizationService" /> <ref bean="mitRolesAuthorizationService" /> </list> </property> </bean>
mitsisRolesUserDetailsService: acts as an adapter between the Acegi security system and the authorization classes in the SAIS framework.
Basic Authentication: Acegi handles all the requirements of the Basic authentication protocol. It is a two step process. An unauthenticated request will result in a challenge response header sent to the browser that will result in the familiar ugly login box to the user. When the user submits the login credentials in what is now the second request, it contains a header with the credentials. The presence of this header is detected and processed by the basicAuthenticationProcessingFilterand the credentials are compared to the values from the application property file. If there is a match the data structures for the security context are configured including the list of roles from the configured authorization services. Since the first request does not contain the credentials header, it always falls through the filter chain to the filterSecurityInterceptor, which will throw an exception ( if the requested resource should be secured ), which is caught by the exceptionTranslationFilter, which in turn results in the challenge response being issued. You also may wonder, if there is now a second request required, what happened to the first one which actually has the resource you want to view ? It is temporarily stored in the session and then resumed if authentication and authorization succeed. So Acegi does a lot of work here that you normally do not have to worry about.