Issue Details (XML | Word | Printable)

Key: APF-1006
Type: Bug Bug
Status: Resolved Resolved
Resolution: Cannot Reproduce
Priority: Major Major
Assignee: Matt Raible
Reporter: beno?t moraillon
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
AppFuse

bug Acegi security and authenticated user without any application roles

Created: 18/Jan/08 08:10 AM   Updated: 03/May/08 09:54 PM   Resolved: 03/May/08 09:54 PM
Component/s: Security
Affects Version/s: 2.0.1
Fix Version/s: 2.0.1

Environment: LDAP authentication


 Description  « Hide
NullPointerException occurs when a user succeed authentication without any application roles.
i suggest to change security.xml in order to better manage access denied :

1) replace exceptionTranslationFilter by this one :

    <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
            <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/login.jsp"/>
                <property name="forceHttps" value="false"/>
            </bean>
         </property>
  <property name="accessDeniedHandler">
   <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
    <property name="errorPage" value="/login.jsp?accessDenied=true"/>
   </bean>
  </property>
   </bean>


2) add this to login.jsp :

<c:if test="${param.accessdenied != null}">
    <li class="error" >
        <img src="${ctx}/images/iconWarning.gif" alt="<fmt:message key='icon.warning'/>" class="icon"/>
        <fmt:message key="errors.accessDenied"/>
        <%--${sessionScope.ACEGI_SECURITY_LAST_EXCEPTION.message}--%>
    </li>
 
</c:if>


3) add this in applicationresources.properties :

errors.accessDenied=Vous n'avez pas de droits suffisants pour accéder à cette application.



Sort Order: Ascending order - Click to sort in descending order
[ Permalink | « Hide ]
Matt Raible added a comment - 18/Jan/08 11:25 AM
Are you sure this isn't a duplicate of APF-940?

[ Permalink | « Hide ]
Matt Raible added a comment - 03/May/08 09:54 PM
Unable to reproduce with the following steps:

1. Created a new project with Spring MVC Basic.
2. Ran with mvn jetty:run-war
3. Deleted user roles from database with "delete from user_role".
4. Logged in with admin/admin.

Result: Received Access Denied page rather than NPE.

Atlassian JIRA (v4.0#466) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for AppFuse. Try JIRA - bug tracking software for your team.