
  • Advice not woven when springsecurity is used

    Hi there. I'm working on a project with a very traditional spring architecture, nothing fancy here.

    We have modules (jars) and each one of them holds an application context.

    So, we have an orm.jar with its app context declaring the entitymanager, for example.

    We have a business jar that contains an app context with services, and imports the orm.

    We have a web layer with an app context that imports the business.

    On top of that, we have a jar for security that the web layer also imports (we use spring security) and we define the proper web filters to point to springsecurity's filter.

    Our stack has been in production for a while, never had any major issues up to now.

    I needed to add an aspect to our service classes. I've done that quite a few times with Spring, and never thought it would be an issue. It's a simple around advice:

    Code:
    public Object filterData(ProceedingJoinPoint pjp) throws Throwable {

        logger.debug("Invoking method: {}", pjp.getSignature().getName());
        // Run the advised service method first, then filter what it returned.
        Object ret = pjp.proceed();

        // Unauthenticated callers, and callers whose API scope is PUBLIC, only get the "public" properties.
        if (!SecurityContextHolder.getContext().getAuthentication().isAuthenticated() || SecurityContext.getAuthentication().getApi().getScope() == Scope.PUBLIC) {
            if (ret == null)
                return null;
            PropertyFilterBean filter = new PropertyFilterBean("public");
            if (ResourceEntity.class.isAssignableFrom(ret.getClass())) {
                // Filter the wrapped payload and put it back into the same entity.
                Object filtered = filter.filter(((ResourceEntity)ret).getData());
                ((ResourceEntity)ret).setData(filtered);
            } else {
                ret = filter.filter(ret);
            }

        }
        return ret;
    }
    And this aspect is configured like this:

    Code:
    	<aop:config>
    		<aop:pointcut expression="execution(* com.acme.services..*.*(..))"
    			id="allServicesExecution" />
    		<aop:aspect id="securityPropertyFilter" ref="securityPropertyFilterAspect"
    			order="999">
    			<aop:around method="filterData" pointcut-ref="allServicesExecution" />
    		</aop:aspect>
    	</aop:config>
    I've set the order to be very high, so the <tx:> aspects are executed outside this one.

    So, ran a few integration tests using Spring tests, and voila, my aspect was working as expected.

    But, when I package it inside the war file, the aspect does not get triggered.

    I'm assuming the problem is with springsecurity because the moment I remove the import of that context, and get rid of the filters, the aspect is triggered (of course now, it won't work properly since SecurityContextHolder will have a null reference to authentication)

    Would anyone have an idea of what could be messing with my aspect? From the docs it seems that one can't use <aop:config> when using auto-proxying. I wonder if this is the case for springsecurity (we do use @Secure annotations), and if it is, what would be the solution?

    Regards

  • #2
    I'm getting better at answering my own questions:

    Had to turn on proxy-target-class=true on security:global-method-security

    Did the trick

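Because the advice in this thread is a data filter, a deployment where it silently fails to apply returns unfiltered objects to public callers. The following is an added example, not code from either post: a startup check that inspects each service bean's advisor chain and aborts context startup if the `filterData` advice is missing. The class name `FilterAdviceStartupCheck` is hypothetical, and it assumes the services are singleton beans wrapped by a single Spring AOP proxy and that this class is registered as a bean in the same application context.

```java
import java.util.Map;

import org.springframework.aop.Advisor;
import org.springframework.aop.aspectj.AbstractAspectJAdvice;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;

// Added example (hypothetical class): abort startup when a service bean
// is missing the data-filtering advice, instead of serving unfiltered data.
public class FilterAdviceStartupCheck implements ApplicationListener<ContextRefreshedEvent> {

    // Both values are taken from the pointcut and aspect shown in the thread.
    private static final String SERVICE_PACKAGE = "com.acme.services.";
    private static final String ADVICE_METHOD = "filterData";

    @Override
    public void onApplicationEvent(ContextRefreshedEvent event) {
        ApplicationContext ctx = event.getApplicationContext();
        // Singletons only, no eager init: scoped beans are not covered by this check.
        Map<String, Object> beans = ctx.getBeansOfType(Object.class, false, false);
        for (Map.Entry<String, Object> e : beans.entrySet()) {
            Class<?> target = AopUtils.getTargetClass(e.getValue());
            if (target.getName().startsWith(SERVICE_PACKAGE) && !hasFilterAdvice(e.getValue())) {
                throw new IllegalStateException("Bean '" + e.getKey() + "' (" + target.getName()
                        + ") is not advised by " + ADVICE_METHOD + "; refusing to start");
            }
        }
    }

    // True when the bean is a Spring AOP proxy whose advisor chain contains
    // an AspectJ-style advice bound to the filterData method.
    static boolean hasFilterAdvice(Object bean) {
        if (!(bean instanceof Advised)) {
            return false; // raw object: no proxy, so no advice at all
        }
        for (Advisor advisor : ((Advised) bean).getAdvisors()) {
            if (advisor.getAdvice() instanceof AbstractAspectJAdvice) {
                AbstractAspectJAdvice advice = (AbstractAspectJAdvice) advisor.getAdvice();
                if (ADVICE_METHOD.equals(advice.getAspectJAdviceMethod().getName())) {
                    return true;
                }
            }
        }
        return false;
    }
}
```

The check runs in the packaged application as well as in integration tests, which is where the two diverged in this thread.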