
  • AOP Interceptors and Principals

    Hi,

    I'm trying to migrate an application using EJB 2.1 to Spring. In the old
    version, I have an EJB Dispatcher that audits the application. I'm developing a Spring
    AOP Interceptor to do something similar, but I don't know how to obtain the user
    principal in a simple manner.

    Using Acegi or a web filter that puts the user in the current thread would be a
    solution. Is there a simpler manner to do this?

    Thanks

  • #2
    Hi,

    You can use HTTPServlet's getUserPrincipal for your above problem.

    You can define a filter where you can get a reference to Request Object and then from that request object you can query getUserPrincipal.

    Refer to the example below.

    Example:

    The following example depicts a Web application or servlet using the programmatic security model. The following example is one usage and not necessarily the only usage of the programmatic security model. The application can use the information returned by the getUserPrincipal(), isUserInRole() and getRemoteUser() methods in any other way that is meaningful to that application. Using the declarative security model whenever possible is strongly recommended.


    File: HelloServlet.java

    public class HelloServlet extends javax.servlet.http.HttpServlet {

        // POST is intentionally a no-op in this example
        public void doPost(
                javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException, java.io.IOException {
        }

        public void doGet(
                javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException, java.io.IOException {

            String s = "Hello";

            // get remote user using getUserPrincipal()
            java.security.Principal principal = request.getUserPrincipal();
            String remoteUserName = "";
            if (principal != null) {
                remoteUserName = principal.getName();
            }
            // get remote user using getRemoteUser()
            String remoteUser = request.getRemoteUser();

            // check if remote user is granted Mgr role
            boolean isMgr = request.isUserInRole("Mgr");

            // display Hello username for managers and bob.
            if (isMgr || remoteUserName.equals("bob")) {
                s = "Hello " + remoteUserName;
            }

            String message = "<html>\n" +
                "<head><title>Hello Servlet</title></head>\n" +
                "<body>\n" +
                "<h1>" + s + "</h1>\n" +
                "</body></html>\n";
            byte[] bytes = message.getBytes();

            // displays "Hello" for ordinary users
            // and displays "Hello username" for managers and "bob".
            response.getOutputStream().write(bytes);
        }

    }

    After developing the servlet, you can create a security role reference for the HelloServlet as shown in the following example:

    Add this entry in web.xml

    <security-role-ref>
    <description> </description>
    <role-name>Mgr</role-name>
    </security-role-ref>


    Hope this helps



    • #3
      AOP Interceptors and Principals

      Hi kravicha,

      Thanks for your advice. Using the Servlet security model I can audit the application at the HTTP request level.
      I'm looking for a system to do the same but at the service level.

      For example, I could use a Filter that intercepts all the requests, then captures the principal using one of the methods of the Request Object and puts it in the Thread Local. Later, using an AOP interceptor, obtain the user located in the Thread Local and audit the Service Method calls. I think I could use the SecurityContextHolder Object instead of the Thread Local.

      Nevertheless I think this is too complicated. Does anybody know a simpler manner to do the same? I'd like something more "KISS".

      Thanks
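
The design described in post #3 (a filter that stores the request principal in a thread-local, read later by an AOP interceptor that audits service calls), as an added example that is not part of any post in this thread. The class names and log format are hypothetical, and it assumes the Servlet API and AOP Alliance jars are on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

/** Hypothetical holder class: one filter plus one audit advice sharing a thread-local. */
public final class PrincipalAudit {
    // One slot per request thread; a plain ThreadLocal is not inherited by child threads.
    private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<Principal>();

    public static Principal current() { return CURRENT.get(); }

    /** Map to /* in web.xml so it runs after container authentication. */
    public static class PrincipalFilter implements Filter {
        public void init(FilterConfig cfg) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            if (req instanceof HttpServletRequest)
                CURRENT.set(((HttpServletRequest) req).getUserPrincipal());
            try {
                chain.doFilter(req, res);
            } finally {
                // Container threads are pooled: clear the slot so the next request
                // on this thread is never audited under this caller's identity.
                CURRENT.remove();
            }
        }
    }

    /** Service-level audit advice; wire it around the service beans. */
    public static class AuditInterceptor implements MethodInterceptor {
        private static final Logger LOG = Logger.getLogger("audit");
        public Object invoke(MethodInvocation inv) throws Throwable {
            Principal p = current();
            // Replace CR/LF so a crafted user name cannot forge extra audit lines.
            String user = (p != null) ? p.getName().replaceAll("[\\r\\n]", "_") : "<unauthenticated>";
            String call = inv.getMethod().getDeclaringClass().getName() + "." + inv.getMethod().getName();
            try {
                Object result = inv.proceed();
                LOG.info("user=" + user + " call=" + call + " outcome=ok");
                return result;
            } catch (Throwable t) {
                // Failed calls are audited too, then rethrown unchanged.
                LOG.warning("user=" + user + " call=" + call + " outcome=" + t.getClass().getName());
                throw t;
            }
        }
    }
}
```

Work handed to another thread (an executor or an asynchronous call) does not see the thread-local, so calls made there are logged as unauthenticated unless the principal is passed along explicitly.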



      • #4
        Originally posted by javim
        ...
        Using Acegi or a web filter that puts the user in the current thread would be a
        solution. Is there a simpler manner to do this?

        Thanks
        I'm afraid it's not clear what you want to get eventually. All you need is to choose a security system to use and integrate your AOP interceptors with it. Am I right in understanding that you don't want to use Acegi and are asking about a 'simpler' security system?
