  • Putting security annotations in BlahController_Roo_Controller.aj

    It seems Spring security now has 3 different implementations that can be implemented by annotations at the method level,

    1) secured-annotations for pre-Spring 3.0 security

    2) jsr250-annotations the Java standard way

    3) pre-post-annotations introduced in Spring 3.0

    I think I am right in saying each can be applied by putting an annotation, e.g. @Secure("ROLE_BLAH") or similar, at the start of a method.

    I am not able to get any of these to be recognised when I put them above the methods in BlahRecordController_Roo_Controller.aj

    Is it possible to include these security annotations in these aspects? If so, what should I be doing?

    I am enabling the relevant security settings as follows:
    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" pre-post-annotations="enabled" />

  • #2
    I don't have the answer for you, but I do know that it's not a good idea to modify your project's .aj files, as these are managed by Roo (which might decide to remove your changes at some later point). If you want to customise your controllers' behaviour, the safe approach is to "push in" the relevant elements (methods, etc) from the .aj file into the .java file, and make your changes there. You might even find that this makes your annotations work properly.



    • #3
      Good news... AspectJ is smart enough to allow you to introduce annotations to methods that were also introduced via an ITD!

      The following is the "normal" style we use in Roo ITDs:

      Code:
          @LogIt
          public static List<Choice> Choice.findAllChoices() {..}
      This adds a findAllChoices() method into the Choice type. It also ensures that method is annotated with @LogIt.

      This is actually equivalent:

      Code:
          declare @method: public List<Choice> Choice.findAllChoices(): @LogIt;
      
          public static List<Choice> Choice.findAllChoices() {..}
      The good news is the "declare @method" can be in a different ITD to the one that defines the method introduction. Therefore you can easily add annotations to Roo ITD-introduced methods, which will be ideal for your security use case.

      HTH
      Ben

      PS: Ensure you're using the latest AJDT and AspectJ, otherwise you might see bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=288635. I tested the above with AJDT version 2.0.3.e35x-20100129-1100; AspectJ version 1.6.8.20100108135337 in STS 2.3.1.RC2.



      • #4
        Originally posted by Ben Alex
        Good news... AspectJ is smart enough to allow you to introduce annotations to methods that were also introduced via an ITD!
        Great!!!!

        I think this is very useful!!



        • #5
          Hello Alex

          Thanks for that, it could be very helpful, but how do I implement it?

          For example the following is standard Roo generated code

          BlahController_Roo_Controller.aj {
          ...
          public String BlahController_Roo_Controller.list(@RequestParam(value = "page", required = false) Integer page, @RequestParam(value = "size", required = false) Integer size, ModelMap modelMap)
          ..
          }

          So I created an aspect

          privileged aspect BlahController_Our_Controller {
          declare @method: public String BlahController.list():
          @Secured("ROLE_TELLER");
          }

          But I get error The method 'public java.lang.String BlahController.list()' does not exist

          So I tried with all the parameters

          declare @method: public String BlahController.list(Integer page, Integer size, ModelMap modelMap): @Secured("ROLE_TELLER");

          But I get an error
          Syntax error on token "page", ")"
          which suggests to me that there should be no parameters



          • #6
            Originally posted by MarkGo
            For example the following is standard Roo generated code

            Code:
            BlahController_Roo_Controller.aj {
            ...
            public String BlahController_Roo_Controller.list(@RequestParam(value = "page", required = false) Integer page, @RequestParam(value = "size", required = false) Integer size, ModelMap modelMap)
            ..
            }
            So I created an aspect

            privileged aspect BlahController_Our_Controller {
            declare @method: public String BlahController.list():
            @Secured("ROLE_TELLER");
            }

            But I get error The method 'public java.lang.String BlahController.list()' does not exist
            AspectJ is correct. You should use BlahController.list(..) (ie the .. means 0 or more matching arguments to AspectJ). Your expression above said you want a list() method with zero arguments.

            Originally posted by MarkGo
            So I tried with all the parameters

            Code:
            declare @method: public String BlahController.list(Integer page, Integer size, ModelMap modelMap): @Secured("ROLE_TELLER");
            But I get an error
            Syntax error on token "page", ")"
            which suggests to me that there should be no parameters
            In this second case you're putting in parameter names (ie page, size, modelMap). Try removing them, but leaving the parameter types (ie Integer, Integer, ModelMap). Assuming you've imported the types in the aspect's import statement area, or fully qualified those parameter types, it should work.

            A good overview of writing pointcut definitions can be found in the AspectJ documentation. But I think the above will set you in the right direction. If not please don't forget to include your AJDT and AspectJ view (as shown in the About dialogue of STS/Eclipse after you click the AspectJ button).



            • #7
              I have got the following to compile

              declare @method: public String OwnerController.list(Integer , Integer , ModelMap ): @Secured("ROLE_TELLER");

              But even with the following in applicationContext-security.xml it still does not stop me accessing the owner list when I do not have the role "ROLE_TELLER".

              <global-method-security secured-annotations="enabled"> </global-method-security>



              • #8
                You need to add the Spring Security Aspects library into your Aspect Path and modify your global-method-security accordingly. I'd recommend asking about this on the Spring Security forum.

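Posts #6 to #8 put together, as an added example that is not part of the original thread or of Roo's generated code: a hand-written aspect that annotates the Roo-introduced `list` method, plus a reflection check that separates "annotation not woven" from "annotation woven but not enforced". The package `com.example.web`, the aspect name `OwnerController_Security` and the helper `listIsSecured()` are assumptions; `mode="aspectj"` is the Spring Security 3.0 namespace attribute for AspectJ-based enforcement, assumed here to be the change post #8 refers to.

```aspectj
// Added example: OwnerController_Security.aj (hypothetical file and aspect name).
// Kept separate from OwnerController_Roo_Controller.aj so Roo never rewrites it.
package com.example.web; // assumed package of OwnerController

import org.springframework.security.access.annotation.Secured; // Spring Security 3.x
import org.springframework.ui.ModelMap;

privileged aspect OwnerController_Security {

    // Signature pattern uses parameter TYPES only, never parameter names.
    //   list()                      -> matches only a zero-argument method
    //   list(Integer page, ...)     -> syntax error (names are not allowed)
    //   list(..)                    -> any arguments, also annotates overloads
    // The exact type list below annotates only the one method intended.
    declare @method:
        public String OwnerController.list(Integer, Integer, ModelMap):
        @Secured("ROLE_TELLER");

    // Diagnostic helper (hypothetical): true when weaving attached @Secured
    // to the introduced method. If this returns true but access is still not
    // denied, the problem is enforcement, not the declare @method statement.
    public static boolean listIsSecured() throws NoSuchMethodException {
        return OwnerController.class
            .getMethod("list", Integer.class, Integer.class, ModelMap.class)
            .isAnnotationPresent(Secured.class);
    }
}

// Enforcement side, in applicationContext-security.xml:
//   <global-method-security mode="aspectj" secured-annotations="enabled"/>
// With mode="aspectj" the check is woven into the class by the
// spring-security-aspects library instead of relying on Spring AOP proxies,
// so that library must be on the AspectJ compiler's aspect path.
```

Calling `listIsSecured()` from a unit test after a full build shows whether the annotation reached the compiled controller before any time is spent on the security configuration.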