Announcement Announcement Module
Collapse
No announcement yet.
roo security @preAuthorize @postFilter issues Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • roo security @preAuthorize @postFilter issues

    Hi,

    I'm using spring security 3.0.5 with roo. I've been at this for a while now, can't figure it out... so I hope you guys can help.

    In one of my Domain classes I added some find methods to the .java file (in addition to the roo generated ones in the .aj file).

    Trying to secure them as follows doesn't seem to do anything if using mode="aspectj" in the global method security namespace element. Everything works, but I don't think method security is ever actually applied. Don't see anything in logs...

    Code:
    @PreAuthorize("ROLE_USER")
    @PostFilter("hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')")
    Trying to use aop instead, method security is applied:

    Code:
    org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PreAuthorize(value=ROLE_USER) found on specific method: public static java.util.List x.y.DomainObject.findX()
    2011-02-27 10:32:45,728 ["http-bio-8080"-exec-8] DEBUG org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PostFilter(value=hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')) found on specific method: public static java.util.List x.y.DomainObject.findX()
    2011-02-27 10:32:45,737 ["http-bio-8080"-exec-8] DEBUG org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource - Adding security method [CacheKey[x.y.DomainObject; public static java.util.List x.y.DomainObject.findX()]] with attributes [[authorize: 'ROLE_USER', filter: 'null', filterTarget: 'null'], [authorize: 'null', filter: 'hasPermission(filterTarget,role) or hasRole('ROLE_ADMIN')']]
    but results in:

    Code:
    java.lang.IllegalStateException: Post-processor tried to replace bean instance of type [x.y.DomainObject] with (proxy) object of type [$Proxy134] - not supported for aspect-configured classes!
    So my question is:

    Is it even possible to secure methods on the same class in the .aj files as well as the .java files?

    If not what would be the best way to achieve what I want?
    Add my own methods as aspects and only use aspectj mode?

    Thanks!

  • #2
    Did you enable the security aspects in your pom?

    http://forum.springsource.org/showpo...40&postcount=3

    (Look at step #2 - if you don't do that, Spring Security aspects won't be compiled into your code and the annotations won't do anything.)

    Comment


    • #3
      Thanks, I was missing that.

      Edit: That did it!!! Thanks a lot!

      Could you still tell me how you knew to do exactly that? I read all the docs, reference guides and so on. I didn't find that info anywhere.
      Last edited by muskatus; Feb 28th, 2011, 07:01 AM.

      Comment


      • #4
        I don't remember. It might have been the comments in SEC-1232, or maybe some comments in these here Roo forums. I'd been following this subject for a while....

        (It was some people in these forums that teased out changes to Roo and Spring Security which made some of this work. One cool thing is you can now write your own security aspects that inject @PreAuthorize annotations on Roo-managed methods!)

        Comment


        • #5
          Originally posted by mikej View Post
          One cool thing is you can now write your own security aspects that inject @PreAuthorize annotations on Roo-managed methods!
          Yeah I've seen that. Looks nice indeed.

          Comment


          • #6
            @mikej and @muskatus

            It worked on tc server developer but it not work with tomcat and jetty. I don't known why?

            Could you test with mvn tomcat:run and mvn jetty:run?
            Last edited by tk1cntt; Mar 6th, 2011, 04:37 AM.

            Comment


            • #7
              Sorry, it wouldn't be easy for me to test with mvn tomcat:run (I have an external directory I need on my classpath and I don't see a way to add it to the Maven Tomcat plugin configuration).

              If it helps, I use Tomcat 6 standalone and I start it up via Eclipse.

              Comment


              • #8
                Originally posted by tk1cntt View Post
                @mikej and @muskatus

                It worked on tc server developer but it not work with tomcat and jetty. I don't known why?

                Could you test with mvn tomcat:run and mvn jetty:run?
                I've only used tomcat 7 so far and it works.

                Comment


                • #9
                  Just type

                  Code:
                  cd /path/to/roo
                  
                  mvn jetty:run
                  and maven will load all plugin depend.

                  Please help me test it

                  Thanks so much

                  Comment


                  • #10
                    It's not a plugin dependency, it's an external folder where I keep properties files I don't want to keep inside the war. The tomcat maven plugin doesn't provide a mechanism for adding external folders to the classpath so these properties files can be picked up.

                    At any rate, perhaps you could test with Tomcat or Jetty standalone and troubleshoot from there.

                    Comment

                    Working...
                    X