Announcement Announcement Module
Collapse
No announcement yet.
MethodSecurityInterceptor does not "intercept" Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • MethodSecurityInterceptor does not "intercept"

    i've got an java application running on tomcat6.
    i'm using spring 3.0.4 and spring security 3.0.5.

    to protect the access of my dao methods i want to use the spring security `MethodSecurityInterceptor`. but this one doesn't actually "intercept" access at all.

    It is configured like this:

    Code:
    <bean id="securityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInteceptor"> 
    		
    		<property name="authenticationManager"> 
    			<ref bean="authenticationManager"/> 
    		</property> 
    		
    		<property name="accessDecisionManager"> 
    			<ref bean="accessDecisionManager"/> 
    		</property> 
    		
    		<property name="securityMetadataSource">
    			<value> 
    				com.xkst.dao.InvoiceDao.*=ROLE_ADMIN
    				com.xkst.dao.UserDao.*=ROLE_ADMIN
    			</value>
    		</property> 
    	</bean>
    according to the configuration every access of any of the methods of the UserDao should be intercepted an controlled.

    the methods to be protected get accessed by a rich client java application. to make the service available for the client i use the spring `HttpInvokerServiceExporter`.

    the dao classes are not exported directly. there is a single serviceclass being exported providing a single point of access for the client.

    on the client side i've got this `clientContext.xml` file which references the exported service on the server.

    in the client code i just load the context and pick the exported bean out of it

    Code:
        public class SecurityTest {
    	public static void main(String[] args) {
    		
    		
    		ClassPathXmlApplicationContext ctx = new ClassPathXmlApplicationContext("clientContext.xml");
    		EntityServiceInterface serverService = (EntityServiceInterface) ctx.getBean("entityServiceInterface");
    		
    		List<UserEntity> users = serverService.performGetAllUsers();
    		for(UserEntity user : users) {
    			System.out.println(user.getUserName());
    		}
            
    	}

    here i can just invoke any method of the 'serverService' on my client which should be protected by the 'MethodSecurityInterceptor' without authenticating. i can query all data from my 'UserDao'.

    i really don't know what the missing link is.

    `authenticationManager` and `accessDecisionManager` are configured as well. there is no error message at the startup of the server. it even logs the creation of the "secured methods" like:

    Code:
     2011-08-01 10:38:48,675  INFO MethodDefinitionMap:75 - Adding secure method [public java.util.List com.xkst.dao.UserDao.findAll()] with attributes [[ROLE_ADMIN]]
    so what am i doing wrong? can please someone give me a hint? i would really appreciate any help.
    cheers and thanks a lot, chris

  • #2
    Check your configuration for duplicate daos and make sure that your method security is part of the SAME application context as your daos if it isn't security isn't applied.

    Comment


    • #3
      hi marten.

      thanks for your advice.
      i got one file called applicationContext.xml. both, userdao and methodsecurityinterceptor are defined there.

      meanwhile i also configured an AutoProxyCreator like that:

      Code:
      <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"> 
      		<property name="interceptorNames">
      			<list> 
      				<value>securityInterceptor</value>
      			</list> 
      		</property> 
      		<property name="beanNames">
      			<list> 
      				<value>userService</value> 
      			</list> 
      		</property>
      		<property name='proxyTargetClass' value="true"/>
      </bean>
      now the interceptor is really called when the secure method is called - nevertheless it just does no authorization and returns the result of the invoked method.
      i found this config line on a tutorial site:
      Code:
      <property name='proxyTargetClass' value="true"/>
      but i do not really know what it is for. without this line the interceptor is not called.

      Comment


      • #4
        Your bean names seem to be different throughout the above posts (userService, userDao, entityServiceInterface), so I'd guess your not configuring AOP correctly somewhere. You might use this test class as a guide.

        Comment


        • #5
          hi luke,

          thanks for the link to the test class. i am going to use it right now.

          according to the names i use:

          "userService" is the bean name of the class userDao

          Code:
          <bean id="userService" class="com.xkst.dao.UserDao">
              	<property name="sessionFactory" ref="sessionFactory" />
          </bean>
          "entityServerService" is the bean to be exported with "HttpInvokerServiceExporter". this bean accesses the userDao. i made this single point of access for my rich client so i dont have to export all my dao classes.

          so the "call hierarchy" is:
          CLIENT -> exported EntityServerService -> UserDao

          Comment


          • #6
            thanks - your test class is quite handy for fast testing configurations.

            i now figured out my problem:

            i did not use the "secured" userService-bean out of the applicationContext - i just used the "getInstance" method from my userService since it is implemented as a singleton.

            thanks a lot! chris

            Comment

            Working...
            X