  • security:accesscontrollist not working

    Hi there,

    we are right in the middle of integrating SpringSecurity ACL into our existing software.

    So here is the catch:

    HTML Code:
    <security:accesscontrollist hasPermission="WRITE" domainObject="#{blaHandler.selectedBla}">
    	<div class="submit-button go_right paddingRight10">
    		<span> <em> <h:commandLink value="#{msg.text_edit_bla}" action="#{blaHandler.editBla}" />
    		</em> </span> </div>
    </security:accesscontrollist>
    should show the button only if the current user has WRITE permissions.

    Problem: The button is always there, so filtering does not seem to work.

    What I found out:
    1. The reference to the Model Object via the Handler is working and shown correctly in Firebug.
    2. Filtering the same request via @Secured Annotation in the Handler works.
    3. We rewrote some parts of the ACL default classes, as shown in the configuration below. But these should work fine (see no. 2).
    4. There are no exceptions or anything, the site just loads and shows the button.
    5. As far as I can tell the tag is simply not used. While debugging, neither the relevant Voter nor the AccessDecisionManager is reached.
    6. As a side note: we have used SpringSecurity for some time, it's just the ACL that's new to the system.

    I think our configuration is lacking somehow, but I can't find it.
    So here it is:

    About our System :
    - Spring V 3.1 M2
    - Springsecurity 3.1.0 RC2

    Our configuration :
    - In the webpage:
    HTML Code:
    <html xmlns=""
    - ApplicationContext

    HTML Code:
    <security:http auto-config='true' access-denied-page="/accessDenied.html">
    		<security:intercept-url pattern="/**" access="ROLE_STANDARD" />
    		<security:form-login login-page="/login.html"
    			authentication-failure-url="/login_error.html" default-target-url="/pages/start/start.html"
    			always-use-default-target="true" />
    		<security:logout logout-success-url="/login.html"
    			invalidate-session="true" />
    	        <security:concurrency-control max-sessions="1" />
    	<security:authentication-manager alias="authenticationManager" >
    			<security:password-encoder hash="md5" />
    	<!-- ACL Decision Manager Configuration-->
    	<security:global-method-security secured-annotations="enabled" 
    		pre-post-annotations="enabled" >
    	<bean id="accessDecisionManager" class="">
    		<property name="allowIfAllAbstainDecisions" value="false" />
    		<property name="decisionVoters">
    				<bean class="" />
    				<bean class="" />
    	<bean id="resourceSecurityInterceptor"
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="accessDecisionManager" />
    		<property name="securityMetadataSource"
    			ref="secureResourceFilterInvocationDefinitionSource" />
    		<property name="observeOncePerRequest" value="false" />
    <!-- 		<security:custom-filter after="LAST" /> -->
    	<bean id="secureResourceFilterInvocationDefinitionSource"
    		class="somemodule.generic.util.SecureResourceFilterInvocationDefinitionSource" />
    	<context:component-scan base-package="somepackage" />
    	<!-- 1. initialization of all orchestra modules (required for core15 module) -->
    	<import resource="classpath*:/META-INF/spring-orchestra-init.xml" />
    	<!-- 2. the conversation scopes -->
    	<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
    		<property name="scopes">
    				<entry key="conversation.manual">
    						<property name="timeout" value="240" />
    				<entry key="conversation.access">
    						<!-- property name="timeout" value="35" / -->
    						<property name="lifetime" value="access" />
    	<context:annotation-config />
    	<!-- ACL -->
    	<bean class="" id="aclDecisionManager">
    		<property name="decisionVoters">
    				<ref bean="readVoter"/>
    				<ref bean="writeVoter"/>
    				<ref bean="createVoter"/>
    				<ref bean="deleteVoter"/>
    	<!-- ACL Voter -->
    	<bean class="" id="readVoter">
    		<constructor-arg ref="mutableAclService"/>
    		<constructor-arg value="VOTE_READ"/>
    				<util:constant static-field=""/>
    		<property name="processDomainObjectClass" value="somemodule.acl.model.ACLProtectedObject"/>
    	<!-- Other Voters deleted for ease of reading. -->
    	<!-- ACL Caching -->
    	<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" id="ehCacheManagerBean"/>
    	<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean" id="ehCacheFactoryBean">
    		<property name="cacheManager" ref="ehCacheManagerBean"/>
    		<property name="cacheName" value="springAclCacheRegion"/>
    	<bean class="" id="ehCacheAclCache">
    		<constructor-arg ref="ehCacheFactoryBean"/>
    	<bean class="somemodule.acl.service.MyJdbcMutableAclService" id="mutableAclService"> 
    		<constructor-arg ref="dataSource"/>
    		<constructor-arg ref="ehCacheAclCache"/>
    		<constructor-arg ref="lookupStrategy"/>
    	<bean class="" id="aclAuthzStrategy">
    				<ref local="aclAdminAuthority"/>
    				<ref local="aclAdminAuthority"/>
    				<ref local="aclAdminAuthority"/>
    	<bean class="" id="aclAuditLogger"/>
    	<bean class="" id="aclAdminAuthority">
    		<constructor-arg value="ROLE_ADMIN"/>
    	<bean class="somemodule.acl.util.MyACLLookupStrategy" id="lookupStrategy">
    		<constructor-arg ref="dataSource"/>
    		<!-- Ehcache -->
    		<constructor-arg ref="ehCacheAclCache"/>
    		<constructor-arg ref="aclAuthzStrategy"/>
    		<constructor-arg ref="aclAuditLogger"/>
    		<!-- custom permission factory -->
    	<!--  END ACL -->
    If you need any more information please ask away.

    If you read this far, then:
    Your help is really appreciated.
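
For reference, the decision the `security:accesscontrollist` tag in the first post is meant to express, written as a direct query against the ACL service (an added example, not code from the original post or from Spring Security). The class `AclWriteCheck` and its method `canWrite` are hypothetical, and the code assumes the stock `BasePermission.WRITE` and a domain object that exposes `getId()`.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper (not from the post): asks the ACL directly for WRITE. */
public class AclWriteCheck {

    // Any AclService works here, e.g. the "mutableAclService" bean from the post.
    private final AclService aclService;

    public AclWriteCheck(AclService aclService) {
        this.aclService = aclService;
    }

    /** Returns true only if the ACL grants WRITE; every other outcome denies. */
    public boolean canWrite(Object domainObject) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || domainObject == null) {
            return false; // fail closed when there is nobody or nothing to check
        }
        // Assumption: the domain object has getId(), which ObjectIdentityImpl requires.
        ObjectIdentity oid = new ObjectIdentityImpl(domainObject);
        // Principal and granted authorities of the current user, as ACL sids.
        List<Sid> sids = new SidRetrievalStrategyImpl().getSids(auth);
        // Assumption: stock WRITE mask; a custom permission factory may map it differently.
        List<Permission> required = Arrays.<Permission>asList(BasePermission.WRITE);
        try {
            Acl acl = aclService.readAclById(oid, sids);
            return acl.isGranted(required, sids, false);
        } catch (NotFoundException e) {
            return false; // no ACL for the object, or no entry for these sids: deny
        }
    }
}
```

Calling it from the handler with the selected object shows whether the ACL data itself grants WRITE to the current user, independent of any page tag.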

  • #2
    Just a bump.
    Anyone got an idea ??