
  • security:accesscontrollist not working

    Hi there,

    We are right in the middle of integrating SpringSecurity ACL into our existing software.

    So here is the catch:

    HTML Code:
    <security:accesscontrollist hasPermission="WRITE" domainObject="#{blaHandler.selectedBla}">								
    	<div class="submit-button go_right paddingRight10">
    		<span> <em> <h:commandLink  value="#{msg.text_edit_bla}" action="#{blaHandler.editBla}" /> 
    		</em> </span> </div>
    </security:accesscontrollist>
    should show the button only if the current user has WRITE permissions.

    Problem: The button is always there, so filtering does not seem to work.

    What I found out:
    1. The reference to the Model Object via the Handler is working and shown correctly in Firebug.
    2. Filtering the same request via @Secured Annotation in the Handler works.
    3. We rewrote some parts of the ACL default classes, as shown in the configuration below. But these should work fine (see no. 2).
    4. There are no exceptions or anything; the site just loads and shows the button.
    5. As far as I can tell the tag is simply not used. While debugging, neither the relevant Voter nor the AccessDecisionManager is reached.
    6. As a side note: we have used SpringSecurity for some time; it's just the ACL that's new to the system.

    Conclusion?
    I think our configuration is lacking somehow, but I can't find it.
    So here it is:



    About our System :
    - Spring V 3.1 M2
    - Springsecurity 3.1.0 RC2

    Our configuration :
    - In the webpage:
    HTML Code:
    <html xmlns="http://www.w3.org/1999/xhtml"
    	xmlns:ui="http://java.sun.com/jsf/facelets"
    	xmlns:h="http://java.sun.com/jsf/html"
    	xmlns:f="http://java.sun.com/jsf/core"
    	xmlns:rich="http://richfaces.org/rich"
    	xmlns:a4j="http://richfaces.org/a4j"
    	xmlns:sec="http://www.springframework.org/security/facelets/tags"
    	xmlns:security="http://www.springframework.org/schema/security">
    - ApplicationContext

    HTML Code:
    <security:http auto-config='true' access-denied-page="/accessDenied.html">
    		<security:intercept-url pattern="/**" access="ROLE_STANDARD" />
    		<security:form-login login-page="/login.html"
    			authentication-failure-url="/login_error.html" default-target-url="/pages/start/start.html"
    			always-use-default-target="true" />
    
    		<security:logout logout-success-url="/login.html"
    			invalidate-session="true" />
    		<security:session-management>
    	        <security:concurrency-control max-sessions="1" />
    	    </security:session-management>	
    	</security:http>
    
    	<security:authentication-manager alias="authenticationManager" >
    		<security:authentication-provider
    			user-service-ref="userDetailsProvider">
    			<security:password-encoder hash="md5" />
    		</security:authentication-provider>
    	</security:authentication-manager>
    	<!-- ACL Decision Manager Configuration-->
    	<security:global-method-security secured-annotations="enabled" 
    		access-decision-manager-ref="aclDecisionManager" 
    		pre-post-annotations="enabled" >
    	</security:global-method-security>
    
    	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    		<property name="allowIfAllAbstainDecisions" value="false" />
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</property>
    	</bean>
    
    	<bean id="resourceSecurityInterceptor"
    		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="accessDecisionManager" />
    		<property name="securityMetadataSource"
    			ref="secureResourceFilterInvocationDefinitionSource" />
    		<property name="observeOncePerRequest" value="false" />
    <!-- 		<security:custom-filter after="LAST" /> -->
    	</bean>
    
    	<bean id="secureResourceFilterInvocationDefinitionSource"
    		class="somemodule.generic.util.SecureResourceFilterInvocationDefinitionSource" />
    
    
    	<context:component-scan base-package="somepackage" />
    
    	<!-- 1. initialization of all orchestra modules (required for core15 module) -->
    	<import resource="classpath*:/META-INF/spring-orchestra-init.xml" />
    
    	<!-- 2. the conversation scopes -->
    	<bean class="org.springframework.beans.factory.config.CustomScopeConfigurer">
    		<property name="scopes">
    			<map>
    				<entry key="conversation.manual">
    					<bean
    						class="org.apache.myfaces.orchestra.conversation.spring.SpringConversationScope">
    						<property name="timeout" value="240" />
    
    					</bean>
    				</entry>
    
    				<entry key="conversation.access">
    					<bean
    						class="org.apache.myfaces.orchestra.conversation.spring.SpringConversationScope">
    						<!-- property name="timeout" value="35" / -->
    						<property name="lifetime" value="access" />
    					</bean>
    				</entry>
    			</map>
    		</property>
    	</bean>
    
    	<context:annotation-config />
    	<!-- ACL -->
    	
    	<bean class="org.springframework.security.access.vote.AffirmativeBased" id="aclDecisionManager">
    		<property name="decisionVoters">
    			<list>
    				<ref bean="readVoter"/>
    				<ref bean="writeVoter"/>
    				<ref bean="createVoter"/>
    				<ref bean="deleteVoter"/>
    			</list>
    		</property>
    	</bean>
    
    	<!-- ACL Voter -->
    	<bean class="org.springframework.security.acls.AclEntryVoter" id="readVoter">
    		<constructor-arg ref="mutableAclService"/>
    		<constructor-arg value="VOTE_READ"/>
    		<constructor-arg>
    			<array>
    				<util:constant static-field="org.springframework.security.acls.domain.BasePermission.READ"/>
    			</array>
    		</constructor-arg>
    		<property name="processDomainObjectClass" value="somemodule.acl.model.ACLProtectedObject"/>
    	</bean>
    	
    	<!-- Other Voters deleted for ease of reading. -->
    		
    	<!-- ACL Caching -->
    	<bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" id="ehCacheManagerBean"/>
    	<bean class="org.springframework.cache.ehcache.EhCacheFactoryBean" id="ehCacheFactoryBean">
    		<property name="cacheManager" ref="ehCacheManagerBean"/>
    		<property name="cacheName" value="springAclCacheRegion"/>
    	</bean>
    	<bean class="org.springframework.security.acls.domain.EhCacheBasedAclCache" id="ehCacheAclCache">
    		<constructor-arg ref="ehCacheFactoryBean"/>
    	</bean>
    	
    	<bean class="somemodule.acl.service.MyJdbcMutableAclService" id="mutableAclService"> 
    		<constructor-arg ref="dataSource"/>
    		<constructor-arg ref="ehCacheAclCache"/>
    		<constructor-arg ref="lookupStrategy"/>
    	</bean>
    	
    	<bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl" id="aclAuthzStrategy">
    		<constructor-arg>
    			<array>
    				<ref local="aclAdminAuthority"/>
    				<ref local="aclAdminAuthority"/>
    				<ref local="aclAdminAuthority"/>
    			</array>
    		</constructor-arg>
    	</bean>	
    	<bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" id="aclAuditLogger"/>
    	<bean class="org.springframework.security.core.authority.GrantedAuthorityImpl" id="aclAdminAuthority">
    		<constructor-arg value="ROLE_ADMIN"/>
    	</bean>
    	
    	<bean class="somemodule.acl.util.MyACLLookupStrategy" id="lookupStrategy">
    		<constructor-arg ref="dataSource"/>
    		<!-- Ehcache -->
    		<constructor-arg ref="ehCacheAclCache"/>
    		<constructor-arg ref="aclAuthzStrategy"/>
    		<constructor-arg ref="aclAuditLogger"/>
    		<!-- custom permission factory -->
    	</bean>
    	
    	<!--  END ACL -->
    If you need any more information please ask away.



    If you read this far, then:
    Thanks
    Your help is really appreciated.
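
One condition that produces the symptom described above (guarded markup always rendered, no voter reached) is a tag prefix bound to a namespace URI for which no Facelets tag library is registered: Facelets then emits the element as template text and renders its children unconditionally. The following check is an added example, not part of the original post; the set of registered taglib URIs and the function names are assumptions, and the sample page is constructed from the snippets in the post.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URIs that have a Facelets tag library registered in
# this deployment (built-ins plus any *.taglib.xml found on the classpath).
REGISTERED_TAGLIBS = {
    "http://www.w3.org/1999/xhtml",
    "http://java.sun.com/jsf/facelets",
    "http://java.sun.com/jsf/html",
    "http://java.sun.com/jsf/core",
}

# Constructed sample, reduced from the page and tag shown in the post.
SAMPLE_PAGE = """\
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:security="http://www.springframework.org/schema/security">
  <security:accesscontrollist hasPermission="WRITE"
                              domainObject="#{blaHandler.selectedBla}">
    <div class="submit-button">
      <h:commandLink value="#{msg.text_edit_bla}" action="#{blaHandler.editBla}"/>
    </div>
  </security:accesscontrollist>
</html>
"""


def split_tag(tag):
    """Split ElementTree's '{uri}local' tag form into (uri, local)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def find_passthrough_guards(xhtml, registered=REGISTERED_TAGLIBS):
    """List elements whose namespace has no registered taglib, together with
    the JSF action components nested inside them (rendered without any check)."""
    findings = []
    for elem in ET.fromstring(xhtml).iter():
        uri, local = split_tag(elem.tag)
        if uri in registered:
            continue
        exposed = [(split_tag(c.tag)[1], c.attrib["action"])
                   for c in elem.iter()
                   if c is not elem and "action" in c.attrib]
        findings.append({"namespace": uri, "tag": local,
                         "attributes": dict(elem.attrib),
                         "exposed_actions": exposed})
    return findings


if __name__ == "__main__":
    for finding in find_passthrough_guards(SAMPLE_PAGE):
        print(finding)
```

A finding means the wrapped components are protected only by whatever server-side check the action method itself carries, such as the @Secured annotation mentioned in point 2.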

  • #2
    Just a bump.
    Anyone got an idea?
