
  • How to bypass MethodSecurityInterceptor for internal RMI calls?

    Hi All,

    Our application is using Acegi Security for web and method-level authentication. All of this is working great, but I hit a problem, and I have spent enough time looking for that obvious solution, so at last I am posting my problem here.

    Our application consists of multiple modules deployed on separate machines, and these modules talk to each other via RMI. All our RMI methods are secured now, but the issue here is that module-to-module RMI calls fail because of authentication failure.

    Code:
    <bean id="securityInterceptor"
          class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="accessDecisionManager">
            <bean class="org.acegisecurity.vote.AffirmativeBased">
                <property name="allowIfAllAbstainDecisions" value="false"/>
                <property name="decisionVoters">
                    <list>
                        <bean class="org.acegisecurity.vote.RoleVoter">
                            <property name="rolePrefix" value=""/>
                        </bean>
                    </list>
                </property>
            </bean>
        </property>
        <property name="objectDefinitionSource">
            <value>
                com.test.SecureBean.*=admin, user_role
            </value>
        </property>
    </bean>

    <bean class="acegi.MultiAddrRmiServiceExporter">
        <property name="serviceName" value="myService"/>
        <property name="service" ref="myService"/>
        <property name="serviceInterface" value="com.test.SecureBeanService"/>
        <property name="interceptors">
            <list>
                <ref bean="securityInterceptor"/>
            </list>
        </property>
    </bean>

    When a user is logged into the system, his security context is passed from module to module, but we have some timers running that don't have any user logged in. How do we bypass MethodSecurityInterceptor for those times?


    Thanks for your help.

  • #2
    Because of the lack of any obvious solution, I am adding an internalAuthenticationProvider that will have access to a secret location for the username and password (like an encrypted file). All the modules will know how to access that file and pass the credentials to the other RMI service.

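Added example, not code from either post: one way to give the timers described above a service identity instead of skipping the interceptor. The class name `ServiceAccountTask` and the account name are hypothetical, and it assumes the RMI client proxy uses Acegi's `ContextPropagatingRemoteInvocationFactory`; how the credentials are read from the protected file is left to the caller.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

/**
 * Hypothetical wrapper (added example): runs a timer job under a dedicated
 * service account so secured RMI calls made by the job carry an identity.
 *
 * Assumption: the RMI client proxy is configured with
 * org.acegisecurity.context.rmi.ContextPropagatingRemoteInvocationFactory,
 * which sends the caller's SecurityContext with each remote invocation.
 */
public final class ServiceAccountTask implements Runnable {

    private final Runnable job;      // the timer's real work
    private final String username;   // e.g. "svc-timer" (constructed name)
    private final String password;   // loaded by the caller from the protected store

    public ServiceAccountTask(Runnable job, String username, String password) {
        if (job == null || username == null || password == null) {
            throw new IllegalArgumentException("job, username and password are required");
        }
        this.job = job;
        this.username = username;
        this.password = password;
    }

    public void run() {
        // Two-argument constructor creates an unauthenticated token, so the
        // remote MethodSecurityInterceptor hands it to its authenticationManager
        // and the server still verifies the credentials itself.
        Authentication request =
                new UsernamePasswordAuthenticationToken(username, password);
        SecurityContextHolder.getContext().setAuthentication(request);
        try {
            job.run();
        } finally {
            // Timer threads are reused: never leave the service identity bound
            // to the thread after the job finishes or throws.
            SecurityContextHolder.clearContext();
        }
    }
}
```

The service account still needs a role that `objectDefinitionSource` grants; giving it its own role rather than reusing `admin` keeps timer traffic separately auditable and limited to the methods it needs.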