Announcement Announcement Module
Collapse
No announcement yet.
Java5 annotations Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Java5 annotations

    Hi,

    I'm trying to convert my application over to using Java5 annotations to protect individual methods but I'm not having much luck. My configuration before:
    Code:
    <bean id="securityInterceptor" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> 
    	<property name="validateConfigAttributes"><value>false</value></property>
    	<property name="authenticationManager"><ref bean="authenticationManager"/></property>
    	<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
    	<property name="runAsManager"><ref bean="runAsManager"/></property>
    	<property name="objectDefinitionSource">
    	    <value>
    net.fiveprime.services.AssayServices.setAssayPlateStatus=TEST
    	    </value>
    	</property>
       </bean>
    and my configuration after:

    Code:
    <bean id="attributes"	
        	 class="net.sf.acegisecurity.annotation.SecurityAnnotationAttributes"/>
    
    <bean id="objectDefinitionSource" 
    		class="net.sf.acegisecurity.intercept.method.MethodDefinitionAttributes">
      		<property name="attributes"><ref local="attributes"/></property>
    </bean>
    	
    <bean id="securityInterceptor" 
    		class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes"><value>false</value></property>
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="runAsManager"><ref bean="runAsManager"/></property>
        <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>
    with the following annotation in my source code:

    Code:
    @Secured({"TEST"})
    public void setAssayPlateStatus(AssayPlate assayPlate, String status);
    This seems to me all I should be doing but my setAssayPlateStatus method is not protected with the annotations method. When I look at the Debug log at startup with the previous method I get a number of lines reporting the methods have been protected but this does not happen with the annotations.

    Any pointers? I'm also using Java 5 annotations for Spring transactions on the same class and methods if this makes a difference. I currently have those annotations in the implementation class rather than the interface, does this play a role?

    thanks
    Jonny

  • #2
    I think that you have to define an aspect for this security interceptor. try to add the following code to your application context.
    Code:
        <bean id="securityAutoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
            <property name="proxyTargetClass" value="true"/>
            <property name="interceptorNames">
                <list>
                    <value>securityInterceptor</value>
                </list>
            </property>
            <property name="beanNames">
                <list>
                    <value>AssayServices</value>
                </list>
            </property>
        </bean>

    Comment


    • #3
      Well, yes, I also have an proxy factory configured that should use both my security interceptor and my transaction interceptor. That did not change.

      What I changed was the definition of how the interceptor was configured, not how it is applied via the proxy factory. My transaction interceptor works with annotations. My security interceptor works with the first configuration I posted (method signitures in the xml for the objectDefinitionSource). But, the security interceptor when configured with annotations for the objectDefinitionSource.

      I don't use the aspect configuration suggested mind, mine is:

      Code:
      <bean id="assayServices" class="org.springframework.aop.framework.ProxyFactoryBean">
        	<description>Configuration of the AOP interceptors for the assay services</description>
          <property name="proxyInterfaces">
            <value>net.fiveprime.services.AssayServices</value>
          </property>
      	<property name="target"><ref local="assayServicesTarget"/></property>
          <property name="interceptorNames">
            <list>
              <value>securityInterceptor</value>
              <value>transactionInterceptor</value>
            </list>
          </property>
        </bean>
      which works for the initial definition of the securityInterceptor but not the annotation based definition.

      Anyone any experience with getting annotations to work?

      thanks
      Jonny

      Comment


      • #4
        I figured it out, I should have gone home earlier last night.

        The security role I was using to test the annotations with did not have the prefix ROLE_. Once that was added things work as expected.

        One thing though. I noticed that the security annotations have to go into the interface to work. This is not a limitation with transaction annotations. Is there a reason for this?

        Also, anyone any pointers to best practices on this, ie are annotations regarding transactions and security specification related (and so belong in the interface) or implementation related (and so belong in the concrete implementation class). I seem to be able to convince myself of both depending on circumstance.

        Comment


        • #5
          Interfaces and Annotations

          You should be able to annotate regular classes... I have used them in the contacts-tiger sample

          http://cvs.sourceforge.net/viewcvs.p...va?view=markup

          What happened when you tried annotating the implementation?

          Cheers,
          Mark

          Comment


          • #6
            I went over my test cases to make sure I wasn't making a mistake. Basically, if I annotate my implementation classes the security protection is ignored. It's as if the method isn't protected. When the annotation is in the interface, all is well.

            I looked at the sample code and the main difference I see is that you are using auto proxy generation, whereas I use explicit proxy generation in which I list the interceptors I want for each class/interface pair. An example of my proxy factory configuration was given above. Could this be where they differ?

            Jonny

            Originally posted by markstgodard
            You should be able to annotate regular classes... I have used them in the contacts-tiger sample

            http://cvs.sourceforge.net/viewcvs.p...va?view=markup

            What happened when you tried annotating the implementation?

            Cheers,
            Mark

            Comment


            • #7
              Hi,

              I'm currently building my first spring/acegi-based application and facing the same problem.

              The @Secured-Annotation works for me just fine in the interface definition, but gets ignored when placed in the implementing class.

              I also use auto-proxy-generation using the DefaultAdvisorAutoProxyCreator.

              Any hint, what can cause this behaviour?

              Thanks in advance,
              Frank.

              Comment


              • #8
                Can you post your code examples and configuration.... in the meantime I will verify annotating concrete classes.

                Cheers

                Comment


                • #9
                  Thanks Mark!

                  Here is my configuration-snippet:

                  Code:
                  <bean id="autoProxyCreator"   class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
                  </bean>
                  
                  <bean id="methodDefinitionSourceAdvisor"   class="org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor">
                      <constructor-arg>
                          <ref bean="methodSecurityInterceptor" />
                      </constructor-arg>
                  </bean>
                  
                  <bean id="methodSecurityInterceptor"
                      class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
                      <property name="authenticationManager">
                          <ref bean="authenticationManager" />
                      </property>
                      <property name="accessDecisionManager">
                          <ref bean="accessDecisionManager" />
                      </property>
                      <property name="objectDefinitionSource">
                          <ref bean="methodDefinitionAttributes" />
                      </property>
                  </bean>
                  
                  <bean id="methodDefinitionAttributes"
                      class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
                      <property name="attributes">
                          <bean
                              class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
                      </property>
                  </bean>
                  Annotating the Interface works correct.
                  Both TransactionInterceptor and MethodSecurityInterceptor appear in the stacktrace:

                  Code:
                  public interface IExampleService {
                  
                      @Secured({"ROLE_ALL", "ROLE_SERVICE"})
                      @Transactional
                      public String doWhateverYouDo();
                  
                  }
                  Annotating the Implementation just works for the TransactionInterceptor.
                  The Secured-Annotation gets ignored:

                  Code:
                  public class ExampleService implements IExampleService {
                      ...
                  
                      @Secured({"ROLE_ALL", "ROLE_SERVICE"})
                      @Transactional
                      public String doWhateverYouDo() {
                         ...
                      }
                  }

                  Comment


                  • #10
                    Ahh, I forgot to mention...

                    I am using Spring 1.2.7 and Acegi 1.0.0 RC2

                    Comment


                    • #11
                      Any updates??

                      Any updates on this? I'm having the same problem.....

                      Comment

                      Working...
                      X