
  • Spring Security problem with using @PreAuthorize("hasPermission(....

    I am new to Spring Security and I'm trying to implement @PreAuthorize("hasPermission(#something, 'write')") on a method. I believe I have configured everything correctly (see config below); however, whenever I use @PreAuthorize("hasPermission( my app no longer loads. If I remove it, everything is fine.

    I have utilized some of the elements of spring-security such as general Authentication, hasRole, etc.

    I am using Spring 3.1 and spring-security 3.1.2.

    spring-security.xml
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" 
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/security
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <global-method-security pre-post-annotations="enabled">
            <expression-handler ref="expressionHandler"/>
        </global-method-security>

        <http auto-config="true" access-denied-page="/accessDenied.jsp" use-expressions="true">
            <form-login login-page="/login.htm" default-target-url="/loginSuccess.htm"
                authentication-failure-url="/loginfailed.htm" />
            <logout logout-success-url="/login.htm" />
        </http>

        <authentication-manager>
            <authentication-provider>
                <password-encoder hash="md5" />
                <jdbc-user-service data-source-ref="dataSource"
                    users-by-username-query="
                        select login as username,trim(password)...."/>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
    applicationContext.xml
    Code:
    ....
      <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <property name="permissionEvaluator" ref="applicationUserPermission"/>
      </bean>	
    	
      <bean id="applicationUserPermission" class="com.hwa.security.ApplicationUserPermissionEvaluator"/>
    ....
    Evaluator implementation:
    Code:
    public class ApplicationUserPermissionEvaluator implements PermissionEvaluator {
    
    	public boolean hasPermission(Authentication auth, Object target, Object permission) {
    		boolean hasPermission = true; 
    		if (target instanceof ApplicationUser){ 
    			ApplicationUser applicationUser = (ApplicationUser) target; ......
    Use of annotation
    Code:
    	@PreAuthorize("hasPermission(#applicationUser, 'write')")
    	public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {....}
    The error is generic, but here it is (note: if I remove the hasPermission above, the app loads):

    Code:
    INFO: Closing Hibernate SessionFactory
    Sep 28, 2012 12:54:16 PM org.apache.catalina.core.StandardContext listenerStart
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:2882)
    	at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:100)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:390)
    	at java.lang.StringBuffer.append(StringBuffer.java:224)
    	at java.io.StringWriter.write(StringWriter.java:95)
    	at java.io.PrintWriter.write(PrintWriter.java:412)
    	at java.io.PrintWriter.write(PrintWriter.java:429)
    	at java.io.PrintWriter.print(PrintWriter.java:559)
    	at java.io.PrintWriter.println(PrintWriter.java:695)
    	at java.lang.Throwable.printStackTrace(Throwable.java:512)
    	at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:176)
    	at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:180)
    	at java.util.logging.SimpleFormatter.format(SimpleFormatter.java:72)
    	at java.util.logging.StreamHandler.publish(StreamHandler.java:179)
    	at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:88)
    	at java.util.logging.Logger.log(Logger.java:478)
    	at java.util.logging.Logger.doLog(Logger.java:500)
    	at java.util.logging.Logger.logp(Logger.java:700)
    	at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:101)
    	at org.apache.commons.logging.impl.Jdk14Logger.error(Jdk14Logger.java:149)
    	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:307)
    	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
    	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
    	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:675)
    	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:601)
    	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
    	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
    Thanks in advance,

    Keith
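
Added example, not part of the thread and not the poster's code: the evaluator posted above starts from `boolean hasPermission = true`, so access is granted unless later code (cut off in the post) revokes it. A deny-by-default version of the same interface follows; the class name, the nested `ApplicationUser` stand-in and the own-record rule (taken from the expression in post #5) are assumptions.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Hypothetical class name; needs spring-security-core on the classpath.
public class DenyByDefaultPermissionEvaluator implements PermissionEvaluator {

    // Minimal stand-in for the thread's ApplicationUser (assumption: it exposes a login).
    public static class ApplicationUser {
        private final String login;
        public ApplicationUser(String login) { this.login = login; }
        public String getLogin() { return login; }
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Fail closed: no caller or no target means no access.
        if (auth == null || !auth.isAuthenticated() || target == null) {
            return false;
        }
        // Target types this evaluator does not understand are denied, not waved through.
        if (!(target instanceof ApplicationUser)) {
            return false;
        }
        ApplicationUser user = (ApplicationUser) target;
        // Assumed rule, mirroring post #5: a user may write only their own record.
        if ("write".equals(permission)) {
            return user.getLogin() != null && user.getLogin().equals(auth.getName());
        }
        // Permission names this evaluator does not know are denied.
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // The id-based overload is not supported here, so it denies rather than allows.
        return false;
    }
}
```

It is wired in the same way as the bean in applicationContext.xml above, by pointing the `permissionEvaluator` property of the expression handler at this class.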

  • #2
    Keith, have you tried increasing the heap size to see if the app starts? Using the annotation may push the memory usage over the current limit since it has to create proxies around method calls.

    Code:
    -Xms256m -Xmx512m



    • #3
      Thanks for the reply.

      I changed from
      -Xmn128m
      -Xms256m
      -Xmx768m
      -Xss1m
      -XX:PermSize=128m
      -XX:MaxPermSize=384m

      to

      -Xmn128m
      -Xms1024m
      -Xmx1024m
      -Xss2m
      -XX:PermSize=128m
      -XX:MaxPermSize=512m

      Still received the same error... let me know if I should increase it further and perhaps to what.



      • #4
        Hmm, I don't think you need to increase it further. I'm not sure what the problem is then. To narrow down the cause of the problem, does the error occur when you change the expression from "hasPermission(#applicationUser, 'write')" to something else? If that doesn't work, try with a different expression and don't set the custom permission evaluator. You can also try debugging to see what bean it's working on when the error happens. Good luck!



        • #5
          Just to note

          I tried something slightly different that I assumed would cause the same outcome... and it did.

          I commented out all of the XML configs that I mentioned before and attempted to use the inline logic, and still received the same error.

          Code:
          	@PreAuthorize("#applicationUser.login == authentication.name")
          	public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {...}



          • #6
            What if you are not using the custom PermissionEvaluator?



            • #7
              Turns out my logging wasn't receiving the errors generated by Spring. Once I fixed that, I was able to see the "real" error. My actual error dealt with proxying a proxy, and I was able to get around that. Thanks for all your help.

              Keith
