
  • 1.0.0-RC1 MethodInvocation AOP problem

    I am unable to use the AOP method interception via an AutoProxy. It seems whenever this code at line 288 in AbstractSecurityInterceptor

    ConfigAttributeDefinition attr = this.obtainObjectDefinitionSource()
    is called, it is always returning null, even though the method has been mapped with a role. I have included my mapping below. The actual method invoked is

    However the method is never returned when invoked via an autoproxy. The bean is retrieved from the providerFactory bean which simply checks that all providers implement the correct interface on initialization. Can anyone give me a hand with this?

    Spring definition

     <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "">
     <!--  Add all service provider adapter to this auto proxy creator.  This will automagically add the
     acegi security method interceptor to every bean when requested from Spring -->
      <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="interceptorNames">
        <property name="beanNames">
      <!-- This bean specifies which roles are authorized to execute which methods. -->
      <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <!-- reject unauthorized invocations -->
        <property name="rejectPublicInvocations" value="true"/>
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
        <!--  all implementing classes need public method security added-->
      <!-- This bean specifies which roles are assigned to each user.
      This sets a user map from our WebServiceUserParser -->
      <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
        	<ref bean="userMapFactoryBean"/>
      <!-- This bean specifies that a user can access the protected methods 
       if they have any one of the roles specified in the objectDefinitionSource above. -->
      <bean id="accessDecisionManager" class="">
        <property name="decisionVoters">
          <list><ref bean="roleVoter"/></list>
      <!-- The next three beans are boilerplate. They should be the same for nearly all applications. -->
      <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
          <list><ref bean="authenticationProvider"/></list>
      <!--  Use a DAO provider
      This still uses UsernamePasswordAuthenticationToken, but requires a 
      WSPasswordCallback as a credential so the password can be
      set into the callback for authentication during the message
      decryption in the additionalAuthenticationChecks method
      <bean id="authenticationProvider" class="">
        <property name="userDetailsService" ref="userDetailsService"/>
      <bean id="roleVoter" class=""/>
      <!-- UserMapLoader bean -->
      <bean id="userMapLoader" class="">
      	<property name="permissionsFile"><value></value></property>
      <!-- Work around bean for InMemoryDAOImpl -->
      <bean id="userMapFactoryBean" class="">
      	<property name="loader"><ref bean="userMapLoader"/></property>
      <!-- our listener that checks every 30 seconds for a new security file -->
      <bean id="scheduledTask" class="org.springframework.scheduling.timer.ScheduledTimerTask">
    	  <!-- wait 10 seconds before starting repeated execution -->
    	  <property name="delay"><value>10000</value></property>
    	  <!-- run every 30 seconds -->
    	  <property name="period"><value>30000</value></property>
    	  <property name="timerTask"><ref bean="securityReloader"/></property>
      <!-- our actual time task -->
      <bean id="securityReloader" class="">
      	<property name="userDetailsService"><ref bean="userDetailsService"/></property>
      	<property name="userMapLoader"><ref bean="userMapLoader"/></property>
      	<property name="paranoid"><value>true</value></property>
      <!-- Our own web service implementations -->
      <bean id="flightBankWebService" class="com.ata.webservices.provider.ServiceProviderAdapter">
    	<!-- set the service provider factory -->
      	<property name="providerFactory">
      		<ref bean="providerFactory"/>
      	<!-- set the dozer mappings -->
      	<property name="mapper">
      		<ref bean="mapper"/>
        <!-- Provider factory to grab a users business provider -->
      <bean id="providerFactory" class="com.ata.webservices.factory.ServiceProviderFactoryImpl">
      	<property name="userDetailsService">
      		<ref bean="userDetailsService"/>
      	<property name="adapters">
      				<ref bean="datalexAdapter"/>
      <bean id="datalexAdapter" class="com.ata.adapter.datalex.DatalexStatelessAdapterImpl">
      	<property name="factory">
      		<ref bean="storeFrontFactory"/>
      <!-- datalex adapter config -->
      <bean id="storeFrontFactory" class="com.ata.adapter.datalex.factory.StoreFrontsFactory">
      	<property name="bookitProps"><value></value></property>
      <!-- dozer converter configuration -->
      <bean id="mapper" 
        class="net.sf.dozer.util.mapping.DozerBeanMapper" singleton="true">
        <property name="mappingFiles">

  • #2
    I have a little more information to provide. It appears the ACEGI is not getting the correct class on my Method invocation objects. The method

    public Object invoke(MethodInvocation mi) throws Throwable
    of class MethodSecurityInterceptor (Line 75) is receiving a MethodInvocation object of instance ReflectiveMethodInvocation. It seems the values are not correct in this object. Both the target and the targetClass are the class

    However, the method object is for

    public abstract com.ata.adapter.beans.FlightSearchResults com.ata.adapter.SearchAdapter.searchRoundTrip(java.lang.String,java.lang.String,java.util.Date,java.util.Date,int,int,int) throws com.ata.adapter.exception.AdaptorException
    Which is the calling method, i.e. the method invoking the ACEGI security proxy, not the target of the security proxy. Here is my code for the SearchAdapter, as well as the provider lookup code.

    SearchAdapter searchRoundTrip

    public FlightSearchResults searchRoundTrip(String origin,
            String destination, Date departDate, Date returnDate,
            int numAdults, int numChildren, int numSeniors) throws Exception {
        com.ata.adapter.beans.FlightSearchResults results = providerFactory.getProvider()
                .searchRoundTrip(origin, destination, departDate, returnDate,
                        numAdults, numChildren, numSeniors);
        FlightSearchResults serviceResults = (FlightSearchResults)
                results, FlightSearchResults.class);
        return serviceResults;
    }

    /**
     * Gets the adapter from the WebServiceUser object
     * @return the booking adapter configured for the authenticated user
     */
    public StatelessBookingAdapter getProvider() {
        Object userName = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        UserDetails userDetails = userDetailsService.loadUserByUsername(userName.toString());
        // can we find the user
        if (userDetails == null) {
            throw new WebServiceSecurityException("No user details were found for username '" + userName.toString() + "'");
        }
        // make sure it's the right type before we cast. Should never happen, but a sanity check
        if (!(userDetails instanceof WebServiceUser)) {
            throw new WebServiceSecurityException("The user '" + userName.toString() + "' is not defined as WebServiceUser type");
        }
        String providerName = ((WebServiceUser) userDetails).getServiceProvider();
        StatelessBookingAdapter adapter = (StatelessBookingAdapter) adapters.get(providerName);
        // check one has been defined
        if (adapter == null) {
            throw new WebServiceSecurityException("No service provider was found for the user '" + userName.toString() + "'");
        }
        // if we get here we're good, return the provider.
        return adapter;
    }


    • #3
      Solution Found

      I have found the solution, if you use a org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator

      you MUST set

      <property name="proxyTargetClass" value="true"/>

      Otherwise, the method passed is the method on the caller of the proxied bean, NOT the target method. I am adding a request to get this into the documentation.
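
The lookup miss discussed in this thread can be reproduced with plain JDK dynamic proxies. The following is an added example, not code from the thread or from Acegi Security: an interface-based proxy hands the interceptor the `public abstract` method declared on the interface (as seen in post #2), so a role mapping registered against the implementation class finds nothing. The class names and the `ROLES` map are hypothetical stand-ins for the thread's adapter and its `objectDefinitionSource`.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class ProxyMethodLookupDemo {
    // Hypothetical stand-ins for the thread's adapter interface and implementation.
    interface SearchAdapter { String searchRoundTrip(String origin, String destination); }

    static class DatalexAdapter implements SearchAdapter {
        public String searchRoundTrip(String origin, String destination) {
            return origin + "-" + destination;
        }
    }

    // Simplified role mapping, registered against the implementation class (assumption).
    static final Map<String, String> ROLES = new HashMap<>();
    static { ROLES.put(DatalexAdapter.class.getName() + ".searchRoundTrip", "ROLE_SEARCH"); }

    static String key(Method m) { return m.getDeclaringClass().getName() + "." + m.getName(); }

    // Resolve the same signature on the concrete target class before looking up attributes.
    static Method onTarget(Method m, Class<?> targetClass) throws NoSuchMethodException {
        return targetClass.getMethod(m.getName(), m.getParameterTypes());
    }

    public static void main(String[] args) {
        DatalexAdapter target = new DatalexAdapter();
        InvocationHandler handler = (proxy, method, a) -> {
            String naive = ROLES.get(key(method));            // interface method: no match
            String resolved = ROLES.get(key(onTarget(method, target.getClass())));
            System.out.println("declaring class seen by interceptor: "
                    + method.getDeclaringClass().getName());
            System.out.println("lookup by proxy method:  " + naive);
            System.out.println("lookup by target method: " + resolved);
            // Fail closed: an unmapped method is rejected, never treated as public.
            if (resolved == null) throw new SecurityException("no attributes mapped; rejecting");
            return method.invoke(target, a);
        };
        SearchAdapter proxied = (SearchAdapter) Proxy.newProxyInstance(
                SearchAdapter.class.getClassLoader(), new Class<?>[] { SearchAdapter.class }, handler);
        System.out.println(proxied.searchRoundTrip("IND", "MDW"));
    }
}
```

The first lookup prints `null` and the second prints `ROLE_SEARCH`. An unmapped lookup is the case the thread's `rejectPublicInvocations` setting governs, and the example likewise rejects the call when no attributes are found.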


      • #4
        I'll add a comment to the Acegi Security docs as well: