Announcement Announcement Module
Collapse
No announcement yet.
Method level security in GWT Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Method level security in GWT

    I'm writing a GWT application secured with Spring security. Logging in works fine, but authorization doesn't.

    I've tried using @Secured and @PreAuthorize annotations on my methods and that didn't work either.

    ApplicationContext.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
        
        <beans:beans xmlns="http://www.springframework.org/schema/security"
                     xmlns:beans="http://www.springframework.org/schema/beans"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
    
        <http auto-config="true">
            <intercept-url pattern="/testapplication/**" access="ROLE_USER"/>
            <intercept-url pattern="/gwt/**" access="ROLE_USER"/>
            <intercept-url pattern="/**/*.html" access="ROLE_USER"/>
            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/security/*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <intercept-url pattern="/testapplication/appUserService*" access="ROLE_ADMIN"/>
         
            <form-login
                    login-page="/login.jsp"
                    authentication-failure-url="/security/error.html"
                    login-processing-url="/j_spring_security_check"
                    />
        </http>
        <beans:bean id="appUserService" class="com.test.testapplication.server.admin.appuser.AppUserServiceImpl"/>
    
    
        <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        [DATASOURCE CONFIGURATION]
        </beans:bean>
        <global-method-security pre-post-annotations="enabled" secured-annotations="enabled" />
        <authentication-manager>
            <authentication-provider>
                <password-encoder hash="sha" />
                <jdbc-user-service data-source-ref="dataSource"
                                   users-by-username-query="select username,password,DECODE(enabled,'Y',1,'N',0) as enabled from APP_USER where username=?"
    
                                   authorities-by-username-query="select u.username, ur.role from APP_USER u, APP_USER_ROLE ur
    		                                                      where u.id = ur.APP_USER_ID and u.username =?  "
    
                        />
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
    To test, I'm trying to secure 'appUserService'.

    web.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
        <web-app xmlns="http://java.sun.com/xml/ns/javaee"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        		  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
                   version="2.5">
        
            <context-param>
                <param-name>contextConfigLocation</param-name>
                <param-value>
                    /WEB-INF/applicationContext.xml
                </param-value>
            </context-param>
            <servlet>
                <servlet-name>appUserService</servlet-name>
            <servlet-class>com.test.testapplication.server.admin.appuser.AppUserServiceImpl</servlet-class>
        </servlet>
        
        <!-- Spring security filter -->
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <!-- Spring listener -->
        <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
        </listener>
        <!-- Default page to serve -->
        <welcome-file-list>
            <welcome-file>testapplication.html</welcome-file>
        </welcome-file-list>
    </web-app>
    I'm looking for the simplest solution and I would prefer not to use AspectJ, any help would be greatly appreciated
Working...
X