
  • AccessDecisionManager with Java Configuration

    Hey guys,

    Does anyone know how to register AccessDecisionManager to the HttpSecurity when using Java configuration? In my XML I have:

    Code:
    <http access-decision-manager-ref="accessDecisionManager">
    .....
    </http>
    
    
    	<bean id="accessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.springframework.security.vote.RoleVoter" />
    				<bean class="org.example.CustomVoter" />
    			</list>
    		</property>
    	</bean>
    and I don't know how to specify my AccessDecisionManager on the HttpSecurity.

    Any help will be appreciated.

  • #2
    You can refer to the NamespaceHttpTests for an example of using the access-decision-manager-ref.



    PS: If you are having trouble mapping the XML namespace to Java Configuration please refer to the tests. In general, the tests are named as Namespace<XMLElement>Tests. So since you want to learn more about how to use the <http> element in Java Configuration you will want to use NamespaceHttpTests.



    • #3
      Hi Rob,

      Thanks a lot for your guidance. I looked at the test cases and tried to implement it like this below:

      Code:
          @Override
          protected void configure(HttpSecurity http) throws Exception {
              http
                  .authorizeUrls().accessDecisionManager(defaultAccessDecisionManager())
                      .antMatchers("/admin/**").hasRole("ADMINGROUP")
                      .anyRequest().authenticated().and()
                  .formLogin()
                      .loginProcessingUrl("/j_spring_security_check").permitAll()
      .....
      But then on startup I get the following exception:

      Code:
      2013-07-30 11:41:55,481 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
      org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public javax.servlet.Filter org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain() throws java.lang.Exception] threw exception; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [permitAll, permitAll, hasRole('ROLE_ADMINGROUP'), authenticated, permitAll]
      	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)
      	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1025)
      I'm sure it's my misconfiguration again, but I just can't figure it out. Thanks a lot for your effort in helping me.



      • #4
        I suppose there is a slight difference between the sample I pointed you to and the configuration you had. The difference is that the sample is assuming you are supporting expressions. So you have two different options:

        The first (I would recommend) is to update your configuration to include a WebExpressionVoter. For example:

        Code:
        @Bean
        public AccessDecisionManager defaultAccessDecisionManager() {
            List<AccessDecisionVoter<FilterInvocation>> voters = new ArrayList<AccessDecisionVoter<FilterInvocation>>();
            // WebExpressionVoter is the voter that handles expression attributes
            voters.add(new WebExpressionVoter());
            voters.add(new CustomVoter());
            // Declared as the concrete type: setDecisionVoters is not part of the AccessDecisionManager interface
            UnanimousBased result = new UnanimousBased();
            result.setDecisionVoters(voters);
            return result;
        }
        The second option is to change to not use expressions within Spring Security's url mappings. For example:
        Code:
        protected void configure(HttpSecurity http) throws Exception {
             http
                .apply(new UrlAuthorizationConfigurer())
                    .accessDecisionManager(defaultAccessDecisionManager())
                    .antMatchers("/admin/**").hasRole("ADMINGROUP")
                    .anyRequest().authenticated().and()
                ....
        }



        • #5
          Thanks Rob, it works

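Added example, not code from the thread or from the Spring Security project: the first option from reply #4 written out as a complete configuration class, together with a voter that can only veto. It assumes the Spring Security 4.x/5.x API (entry point `authorizeRequests()`, voters passed to the `UnanimousBased` constructor); `WebSecurityConfig` and `SecureChannelVoter`, a stand-in for the thread's `org.example.CustomVoter`, are hypothetical names.

```java
import java.util.*;
import org.springframework.context.annotation.*;
import org.springframework.security.access.*;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.WebExpressionVoter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public AccessDecisionManager defaultAccessDecisionManager() {
        // WebExpressionVoter is the only voter here that supports the expression
        // attributes (permitAll, hasRole(...), authenticated) built in configure().
        List<AccessDecisionVoter<? extends Object>> voters =
                Arrays.asList(new WebExpressionVoter(), new SecureChannelVoter());
        // UnanimousBased: a single ACCESS_DENIED vote rejects the request.
        return new UnanimousBased(voters);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .accessDecisionManager(defaultAccessDecisionManager())
                .antMatchers("/admin/**").hasRole("ADMINGROUP")
                .anyRequest().authenticated()
                .and()
            .formLogin().permitAll();
    }
}

// Hypothetical custom voter: vetoes /admin requests that did not arrive over HTTPS.
class SecureChannelVoter implements AccessDecisionVoter<FilterInvocation> {
    // It does not interpret attributes, so it does not claim them; the startup
    // check then still fails if no other voter understands the expressions.
    @Override public boolean supports(ConfigAttribute attribute) { return false; }
    @Override public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
    @Override
    public int vote(Authentication auth, FilterInvocation fi, Collection<ConfigAttribute> attrs) {
        if (!fi.getRequestUrl().startsWith("/admin/")) return ACCESS_ABSTAIN;
        // Veto-only: never grants, so it cannot widen access under any manager.
        return fi.getRequest().isSecure() ? ACCESS_ABSTAIN : ACCESS_DENIED;
    }
}
```

Removing `WebExpressionVoter` from the list brings back the "Unsupported configuration attributes" failure from post #3, because no remaining voter reports support for the expression attributes.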