  • Acegi method security & Command pattern

    Hi,

    I have a set of Command classes implementing an ICommand interface (with an execute method).
    Now, I want to enable role-based authorization on the execute method of each command.
    I have set up my security advice, and added it to my autoproxy bean:
    <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
      <property name="beanNames"><value>*Service</value></property>
      <property name="interceptorNames">
        <list>
          <value>commandSecurityAdvice</value>
        </list>
      </property>
    </bean>

    The roles are set up in the security advice:
    ...
    <property name="objectDefinitionSource">
    <value>
    command1.execute=ROLE_SUPERVISOR
    command2.execute=ROLE_SUPERVISOR
    command3.execute=ROLE_USER,ROLE_SUPERVISOR
    </value>
    </property>
    ...

    ACEGI is evaluating my secured object (the command) as an ICommand object and therefore would not match any role.

    In the ACEGI code, it is only checked against interfaces. So what would be the right approach in my case?
    I would like to avoid setting a security advice for each command.

    Thanks

    Xavier

  • #2
    Does my question make any sense, given that nobody replied?

    Xav.



    • #3
      Whereabouts in the code is the problem you are facing?



      • #4
        The ACEGI code that causes me a problem is the one that tries to match the interface of my secured object with the objectDefinitionSource.
        The code is in MethodDefinitionMap.lookupAttributes(Method).
        It is coded to match the method of my secured object to a method of an interface:
        Class[] interfaces = method.getDeclaringClass().getInterfaces();

        In my case, even though my class Command1 implements ICommand (with an execute method), I want to be able to specify in the objectDefinitionSource:
        Command1.execute=ROLE_USER
        But this would match nothing because of the getInterfaces().

        I am not saying there is a problem in the lookupAttributes method but rather am asking if there is another way to achieve that: assigning ROLEs to methods defined on classes implementing the same interface.

        X.



        • #5
          Cool, wow it works by specifying the following in my BeanNameAutoProxyCreator:

          <property name="proxyTargetClass" value="true" />

          That now uses the implementation class, not the interface.

          Thanks for the help.

          X.
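
Why the switch to class proxying changes the lookup, as an added example that is not part of the original posts and is not Acegi's code: a JDK dynamic proxy hands its handler the interface's `Method`, so an entry keyed on the implementing class's method is never found, while resolving the call against the target class finds it. `ICommand` and `Command1` follow the names in the thread; `ProxyMethodLookupDemo`, the `ROLES` map and the helper methods are hypothetical stand-ins for the role configuration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class ProxyMethodLookupDemo {
    interface ICommand { void execute(); }

    static class Command1 implements ICommand {
        public void execute() { }
    }

    // Hypothetical stand-in for the objectDefinitionSource: roles keyed by Method.
    static final Map<Method, String> ROLES = new HashMap<>();

    // Looks up roles using the Method object a JDK interface proxy passes to its handler.
    static String rolesSeenThroughJdkProxy(ICommand target) {
        String[] seen = new String[1];
        InvocationHandler handler = (proxy, method, args) -> {
            // A null result here means no role requirement was found for this call.
            seen[0] = describe(method) + " -> " + ROLES.get(method);
            return method.invoke(target, args);
        };
        ICommand proxied = (ICommand) Proxy.newProxyInstance(
                ICommand.class.getClassLoader(), new Class<?>[] { ICommand.class }, handler);
        proxied.execute();
        return seen[0];
    }

    // Looks up roles after resolving the same call against the target's own class,
    // which is the Method a class-based proxy would see.
    static String rolesSeenOnTargetClass(ICommand target) throws NoSuchMethodException {
        Method m = target.getClass().getMethod("execute");
        return describe(m) + " -> " + ROLES.get(m);
    }

    static String describe(Method m) {
        return m.getDeclaringClass().getSimpleName() + "." + m.getName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample entry mirroring "Command1.execute=ROLE_USER" from the thread.
        ROLES.put(Command1.class.getMethod("execute"), "ROLE_USER");
        Command1 command = new Command1();
        System.out.println(rolesSeenThroughJdkProxy(command));
        System.out.println(rolesSeenOnTargetClass(command));
    }
}
```

When reviewing a configuration like the one in this thread, check which `Method` the interceptor actually receives, because a role entry that never matches leaves the call without the intended role requirement.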



          • #6
            Not a problem, glad to help! If you want to understand this more, the reference manual should help.
            http://www.springframework.org/docs/...l#aop-proxying



            • #7
              Thank you for this link. That knowledge may have saved me some trouble for my future Acegi stuff.



              • #8
                If in doubt it's always worthwhile having a read of the reference manual! It saves many hours of frustration and pulling your hair out.
