  • Spring Security 2.0 @Secured Annotations: BUG?

    Guys,

    I'm trying my hands on Spring Security 2.0M2. Playing around with spring-security-samples-tutorial-2.0-M2.war I discovered that the @Secured tag does not function the way it should.

    The BankService has the code snippet

    Code:
      @Secured("ROLE_TELLER")
      public Account post(Account account, double amount);
    which means only a user logged in as ROLE_TELLER can access the service method; otherwise a 403 exception is thrown. Makes sense. The applicationContext-business.xml has these lines:

    Code:
      <bean id="bankService" class="bigbank.BankServiceImpl">
        <constructor-arg ref="bankDao"/>
        <!-- This will add a security interceptor to the bean
        <security:intercept-methods>
          <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
          <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
        </security:intercept-methods>  -->
      </bean>
    By default the security:intercept-methods element is commented out. The flow of the app I followed:
    1. Enter Home Page
    2. Click on listAccounts
    3. Click on the amount to add or subtract the amount in account (calls the post method)
    4. The amount is changed and the new amount is reflected.

    As per the @Secured annotation I should have got the login screen first, which did not occur, and I was able to access the resource without logging in.

    Now let's ignore the @Secured and uncomment the security:intercept-methods from applicationContext-business.xml, and then restart the application.

    It asked me to log in when trying to access the resource and gives access only to the ROLE_TELLER; the other user fails. Is this a bug, or is something missing in terms of configuration? Or do I have to use both (does not make sense)?

  • #2
    If you only use the @Secured nothing will happen. You will have to tell Spring to do something with it. You will need to set up a MethodSecurityInterceptor with a SecurityAnnotationAttributes.

    Code:
    <bean id="attributes"
                class="org.springframework.security.annotation.SecurityAnnotationAttributes"/>
    <bean id="objectDefinitionSource"
                class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
      <property name="attributes"><ref local="attributes"/></property>
    </bean>
    
    <bean id="bankManagerSecurity"
                class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="validateConfigAttributes"><value>false</value></property>
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
      <property name="runAsManager"><ref bean="runAsManager"/></property>
      <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>



    • #3
      Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.



      • #4
        Originally posted by Luke:
        Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.
        I am using the <annotation-driven /> element in the XML. Do I still need to use the interceptor?



        • #5
          What package is SecurityAnnotationAttributes in?

          Do you know what jar file holds org.springframework.security.annotation.SecurityAnnotationAttributes?
          Last edited by shahbazi; Apr 17th, 2008, 12:27 PM.



          • #6
            This class is no longer in the codebase.



            • #7
              Hi,

              I have the same problem, using Spring 2.5.3 and Spring Security 2.0.

              My config is:

              Code:
              <security:global-method-security >
                    <security:protect-pointcut expression="execution(* de.reitsportkoch.*Service.*(..))" access="ROLE_USER"/>
              </security:global-method-security>
              or

              Code:
              <security:global-method-security   secured-annotations="enabled" />
              and / or

              Code:
              <bean id="daacc" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
                  
                  <bean id="objectDefinitionSource" class="org.springframework.security.annotation.SecuredMethodDefinitionSource">
                  </bean>
              
                  <bean id="securityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
                      <property name="authenticationManager"><ref local="authenticationManager"/></property>
                      <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
                      <property name="objectDefinitionSource">
                          <ref local="objectDefinitionSource"/>
                      </property>
                  </bean>
              For my JUnit test I create an AnonymousAuthenticationToken, so I expect that all my methods in the service marked with @Secured should throw a SecurityException. But this doesn't happen.

              I have looked into the docs and into the sample apps, but I didn't find my mistake.

              I hope you can help me. If you need more information, tell me.

              Thank you very much.

              Kind regards, Gideon



              • #8
                Originally posted by Luke:
                This class is no longer in the codebase.
                So how do we configure Spring 2.0.0 to work with annotations? The example application context file (applicationContext-acegi-security.xml in spring-security-samples-tutorial-2.0.0.war) still contains a reference to org.springframework.security.annotation.SecurityAnnotationAttributes, which indeed isn't in the code base. Any docs around on how to set things up?



                • #9
                  Originally posted by svanvoor:
                  So how do we configure Spring 2.0.0 to work with annotations? The example application context file (applicationContext-acegi-security.xml in spring-security-samples-tutorial-2.0.0.war) still contains a reference to org.springframework.security.annotation.SecurityAnnotationAttributes, which indeed isn't in the code base. Any docs around on how to set things up?
                  I'm having the same problem :-( Have you found a solution??

                  I also have my own SecurityAnnotations class, which by default adds a @Secured annotation above every method. How can I implement that with Spring Security 2.0?

                  Code:
                  import java.lang.reflect.Method;
                  import java.util.ArrayList;
                  import java.util.Collection;

                  import org.springframework.security.SecurityConfig;
                  import org.springframework.security.annotation.SecurityAnnotationAttributes;

                  // SecurityHelper, SecyUserRole and najsre7.enums.Package are the poster's own classes.
                  public class Re7SecurityAnnotationAttributes extends SecurityAnnotationAttributes {

                  	private final SecurityConfig DEFAULT_ANNOTATION_SECURED = new SecurityConfig(SecyUserRole.JS_USER.getValue());

                  	/**
                  	 * We use this method to declare default Secured annotations for those methods
                  	 * that should be secured. If Secured is overridden on the interface, the default
                  	 * is overridden and this method does nothing.
                  	 */
                  	@Override
                  	public Collection getAttributes(Method method) {

                  		// fetch the existing configuration...
                  		Collection collection = super.getAttributes(method);
                  		if (collection == null) {
                  			collection = new ArrayList();
                  		}

                  		// check whether there is no @Secured annotation config -> add our default
                  		// (the original test "collection != null || ..." was inverted and would NPE on null)
                  		if (collection.isEmpty()) {
                  			final String packageName = SecurityHelper.getPackageName(method);
                  			final boolean votablePackage = najsre7.enums.Package.isVotablePackage(packageName);
                  			// packages not registered as votable are left alone
                  			if (votablePackage) {
                  				final boolean hasVotableParameters = SecurityHelper.containsLaufnummerIdAsArgument(method);
                  				if (hasVotableParameters) {
                  					collection.add(DEFAULT_ANNOTATION_SECURED);
                  				}
                  			}
                  		}
                  		// else: the default was overridden by an annotation, so set no default and change nothing
                  		return collection;
                  	}
                  }
                  Angela
                  Last edited by angela; Apr 21st, 2008, 09:32 AM.



                  • #10
                    No, not yet. My @Secured annotations are ignored; seems like there's still some magic XML I need to find out about.

                    Code:
                    import org.springframework.security.annotation.Secured;

                    public class SpringSecurityTest {
                        @Secured({"ROLE_ADMIN"})
                        public String secretAdminOnly(){
                            return "this top secret bit of text is for admin eyes only.";
                        }
                    
                        @Secured({"ROLE_USER"})
                        public String notSoSecret(){
                            return "this is not extremely secret, still, a bit sensitive though.";
                        }
                    
                        @Secured({"ROLE_ANONYMOUS"})
                        public String publicKnowledge(){
                            return "Everyone knows this. Not a secret at all.";
                        }
                    }
                    When logged in as a regular user, no security exception gets thrown when I call secretAdminOnly().



                    • #11
                      Try reading the section on method security in the namespace chapter of the reference. Also the tutorial application is set up to use Secured annotations with the new namespace syntax, so it shouldn't be so hard to work out with both of these available.


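A way to check that @Secured is really enforced, as an added example that is not from this thread or from Spring's own samples: a JUnit 4 test that takes the bean from the Spring context (not via new) and asserts on the interceptor's decision. It assumes a hypothetical SecretService interface with a secretAdminOnly() method, an implementation carrying @Secured({"ROLE_ADMIN"}) on that method, and the constructed context file listed in the comment, wired with the 2.0 namespace element shown in #7.

```java
// Added example, not from this thread. Assumes a hypothetical interface SecretService with
// String secretAdminOnly(), implemented by example.SecretServiceImpl with @Secured({"ROLE_ADMIN"})
// on that method, and a constructed secured-test-context.xml on the classpath containing:
//   <security:global-method-security secured-annotations="enabled"/>
//   <security:authentication-provider>
//     <security:user-service>
//       <security:user name="admin" password="x" authorities="ROLE_ADMIN"/>
//     </security:user-service>
//   </security:authentication-provider>
//   <bean id="secretService" class="example.SecretServiceImpl"/>
import static org.junit.Assert.assertNotNull;
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = "classpath:secured-test-context.xml")
public class SecuredEnforcementTest {
    // Injected from the context, so this is the proxied bean with the MethodSecurityInterceptor
    // in front of it; a bare "new SecretServiceImpl()" has no proxy and @Secured is ignored.
    @Autowired
    private SecretService service;
    // Populate the SecurityContext directly. Marking the token authenticated keeps the
    // interceptor from re-authenticating it, which would fail without a TestingAuthenticationProvider.
    private void loginWith(String role) {
        GrantedAuthority[] auths = { new GrantedAuthorityImpl(role) };
        TestingAuthenticationToken token = new TestingAuthenticationToken("user", "pw", auths);
        token.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(token);
    }
    @After
    public void clearAuthentication() { SecurityContextHolder.getContext().setAuthentication(null); }
    @Test
    public void adminIsAllowed() {
        loginWith("ROLE_ADMIN");
        assertNotNull(service.secretAdminOnly());
    }
    @Test(expected = AccessDeniedException.class)
    public void plainUserIsDenied() {
        loginWith("ROLE_USER");
        service.secretAdminOnly();
    }
}
```

If plainUserIsDenied() passes with no exception, the bean under test is not the proxied one or the global-method-security element is missing from the context that created it.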

                      • #12
                        Having the same issue when upgrading from the 1.x series. I will look more closely at using the new syntax. However, the reference documentation is still showing the old way:
                        http://static.springframework.org/sp...ect-impls.html



                        • #13
                          There's a section on method security using namespaces here:

                          http://static.springframework.org/sp...ethod-security



                          • #14
                            In my existing code (1.x) I have a custom implementation of the MethodDefinitionAttributes class into which I have injected a Java5 SecurityAnnotationAttributes object. In other words I have a custom objectDefinitionSource in the MethodSecurityInterceptor, very similar to the example in the docs (which is not applicable since the SecurityAnnotationAttributes class no longer exists..):

                            Code:
                            <bean id="objectDefinitionSource"
                                  class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
                              <property name="attributes"><ref local="attributes"/></property>
                            </bean>

                            <bean id="bankManagerSecurity"
                                  class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
                              <property name="validateConfigAttributes"><value>false</value></property>
                              <property name="authenticationManager"><ref bean="authenticationManager"/></property>
                              <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
                              <property name="runAsManager"><ref bean="runAsManager"/></property>
                              <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
                            </bean>

                            I am not sure how I can create the MethodDefinitionAttributes class? Do I just do it without injecting an object into the attributes property of this class? And add <global-method-security secured-annotations="enabled" /> to the context file?



                            • #15
                              Tutorial Application

                              I took the tutorial application from SVN and added another controller called ShowAccount,
                              with one method called myAccount, as:


                              Code:
                              import org.springframework.security.annotation.Secured;
                              import org.springframework.security.context.SecurityContextHolder;
                              import org.springframework.security.userdetails.UserDetails;
                              import org.springframework.stereotype.Controller;
                              import org.springframework.ui.ModelMap;
                              import org.springframework.web.bind.annotation.RequestMapping;

                              @Controller(value = "showAccount")
                              @RequestMapping("/showAccount.html")
                              public class ShowAccount {

                                  // expected to require ROLE_TELLER, but the handler is reachable without logging in
                                  @RequestMapping(params = "action=myAccount")
                                  @Secured("ROLE_TELLER")
                                  public String generate(ModelMap model) {
                                      Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
                                      String username = "";
                                      if (obj instanceof UserDetails) {
                                          username = ((UserDetails) obj).getUsername();
                                      } else {
                                          username = obj.toString();
                                      }
                                      model.put("username", username);
                                      return "myAccount";
                                  }
                              }

                              But we can go to the showAccount.html URL without logging in!

                              While this is working fine with Acegi-Security 1.x.

                              I attached tutorial.zip without WEB-INF/lib (make sure you add the Spring 2.5 libs).
                              Last edited by shahbazi; Apr 25th, 2008, 06:54 PM.
