Spring Security 2.0 @Secured Annotations: BUG?
This topic is closed

  • #16
    I guess that's because the controller is part of the web application context whose beans aren't visible in the main application context (where you presumably have the method security set up).

    Comment


    • #17
      Originally posted by Luke
      I guess that's because the controller is part of the web application context whose beans aren't visible in the main application context
      Do you think the <context:component-scan base-package="bigbank.web" /> is not registering our controller into application context?


      The provided tutorial.zip was enhancing Spring Security's Tutorial example by adding one annotation based controller!

      Comment


      • #18
        The web/MVC beans aren't accessible from the main context. It doesn't matter whether you are using component-scan or configuring all the controllers and mappings explicitly in <yourapp>-servlet.xml, these beans are not visible from the context you define using the ContextLoaderListener in your web.xml file.

        Comment
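
The context split described in #16 and #18, as an added example that is not part of the original thread: method security only advises beans in the context that declares it, so one arrangement is to declare it in the DispatcherServlet's own context next to the component scan. The file name, the `security` prefix and the 2.5 schema versions are assumptions; `bigbank.web` is the package quoted in #17.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: WEB-INF/<yourapp>-servlet.xml, the context loaded by the DispatcherServlet.
     Beans declared or scanned here are not visible to the root context that
     ContextLoaderListener builds, so a <global-method-security> declared only in
     the root context never advises them. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Registers the annotated controllers in this (child) context -->
    <context:component-scan base-package="bigbank.web"/>

    <!-- Declared in the same context as the controllers, so @Secured methods on
         them are intercepted. Beans in the root context remain visible from
         here, since a child context can see its parent's beans. -->
    <security:global-method-security secured-annotations="enabled"/>

</beans>
```

The alternative that leaves the servlet context untouched is to put @Secured on service beans defined in the root context and call those from the controller.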


        • #19
          Originally posted by Luke
          Try reading the section in method security in the namespace section in the reference. Also the tutorial application is set up to use Secured annotations with the new namespace syntax, so it shouldn't be so hard to work out with both these available.
          Thanks, I did that....my config file looks now like that

          Code:
          <?xml version="1.0" encoding="UTF-8"?>
          	
          
          <b:beans xmlns="http://www.springframework.org/schema/security"
              xmlns:b="http://www.springframework.org/schema/beans"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
                                  
                                  
            <http auto-config='true' >
            	<remember-me user-service-ref='userDetailsService' />
            </http>    
            
            <!-- Acegi User Load DAO -->
          		<b:bean id="userDetailsService" class="security.acegi.hibernate.ExtranetUserDAOHibernate"  parent="BaseDAOHibernate">
          			<b:property name="informationManager" ref="informationManager"/>
          			<b:property name="personManager" ref="personManager"/>
          			<b:property name="benutzerManager" ref="benutzerManager"/>
          			<b:property name="secyManager" ref="secyManager"/>
          			<b:property name="useramtManager" ref="useramtManager"/>
          		</b:bean>        
                                  
          	<b:bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
          		<custom-filter position="SESSION_CONTEXT_INTEGRATION_FILTER"/>
          	</b:bean>
            
            <b:bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
              <custom-filter position="EXCEPTION_TRANSLATION_FILTER"/>
              <b:property name="authenticationEntryPoint">
          			<b:bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
          				<b:property name="loginFormUrl" value="/index.jsp"/>
          				<b:property name="forceHttps" value="false"/>
          			</b:bean>
          		</b:property>
          		<b:property name="accessDeniedHandler">
          			<b:bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
          				<b:property name="errorPage" value="/error.jsp"/>
          			</b:bean>
          		</b:property>
            </b:bean>
            
             <b:bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
              <custom-filter position="ANONYMOUS_FILTER"/>
              <b:property name="key" value="changeThis"/>
          	<b:property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
            </b:bean>
            
            <b:bean id="containerAuthenticationFilter" class="najsre7.webapp.filter.ContainerAuthenticationFilter">
              <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
             <b:property name="authenticationManager" ref="authenticationManager"/>
            </b:bean>
            
             <b:bean id="organisationValidationFilter" class="najsre7.webapp.filter.OrganisationValidationFilter">
              <custom-filter after="AUTHENTICATION_PROCESSING_FILTER"/>
               <b:property name="informationManager" ref="informationManager"/>
            </b:bean>
          	
          	
          	<!-- Access Descision manager -->
          	<global-method-security access-decision-manager-ref="unanimousBasedAccessDecisionManager" />
          		
          	<b:bean id="unanimousBasedAccessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
          		<b:property name="allowIfAllAbstainDecisions" value="false"/>
          		<b:property name="decisionVoters">
          			<b:list>
          				<b:bean class="org.springframework.security.vote.RoleVoter"/>
          				<b:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
          				<b:bean class="security.acegi.NDBJSSecurityVoter"/>
          			</b:list>
          		</b:property>
          	</b:bean>
          	
          	<authentication-manager alias="authenticationManager"/>
          
          	
          	<b:bean id="shaPasswordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
          
          
              <authentication-provider user-service-ref='userDetailsService'>
              	 <password-encoder hash="sha"/>
              </authentication-provider>
          	
          	<global-method-security secured-annotations="enabled" />
          
          	<!-- The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with only a simple declaration. Consider the following example: -->	 
          	<global-method-security>
              	<protect-pointcut expression="execution(* najs*.service..*Manager*Impl*.*(..))" access="ROLE_USER"/>
          	</global-method-security>
          	
          	
          	
          </b:beans>
          My Voter (NDBJSVoter) is never called. Does anybody know why?

          regards
          Angela

          Comment


          • #20
            Already found the solution....sorry...it was because I had several <global-method-security> in my file...

            angela

            Comment
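
The fix reported in #20, as an added example that is not part of the original post: the three <global-method-security> elements from the configuration in #19 folded into one, so the custom AccessDecisionManager, the @Secured support and the pointcut all belong to the same declaration. All attribute values, the pointcut expression and the bean definition are copied from that post.

```xml
<!-- Replaces the three separate <global-method-security> elements in #19.
     Default namespace is the security schema and beans use the b: prefix, as in that file. -->
<global-method-security
        secured-annotations="enabled"
        access-decision-manager-ref="unanimousBasedAccessDecisionManager">
    <protect-pointcut
            expression="execution(* najs*.service..*Manager*Impl*.*(..))"
            access="ROLE_USER"/>
</global-method-security>

<!-- Unchanged from #19: the manager whose voter list includes the custom voter -->
<b:bean id="unanimousBasedAccessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
    <b:property name="allowIfAllAbstainDecisions" value="false"/>
    <b:property name="decisionVoters">
        <b:list>
            <b:bean class="org.springframework.security.vote.RoleVoter"/>
            <b:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
            <b:bean class="security.acegi.NDBJSSecurityVoter"/>
        </b:list>
    </b:property>
</b:bean>
```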


            • #21
              I just recognized that I have another problem now with my global-method-security definition!

              In my old config I used a self implemented class which only added the @secured Annotation if one of the arguments in the method was of class LaufnummerId.

              With my configuration now, @secured is added at every method.

              Is there a way I can do this with the new configuration? Because the class SecurityAnnotationAttributes doesn't exist anymore.

              regards angela

              Comment


              • #22
                SpringSecurity v2.0.3 >> @Secured annotation not working

                Originally posted by Luke Taylor
                Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.
                Point#1: As found in the latest version (Spring Security v2.0.3), this org.springframework.security.annotation.SecurityAnnotationAttributes is not supported anymore.

                Point#2: As seen from the url, http://jira.springframework.org/brow...s:all-tabpanel, it is mentioned (by Adam Dyga - 06/May/08 01:34 PM) that " .... MethodDefinitionAttributes class exists, but SecurityAnnotationAttributes doesn't and due to this org.springframework.security.annotation.SecuredMethodDefinitionSource should be used instead of them. "

                But it is NOT mentioned how to use the SecuredMethodDefinitionSource for method level security. It would be better if a detailed example is provided within the documentation. The official documentation seems incomplete.

                Point#3: Using <security:annotation-driven/> or <annotation-driven/>, as mentioned by Luke Taylor. But in the latest Spring Security version (v2.0.3), this annotation is not found. So it would be better if some concrete solution is provided.

                I'm still facing the problem. The @Secured annotation does not work actually.

                My suggestion to Luke (or any other SpringSecurity development team member) is: please provide a complete example for method-based security using the @Secured annotation, this will resolve many problems/queries for members like us. It would be nice if this example includes: a spring-security config file, sample java files with @Secured annotations and specific version of the springsecurity API.

                Thanks,
                ... M. Chisty

                Comment


                • #23
                  Enabling secured annotations is already explained in the manual:

                  http://static.springframework.org/sp...ethod-security

                  and the basic tutorial sample is a complete example - it contains code and configuration files which use secured annotations.

                  Comment


                  • #24
                    MCHISTY

                    The reason you are not finding the @Secure annotation is down to the JARs you have a dependency on. Taking the example directly from Spring's example, you could use the following dependency (Maven 2):
                    <dependency>
                        <groupId>org.springframework.security</groupId>
                        <artifactId>spring-security-core-tiger</artifactId>
                        <version>${spring.security.version}</version>
                        <!-- Bringing in Spring 2.0.8 -->
                        <exclusions>
                            <exclusion>
                                <groupId>org.springframework</groupId>
                                <artifactId>spring-support</artifactId>
                            </exclusion>
                        </exclusions>
                    </dependency>
                    <dependency>
                        <groupId>org.springframework.security</groupId>
                        <artifactId>spring-security-taglibs</artifactId>
                        <version>${spring.security.version}</version>
                        <!-- Bringing in Spring 2.0.8 -->
                        <exclusions>
                            <exclusion>
                                <groupId>org.springframework</groupId>
                                <artifactId>spring-support</artifactId>
                            </exclusion>
                        </exclusions>
                    </dependency>
                    And you will find that you have access to the annotation. Remember that annotations only exist in JDK 1.5 onwards, hence why the 'spring-security-core-tiger' artifact has them, when the 'spring-security-core' does not.

                    Apologies about the belated response, I hope it helps.
                    Last edited by marshbourdon; Oct 7th, 2008, 02:25 AM.

                    Comment
