
  • Unable to set RolePrefix for RoleVoter

    I'm attempting to set my own rolePrefix for RoleVoter. I haven't seen any concrete examples to do this except for an old acegi security one. Here's my applicationContext-security-ns.xml file:

    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schem...-beans-2.5.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
    <property name="rolePrefix" value="FOO-BAR-"/>
    </beans:bean>


    Here's the error message:

    Context initialization failed
    org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 16 in XML document from ServletContext resource [/WEB-INF/applicationContext-security-ns.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-complex-type.2.4.c: The matching wildcard is strict, but no declaration can be found for element 'property'.


    How does one set the rolePrefix for the RoleVoter? Or is this just a trivial configuration issue on my part?

    thanks,

    Brian

  • #2
    The element "property" is part of the "beans" namespace, so it needs the prefix too. Using a decent XML editor is recommended as it will tell you this right away. Otherwise it's a bit like Java programming with a text editor instead of an IDE and only finding out your mistakes at compile time.



    • #3
      Thanks. I'll use XMLSpy from now on.



      • #4
        Defining just the roleVoter bean doesn't appear to be enough. The roleVoter bean probably needs to be associated w/ another bean like say a httpRequestAccessDecisionManager which is then associated w/ a filterInvocationInterceptor and so on? I imagine going this explicit config route I won't be able to use the http bean which consolidates stuff? This is what I have so far:

        <beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
        <beans:property name="rolePrefix" value="FOO-BAR-"/>
        </beans:bean>

        <http auto-config="true">
        <intercept-url pattern="/*.do" access="FOO-BAR-USER" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </http>

        <authentication-provider>
        <user-service>
        <user name="admin" password="admin" authorities="FOO-BAR-USER,FOO-BAR-ADMIN" />
        <user name="user" password="user" authorities="FOO-BAR-USER" />
        </user-service>
        </authentication-provider>


        2008-04-30 09:34:56,437 ERROR [org.springframework.web.context.ContextLoader] - Context initialization failed org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterChainProxy': Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_filterSecurityInterceptor': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [FOO-BAR-USER]



        • #5
          The below allowed me to change the prefix from 'ROLE_' to 'PRIV_'. I am still wondering if there are less wordy ways to do the same.

          <http access-decision-manager-ref="accessDecisionManager"
          ....

          <beans:bean
          id="accessDecisionManager"
          class="org.springframework.security.vote.AffirmativeBased">
          <beans:property name="decisionVoters">
          <beans:list>
          <beans:ref bean="roleVoter" />
          <beans:ref bean="authenticatedVoter" />
          </beans:list>
          </beans:property>
          </beans:bean>

          <beans:bean
          id="roleVoter"
          class="org.springframework.security.vote.RoleVoter">
          <beans:property name="rolePrefix" value="PRIV_" />
          </beans:bean>

          <beans:bean
          id="authenticatedVoter"
          class="org.springframework.security.vote.AuthenticatedVoter">
          </beans:bean>



          • #6
            Thanks. Your sample config works for me.



            • #7
              So a local authentication-provider user-service config works. When trying an ldap-server and ldap-authentication-provider, the role prefix ROLE_ appears. I'm using the same config you've detailed and have this ldap config:

              <ldap-server url="ldap://localhost:10389/dc=poc" />
              <ldap-authentication-provider
              group-search-filter="member={0}"
              group-search-base="ou=groups"
              user-search-base="ou=people"
              user-search-filter="uid={0}"
              />

              <http auto-config="false" access-decision-manager-ref="accessDecisionManager">
              <intercept-url pattern="/*.do" access="FOO-BAR-User" />
              <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
              <form-login />
              <anonymous />
              <http-basic />
              <logout />
              </http>


              Debug log statements:

              2008-04-30 15:09:18,703 DEBUG [org.springframework.ldap.core.support.AbstractCon
              textSource] - Got Ldap context on server 'ldap://localhost:10389/dc=poc'
              2008-04-30 15:09:18,718 DEBUG [org.springframework.security.ldap.populator.Defau
              ltLdapAuthoritiesPopulator] - Roles from search: [FOO-BAR-OKC-Administrator, FOO-BAR-User]
              2008-04-30 15:09:18,718 DEBUG [org.springframework.security.userdetails.ldap.Lda
              pUserDetailsMapper] - Mapping user details from context with DN: uid=admin, ou=p
              eople, dc=poc
              2008-04-30 15:09:18,734 DEBUG [org.springframework.security.ui.webapp.Authentica
              tionProcessingFilter] - Authentication success: org.springframework.security.pro
              [email protected] 6: Principal: org.springframew
              [email protected] 5388b5: Username: admin; Passw
              ord: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired:
              true; AccountNonLocked: true; Granted Authorities: ROLE_FOO-BAR-USER, ROLE_FOO-BAR
              -OKC-ADMINISTRATOR; Password: [PROTECTED]; Authenticated: true; Details:
              org.springframework.security.ui.WebAuthenticationD [email protected]: RemoteIpAddre
              ss: 127.0.0.1; SessionId: F07FB2B25D02E10A3764A36FE2FD4E97; Granted Authorities:
              ROLE_FOO-BAR-USER, ROLE_FOO-BAR-OKC-ADMINISTRATOR
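
Added example, not part of the original thread: the debug log in post #7 shows the groups FOO-BAR-OKC-Administrator and FOO-BAR-User becoming ROLE_FOO-BAR-OKC-ADMINISTRATOR and ROLE_FOO-BAR-USER, because DefaultLdapAuthoritiesPopulator defaults to rolePrefix "ROLE_" and convertToUpperCase true, so a RoleVoter with prefix FOO-BAR- checking access="FOO-BAR-User" finds no matching authority. One way to align the two is to declare the LDAP beans explicitly with the Spring Security 2.0 classes in place of the ldap-server and ldap-authentication-provider elements. The bean ids are hypothetical, and an anonymous bind is assumed because the posted ldap-server sets no manager credentials.

```xml
<!-- Added example: bean ids are illustrative, values are taken from post #7 -->
<beans:bean id="contextSource"
    class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://localhost:10389/dc=poc" />
</beans:bean>

<!-- Same user lookup as user-search-base / user-search-filter -->
<beans:bean id="ldapUserSearch"
    class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=people" />
  <beans:constructor-arg index="1" value="uid={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>

<!-- Same group lookup as group-search-base / group-search-filter -->
<beans:bean id="ldapAuthoritiesPopulator"
    class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg index="0" ref="contextSource" />
  <beans:constructor-arg index="1" value="ou=groups" />
  <beans:property name="groupSearchFilter" value="member={0}" />
  <!-- Defaults are "ROLE_" and true; with these overrides the group name
       FOO-BAR-User is granted unchanged and matches access="FOO-BAR-User" -->
  <beans:property name="rolePrefix" value="" />
  <beans:property name="convertToUpperCase" value="false" />
</beans:bean>

<beans:bean id="ldapAuthProvider"
    class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
  <!-- Registers this bean with the namespace-created authentication manager -->
  <custom-authentication-provider />
  <beans:constructor-arg index="0">
    <beans:bean
        class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
      <beans:constructor-arg ref="contextSource" />
      <beans:property name="userSearch" ref="ldapUserSearch" />
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg index="1" ref="ldapAuthoritiesPopulator" />
</beans:bean>
```

RoleVoter compares authority strings exactly, including case, so the access attribute, the voter's rolePrefix and the populator's output must agree character for character.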



              • #8
                Originally posted by janw:
                The below allowed me to change the prefix from 'ROLE_' to 'PRIV_'. I am still wondering if there are less wordy ways to do the same.
                You can use a shorter prefix for the "beans" namespace. Alternatively, you can write your bean declarations in another file (which uses beans as the default namespace) and either import it or add it to the context loader.
