AFTER_ACL_COLLECTION_READ not intercepting with MethodSecurityInterceptor
  • AFTER_ACL_COLLECTION_READ not intercepting with MethodSecurityInterceptor

    I'm using an Oracle DB and have my AclService populating the tables like so:

    ACL_SID
    ID PRINCIPAL SID
    1 1 siobhan
    2 0 ROLE_USER

    ACL_CLASS
    ID CLASS
    1 model.coso.impl.BusinessUnit

    ACL_OBJECT_IDENTITY
    ID OBJECT_ID_CLASS OBJECT_ID_IDENTITY PARENT_OBJECT OWNER_SID ENTRIES_INHERITING
    1 1 3 1 1

    ACL_ENTRY
    ID ACL_OBJECT_IDENTITY ACE_ORDER SID MASK GRANTING AUDIT_SUCCESS AUDIT_FAILURE
    1 1 0 2 1 1 0 0

    So I am expecting that only ROLE_USER can read my object - BusinessUnit#3

    The config uses an AclEntryAfterInvocationCollectionFilteringProvider as in the DMS example:

    Code:
    <!-- ============== "AFTER INTERCEPTION" AUTHORIZATION DEFINITIONS =========== -->

    <bean id="afterInvocationManager" class="org.springframework.security.afterinvocation.AfterInvocationProviderManager">
       <property name="providers">
          <list>
             <ref local="afterAclCollectionRead"/>
          </list>
       </property>
    </bean>

    <!-- Processes AFTER_ACL_COLLECTION_READ configuration settings -->
    <bean id="afterAclCollectionRead" class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
       <constructor-arg ref="aclService"/>
       <constructor-arg>
          <list>
             <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
          </list>
       </constructor-arg>
    </bean>

    <!-- ================= METHOD INVOCATION AUTHORIZATION ==================== -->

    <bean id="methodSecurityAdvisor" class="org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor" autowire="constructor"/>

    <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
       <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
       <property name="objectDefinitionSource">
          <value>
             dao.ISecureRiskDao.getSecureRisksViewByBU=ROLE_USER,AFTER_ACL_COLLECTION_READ
          </value>
       </property>
    </bean>
    The secured method queries the DB using findByCriteria:
    Code:
    // Inside the DAO method named in the objectDefinitionSource above.
    // The query itself is unrestricted; dropping rows the caller may not
    // read is left to AFTER_ACL_COLLECTION_READ on the way out.
    DetachedCriteria c = DetachedCriteria.forClass(BusinessUnit.class);
    List bus = getHibernateTemplate().findByCriteria(c);
    When logged in as ROLE_OTHER in the SecurityContext Authentication, this returns all domain objects, whereas I expect the one with id=3 to be excluded by the filter.

    I have the Spring Security code from SVN and can debug into AbstractSecurityInterceptor.afterPropertiesSet() on startup but none of my breakpoints in MethodSecurityInterceptor, AbstractSecurityInterceptor, or AfterInvocationProviderManager are stopping when the secured method is called.

    Is there anything I am missing?

    Thanks in advance for your help!
    Last edited by TechSiobhan; Jun 12th, 2008, 09:34 AM.

  • #2
    How are you applying the interceptor to your ISecureRiskDao bean?

    • #3
      I was applying like so:

      Code:
      <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
         <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
         <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
         <property name="objectDefinitionSource">
            <value>
               dao.ISecureRiskDao.getSecureRisksViewByBU=AFTER_ACL_COLLECTION_READ
            </value>
         </property>
      </bean>
      However, I changed my config to use the <sec:intercept-methods> tags in the config of my manager bean, and this did the trick.
      Last edited by TechSiobhan; Jun 18th, 2008, 06:21 AM.
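      The change described in #3, written out as a complete config fragment. This is an added example, not the poster's configuration or anything from the Spring Security DMS sample: the DAO bean id `secureRiskDao`, its class `dao.SecureRiskDaoImpl` and the `sessionFactory` reference are assumptions; `businessAccessDecisionManager`, `afterInvocationManager` and the advisor bean are the ones from the first post. It shows the two standard ways of getting calls to the DAO routed through a MethodSecurityInterceptor at all, which is the step the first post's config left out.

      ```xml
      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
             xmlns:sec="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-2.0.xsd">

        <!-- A MethodSecurityInterceptor bean on its own advises nothing. It only
             takes effect once something wraps the target bean in an AOP proxy
             and routes calls through it. Two ways to do that: -->

        <!-- Option A (what #3 switched to): the 2.0 namespace decorator. The DAO
             bean (id and class assumed for this example) is proxied in place.
             Every call that reaches it through the proxy passes the ROLE_USER
             check on the way in and the ACL collection filter on the way out. -->
        <bean id="secureRiskDao" class="dao.SecureRiskDaoImpl">
          <property name="sessionFactory" ref="sessionFactory"/>
          <sec:intercept-methods access-decision-manager-ref="businessAccessDecisionManager">
            <sec:protect method="getSecureRisksViewByBU"
                         access="ROLE_USER,AFTER_ACL_COLLECTION_READ"/>
          </sec:intercept-methods>
        </bean>

        <!-- Option B: keep the hand-built interceptor and advisor from the first
             post and add an auto-proxy creator. Without the creator the advisor
             is never applied to any bean, which is exactly what "breakpoints in
             MethodSecurityInterceptor never hit" looks like. Shown commented out
             so the two options are not both active on the same bean. -->
        <!--
        <bean id="methodSecurityAdvisor"
              class="org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor"
              autowire="constructor"/>
        <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
        -->
      </beans>
      ```

      Three things worth checking once either option is in place. First, as I recall the 2.0 `<intercept-methods>` decorator builds its interceptor with autowire-by-type, so the `afterInvocationManager` bean is only picked up if it is the single AfterInvocationManager in the context; a breakpoint in AfterInvocationProviderManager.decide() confirms the provider is actually consulted. Second, the proxy only sees calls that arrive through the proxied reference: inject the DAO by its interface (dao.ISecureRiskDao) rather than the implementation class, and remember that a method calling getSecureRisksViewByBU on `this` from inside the same bean bypasses the interceptor entirely. Third, "returns all rows" is the fail-open shape of this setup, so keep a test that authenticates as a principal with no ACL entries and asserts the result is filtered; note that AclEntryAfterInvocationCollectionFilteringProvider treats an object with no ACL at all as not granted, so with the four tables in the first post such a caller should see an empty list, not merely BusinessUnit#3 removed.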
