  • Method Security

    Hi everyone,

    I'm trying to secure methods. Somehow I can only use this feature on interfaces.
    When I try to secure, for example, a Struts 2 action by adding this in front of the method:
    Code:
    @Secured({"ROLE_ADMIN"})
    I get this exception:
    Code:
    java.lang.NoSuchMethodException: $Proxy36.execute()
    	at java.lang.Class.getMethod(Class.java:1605)
    	at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.getActionMethod(AnnotationValidationInterceptor.java:55)
    	at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:41)
    .........
    These are the configurations I'm using:

    Code:
    <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes"><value>false</value></property>
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>

    <bean class="org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor">
        <constructor-arg><ref bean="securityInterceptor" /></constructor-arg>
    </bean>

    <bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
        <property name="attributes">
            <bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
        </property>
    </bean>
    I hope someone can help me. Thanks in advance, kukudas.

  • #2
    Re: Method security

    Hi kukudas,
    you're trying to use the @Secured annotation with Acegi 1.0 instead of Spring Security 2.0. I think this is not possible. Secured annotation is only available since Spring Security 2.0 (unless I missed something ??).


    • #3
      I'm using Acegi 1.0.5 and it worked with securing methods of an interface, but when it is not an interface I get an exception.


      • #4
        ok sorry for that, I have just checked Acegi's documentation and it looks like it can work with @Secured on interfaces. I don't know whether it's possible to use it on implementation classes. Sorry I can't help you more on this matter...

        Just one more thing: isn't it possible for you to migrate to Spring Security 2.0? I believe your problem will be solved and ACEGI 1.0 is meant to become deprecated sooner or later...


        • #5
          Yes, I probably will migrate. I think the problem is that the Struts 2 actions are instantiated before the DefaultAdvisorAutoProxyCreator is.


          • #6
            Still the same problem after migrating. It has something to do with the proxy.


            • #7
              If I add this:
              Code:
               <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
              I get this exception:
              Code:
              org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userDao' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: javax/annotation/security/DenyAll
              Caused by: 
              java.lang.NoClassDefFoundError: javax/annotation/security/DenyAll
              	at org.springframework.security.annotation.Jsr250MethodDefinitionSource.processAnnotations(Jsr250MethodDefinitionSource.java:59)
              	at org.springframework.security.annotation.Jsr250MethodDefinitionSource.findAttributes(Jsr250MethodDefinitionSource.java:47)
              	at org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource.computeAttributes(AbstractFallbackMethodDefinitionSource.java:117)
              	at org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource.getAttributes(AbstractFallbackMethodDefinitionSource.java:90)
              	at org.springframework.security.intercept.method.DelegatingMethodDefinitionSource.getAttributes(DelegatingMethodDefinitionSource.java:32)
              	at org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor$MethodDefinitionSourcePointcut.matches(MethodDefinitionSourceAdvisor.java:120)
              	at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:205)
              	at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:244)
              	at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:278)
              	at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:83)
              	at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:66)
              	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:296)
              	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:313)
              	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1181)
              	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:427)
              	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:249)
              	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:155)
              	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:246)
              	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
              	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:285)
              	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
              	at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
              	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:189)
              	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
              	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
              	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
              	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
              	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
              	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
              	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
              	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
              	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
              	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
              	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              	at java.lang.reflect.Method.invoke(Method.java:597)
              	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
              	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
              Really strange...


              • #8
                Hi, usually you don't use both secured-annotations and jsr250-annotations attributes.
                You have to choose between them.

                secured-annotations -> @Secured
                jsr250-annotations -> @RolesAllowed

                Which annotations are you using?

                I believe the error you're getting is related to @RolesAllowed. If you're not using it, can you remove jsr250-annotations="true" and see if you still get an error?



                • #9
                  Hi,

                  I'm using @Secured and I deleted jsr250-annotations="true".
                  Now I can start up without any error, and when I enter a secured area
                  I don't get this error with the proxy, but it seems it still does not work because
                  I have access to those methods even with not secured roles.
                  edit: is it really enough to just add this:

                  <security:global-method-security secured-annotations="enabled"/>
                  and with @Secured({"ROLE"}) make the restriction?

                  edit2: it seems to work on interfaces but not on other classes, hm..


                  edit3: somehow I referenced the old Acegi libraries. I've updated it now, and now I get the first exception again:
                  java.lang.NoSuchMethodException: $Proxy36.execute()

                  Sometimes it's even 35 or 37.
                  Last edited by kukudas; Jun 19th, 2008, 10:05 AM.


                  • #10
                    I'm not sure the role name you have used is correct. Can you try something more conventional such as ROLE_ADMIN?

                    Besides, can you try to put a breakpoint inside the class that holds the @Secured annotation, run in debug mode, and check the type of the instantiated object? It should be using a proxy called $$Proxy1 or something similar. If not, your annotation is not taken into account.

                    Also, is your target class (the one that holds the @Secured annotation) declared as a Spring bean? (it has to).


                    • #11
                      Thanks for your reply. I don't think I can try it today because I'm sick.
                      Yes, the class is in my Spring configuration, but I have scope=prototype because Struts 2 actions are instantiated on every request. Maybe that is the problem? I will try to use another role and see what happens. I don't really know how to debug this class (which is only a class file in the Spring package, I assume).

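Added example, not part of the thread and not Struts, Acegi or Spring code: a plain-JDK reproduction of the `NoSuchMethodException: $ProxyNN.execute()` lookup failure seen in the stack trace above, where `Class.getMethod` is called on a proxied action. `ProxyLookupDemo`, `AdminAction`, `Preparable` and the local `Secured` annotation are hypothetical stand-ins, and the demo assumes the action implements some interface that does not declare `execute()`.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyLookupDemo {
    // Hypothetical stand-in for @Secured so the demo needs no Spring/Acegi jars.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secured { String[] value(); }

    // Hypothetical interface the action implements; it does not declare execute().
    interface Preparable { void prepare(); }

    // Hypothetical action: execute() and its annotation exist only on the class.
    public static class AdminAction implements Preparable {
        public void prepare() { }
        @Secured({"ROLE_ADMIN"})
        public String execute() { return "success"; }
    }

    // Same kind of lookup as in the stack trace: Class.getMethod("execute")
    // on the runtime class of whatever object was handed over.
    static String lookup(Object action) {
        try {
            Method m = action.getClass().getMethod("execute");
            return m.getDeclaringClass().getSimpleName() + ".execute() secured="
                    + m.isAnnotationPresent(Secured.class);
        } catch (NoSuchMethodException e) {
            return "NoSuchMethodException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        final AdminAction target = new AdminAction();
        // Pass-through handler; a security interceptor would sit here.
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] a) throws Throwable {
                return method.invoke(target, a);
            }
        };
        // JDK dynamic proxy: implements the target's interfaces, nothing else.
        Object proxy = Proxy.newProxyInstance(
                AdminAction.class.getClassLoader(),
                AdminAction.class.getInterfaces(), handler);

        System.out.println("target: " + lookup(target));
        System.out.println("proxy : " + lookup(proxy));
        System.out.println("proxy instanceof AdminAction: " + (proxy instanceof AdminAction));
    }
}
```

A JDK dynamic proxy exposes only interface methods, which is consistent with `@Secured` working on interface methods in the thread. A class-based proxy (Spring's `proxyTargetClass` setting on the auto-proxy creator) subclasses the target instead, so public class methods stay visible to reflection.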