  • Method security with struts2 makes all request params in action NULL

    I need to use method security in my Struts2 application. It works as I want: it denies users with no permission and allows access when the user has a proper one.
    But when a user with granted access gets into the secured method, which is a method of the Struts action, all request params there, for some reason, are set to NULL.
    Please help me resolve the issue if anybody has already faced it. Or maybe someone could share their knowledge of how to properly configure a Struts2 application to use Spring Security method security.
    Last edited by dubrovsky; Jan 23rd, 2009, 09:01 AM.

  • #2
    My Test case #1 - unsuccessful

    OK. No one could help. That's why I had to do it myself.
    Here is what I managed to find out:
    Test case #1
    1. applicationContext-beans.xml
    Code:
    <bean id="ZajavsR_A" class="com.bivc.infmclient.actions.ZajavsR_A" scope="prototype" />
    2.applicationContext-security.xml
    Code:
    <global-method-security >
          <protect-pointcut expression="execution(* com.bivc.infmclient.actions.ZajavsR_A.view(..))" access="ROLE_SUPERVISOR"/>
    </global-method-security>
    <http auto-config="true">
          <intercept-url pattern="/*.do" access="ROLE_USER" />
          <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
    3. ZayavsR_I.java
    Code:
    public interface ZayavsR_I {
      public String view();
    }
    4. ZajavsR_A.java
    Code:
    public class ZajavsR_A extends InfmClientSupport_A implements ZajavsDAOAware, JSONAware, ZayavsR_I {
      public ZajavsR_A(){}
      
      public String view() {
        // SOME CODE HERE
    
        return SUCCESS;
      }
    }
    5. infmclient-support.xml - Struts2 config
    Code:
    <package name="zajavs-support" namespace="/" extends="infmclient-default">
        <action name="Zajavs_*" method="{1}" class="ZajavsR_A">
          <result name="success" type="json"/>
          <result name="input">/jsp/ZajavsOMP.jsp</result>
        </action>
     </package>
    As a result, I had the problem described above: all request params in the ZajavsR_A.java Struts action class are set to NULL. Maybe I am missing something here, maybe some config params which I don't know about. Who can point out my mistake?

    • #3
      My Test case #2 - still unsuccessful

      Let's try another way.
      1. applicationContext-beans.xml
      Code:
      <bean id="ZajavsR_A" class="com.bivc.infmclient.actions.ZajavsR_A" scope="prototype" />

      <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager" />
      <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />

      <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <property name="decisionVoters">
          <list>
            <ref bean="roleVoter" />
          </list>
        </property>
      </bean>

      <bean id="objectDefinitionSource" class="org.springframework.security.intercept.method.MapBasedMethodDefinitionSource" />

      <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource" ref="objectDefinitionSource"/>
      </bean>

      <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="proxyTargetClass" value="true"/>
        <property name="beanNames">
          <value>
            ZajavsR_A
          </value>
        </property>
        <property name="interceptorNames">
          <list>
            <value>methodSecurityInterceptor</value>
          </list>
        </property>
      </bean>
      2. applicationContext-security.xml
      Code:
      <global-method-security >
      <protect-pointcut expression="execution(* com.bivc.infmclient.actions.ZajavsR_A.view(..))" access="ROLE_SUPERVISOR"/>
      </global-method-security>
      <http auto-config="true">
            <intercept-url pattern="/*.do" access="ROLE_USER" />
            <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
      </http>
      <authentication-provider>
          <password-encoder hash="md5"/>
          <user-service>
              <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
              <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
          </user-service>
      </authentication-provider>
      3. ZayavsR_I.java - not used anymore, as I'll proxy the target class, not the interface
      4. ZajavsR_A.java
      Code:
      public class ZajavsR_A extends InfmClientSupport_A implements ZajavsDAOAware, JSONAware/*, ZayavsR_I*/ {
        public ZajavsR_A(){}
        
        public String view() {
          // SOME CODE HERE
      
          return SUCCESS;
        }
      }
      5. infmclient-support.xml - Struts2 config - the same as in the code above.

      Here I always receive this unexpected error:
      Initialization of bean failed; nested exception is org.springframework.aop.framework.AopConfigException: Could not generate CGLIB subclass of class [class $Proxy6]: Common causes of this problem include using a final class or a non-visible class; nested exception is java.lang.IllegalArgumentException: Cannot subclass final class class $Proxy6

      and so on...
      I didn't understand why my action class became final, as I couldn't find any final classes or methods in it or in its parent classes.
      As a result, I didn't manage to solve the error. Who knows what the problem is here and how to resolve it?

      • #4
        My Test case #3 - at long last successful!

        1. applicationContext-beans.xml
        Code:
        <bean id="ZajavsR_A" class="com.bivc.infmclient.actions.ZajavsR_A" scope="prototype" />

        <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager" />
        <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />

        <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
          <property name="decisionVoters">
            <list>
              <ref bean="roleVoter" />
            </list>
          </property>
        </bean>

        <!--bean id="objectDefinitionSource" class="org.springframework.security.intercept.method.MapBasedMethodDefinitionSource" /-->

        <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
          <property name="authenticationManager" ref="authenticationManager"/>
          <property name="accessDecisionManager" ref="accessDecisionManager"/>
          <property name="objectDefinitionSource">
            <value>
              com.bivc.infmclient.actions.ZajavsR_A.view=ROLE_SUPERVISOR
            </value>
          </property>
        </bean>

        <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
          <property name="proxyTargetClass" value="true"/>
          <property name="beanNames">
            <value>
              ZajavsR_A
            </value>
          </property>
          <property name="interceptorNames">
            <list>
              <value>methodSecurityInterceptor</value>
            </list>
          </property>
        </bean>
        Notice here that objectDefinitionSource is configured directly in MethodSecurityInterceptor.

        2. applicationContext-security.xml
        Code:
        <global-method-security >
        <!--protect-pointcut expression="execution(* com.bivc.infmclient.actions.ZajavsR_A.view(..))" access="ROLE_SUPERVISOR"/-->
        </global-method-security>
        <http auto-config="true">
              <intercept-url pattern="/*.do" access="ROLE_USER" />
              <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        </http>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
                <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
        protect-pointcut is removed here...

        Other configs are the same as in test case #2.
        And suddenly everything began to work as expected.

        OK, guys. I spent nearly an hour of my working day writing these posts, as English isn't my native language. I hope that someone could find the time to share their experience and help me solve the issues described in test cases #1 and #2.

        • #5
          My Test case #1 problem is resolved and is also successful!

          In order not to receive NULL request params in a Struts2 action when using AspectJ pointcut expressions in the <global-method-security> element, just put the params' setters in your interface, where your protected methods are declared. For example:
          Code:
          public interface ZayavsR_I {
            public String view();                // protected method
            public void setLimit(Integer limit); // request param
            public void setStart(Integer start); // request param
            public void setType(Integer type);   // request param
          }
          The point is that the interface ZayavsR_I is used to proxy the class with the protected method. Spring creates a proxy object over our interface (ZayavsR_I here); by default, this way of protecting methods works only through interfaces. The proxy is then used by Spring to protect our method (view() here) and by the OGNL engine to fill the action's params (limit, start and type here).

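          The mechanism behind test cases #1, #2 and #5, as an added example rather than code from the thread: a JDK dynamic proxy implements only the interfaces it was built for, so a setter that is missing from the interface is invisible to a reflective parameter binder and the request param stays null (test case #1); and the generated proxy class is final, which is the "Cannot subclass final class class $Proxy6" error of test case #2, where the <global-method-security> pointcut had already wrapped the bean in an interface proxy before BeanNameAutoProxyCreator, with proxyTargetClass="true", tried to subclass it with CGLIB. InterfaceProxyDemo, SampleAction, ViewOnly, ViewWithParams and RoleCheckingHandler are constructed stand-ins for the action, its interface and MethodSecurityInterceptor, not Spring or Struts classes.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Proxy;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration, not code from the thread. All types below are
 * constructed stand-ins: SampleAction for the Struts action, ViewOnly /
 * ViewWithParams for the poster's interface before and after the fix,
 * RoleCheckingHandler for Spring's MethodSecurityInterceptor.
 */
public class InterfaceProxyDemo {

    /* Interface as in test case #1: only the protected method is declared. */
    public interface ViewOnly {
        String view();
    }

    /* Interface as in post #5: the request-param setter is declared too. */
    public interface ViewWithParams extends ViewOnly {
        void setLimit(Integer limit);
    }

    /* Stand-in for the Struts action class. */
    public static class SampleAction implements ViewWithParams {
        private Integer limit;
        public void setLimit(Integer limit) { this.limit = limit; }
        public String view() { return "limit=" + limit; }
    }

    /* Stand-in for MethodSecurityInterceptor: method name -> role required to call it. */
    static class RoleCheckingHandler implements InvocationHandler {
        private final Object target;
        private final Map<String, String> requiredRole;
        private final Set<String> callerRoles;

        RoleCheckingHandler(Object target, Map<String, String> requiredRole, Set<String> callerRoles) {
            this.target = target;
            this.requiredRole = requiredRole;
            this.callerRoles = callerRoles;
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            String needed = requiredRole.get(m.getName());
            if (needed != null && !callerRoles.contains(needed)) {
                throw new SecurityException("access denied to " + m.getName() + ": requires " + needed);
            }
            return m.invoke(target, args);   // unprotected methods (setters, toString) pass straight through
        }
    }

    /* Wraps the action in a JDK proxy that implements only `iface`; view() requires ROLE_SUPERVISOR. */
    static Object proxyFor(Object target, Class<?> iface, Set<String> roles) {
        return Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface},
                new RoleCheckingHandler(target, Map.of("view", "ROLE_SUPERVISOR"), roles));
    }

    /* What a parameter binder does with "limit=5": look the setter up on the object it was handed. */
    static boolean bindLimit(Object action, Integer value) {
        try {
            Method setter = action.getClass().getMethod("setLimit", Integer.class);
            setter.invoke(action, value);
            return true;
        } catch (NoSuchMethodException e) {
            return false;               // the proxy does not expose the setter, so the param stays null
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        Set<String> supervisor = Set.of("ROLE_SUPERVISOR", "ROLE_USER");

        // Test case #1: the proxy implements ViewOnly, so the setter is unreachable.
        Object narrow = proxyFor(new SampleAction(), ViewOnly.class, supervisor);
        System.out.println("ViewOnly proxy, setter bound: " + bindLimit(narrow, 5));
        System.out.println("ViewOnly proxy, view(): " + ((ViewOnly) narrow).view());

        // Post #5 fix: the setter is on the interface, so binding reaches the target.
        Object wide = proxyFor(new SampleAction(), ViewWithParams.class, supervisor);
        System.out.println("ViewWithParams proxy, setter bound: " + bindLimit(wide, 5));
        System.out.println("ViewWithParams proxy, view(): " + ((ViewOnly) wide).view());

        // Authorization still applies: a ROLE_USER-only caller is rejected before view() runs.
        Object asUser = proxyFor(new SampleAction(), ViewWithParams.class, Set.of("ROLE_USER"));
        try {
            ((ViewOnly) asUser).view();
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        // Test case #2: a JDK proxy class is final, which is what CGLIB complained about
        // when asked to subclass an already-proxied bean ($Proxy6 in the error text).
        System.out.println("proxy class is final: " + Modifier.isFinal(wide.getClass().getModifiers()));
    }
}
```

          Compile and run with javac and java. The ViewOnly proxy reports that the setter could not be bound and view() sees a null limit; the ViewWithParams proxy binds it; the ROLE_USER caller is rejected; and the proxy class reports final. The same applies to Struts: OGNL only sees what the proxy class exposes, so either every setter that should receive a request param is declared on the interface (post #5), or the action is proxied by subclass (proxyTargetClass="true", as in test case #3, with only one proxy creator acting on the bean) so that all of its public setters survive.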
          • #6
            needing a little help

            Hello.

            I tried to follow your first successful test case (test case #3). Everything works fine except for a few things:

            Here is my directory layout:

            /jsp > resources can be accessed by "USER", "ADMIN" and "SUPER"
            /jsp/admin > resources here can be accessed by "ADMIN" and "SUPER" only
            /jsp/admin/secured > resources here can be accessed by "SUPER" only

            Assuming the logged-in user has the "USER" role:
            if I access /jsp/admin/admin.jsp using this URL: http://localhost:8080/<my_proj>/jsp/admin/Admin.action, the page is redirected to 403.jsp -> accessDenied
            but if I access it using this URL: http://localhost:8080/<my_proj>/jsp/Admin.action, the page /jsp/admin/admin.jsp is rendered, which is not correct. Can you please walk me through?

            Here are my config files:

            security.xml
            Code:
            <global-method-security> <!--  jsr250-annotations="enabled" access-decision-manager-ref="accessDecisionManager" /> -->
            </global-method-security>

            <http auto-config="true" session-fixation-protection="none"
                  access-decision-manager-ref="accessDecisionManager">
                <intercept-url pattern="/jsp/*.jsp" access="_MUST_NOT_BE_ACCESSED" />
                <intercept-url pattern="/jsp/admin/*.jsp" access="_MUST_NOT_BE_ACCESSED" />
                <intercept-url pattern="/jsp/admin/secured/*.jsp" access="_MUST_NOT_BE_ACCESSED" />
                <intercept-url pattern="/jsp/*.action" access="USER,ADMIN" />
                <intercept-url pattern="/jsp/admin/*.action" access="ADMIN" />
                <intercept-url pattern="/jsp/admin/secured/*.action" access="SUPER" />
                <form-login login-page="/index.jsp" default-target-url="/jsp/Home.action"
                            authentication-failure-url="/index.jsp?login_error=true" />
            </http>

            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"
                    users-by-username-query="select username, password, enable from employee where username=?"
                    authorities-by-username-query="select username, role from employee where username=?" />
            </authentication-provider>

            <beans:bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager" />

            <beans:bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
                <beans:property name="rolePrefix" value="" />
            </beans:bean>

            <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
                <beans:property name="decisionVoters">
                    <beans:list>
                        <beans:ref bean="roleVoter" />
                    </beans:list>
                </beans:property>
            </beans:bean>

            <beans:bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
                <beans:property name="authenticationManager" ref="authenticationManager" />
                <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
                <beans:property name="objectDefinitionSource">
                    <beans:value>
                        com.goldenway.action.AdminAction.execute=ADMIN
                    </beans:value>
                </beans:property>
            </beans:bean>

            <beans:bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
                <beans:property name="proxyTargetClass" value="true" />
                <beans:property name="beanNames">
                    <beans:value>
                        AdminAction
                    </beans:value>
                </beans:property>
                <beans:property name="interceptorNames">
                    <beans:list>
                        <beans:value>methodSecurityInterceptor</beans:value>
                    </beans:list>
                </beans:property>
            </beans:bean>

            <beans:bean id="AdminAction" class="com.goldenway.action.AdminAction" scope="prototype" />
            struts.xml
            Code:
            <package name="com.goldenway.action" extends="struts-default">
                <action name="Home" class="com.goldenway.action.HomeAction">
                    <result name="success">/jsp/home.jsp</result>
                </action>

                <action name="Admin" class="com.goldenway.action.AdminAction">
                    <result name="success">/jsp/admin/admin.jsp</result>
                </action>
            </package>
            Have I missed something?

            thanks:
            -marckun

            related post: http://forum.springsource.org/showthread.php?t=74854

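            Replaying marckun's <intercept-url> rules against the two URLs in the post, as an added example that is not part of the thread: the URL layer matches the request path, not the action class, so /jsp/Admin.action is governed by the /jsp/*.action rule (USER,ADMIN) while /jsp/admin/Admin.action is governed by /jsp/admin/*.action (ADMIN), and a USER-role caller passes the first and fails the second. The patterns and access lists are copied from the post; InterceptUrlDemo, Rule, the Ant-style matcher and the role check are constructed stand-ins for Spring Security's Ant path matcher and RoleVoter/AffirmativeBased, not Spring code.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added illustration, not code from the thread or from Spring. First-match
 * evaluation of the post's <intercept-url> list, the way the <http> filter
 * chain decides which access attributes apply to a request path.
 */
public class InterceptUrlDemo {

    /* One <intercept-url>: Ant-style pattern plus the roles that satisfy it. */
    record Rule(String pattern, Set<String> access) {
        /* Ant syntax to regex: ** spans directories, * and ? stay inside one path segment. */
        Pattern toRegex() {
            StringBuilder sb = new StringBuilder();
            String p = pattern.toLowerCase();
            for (int i = 0; i < p.length(); i++) {
                char c = p.charAt(i);
                if (c == '*' && i + 1 < p.length() && p.charAt(i + 1) == '*') {
                    sb.append(".*");
                    i++;
                } else if (c == '*') {
                    sb.append("[^/]*");
                } else if (c == '?') {
                    sb.append("[^/]");
                } else {
                    sb.append(Pattern.quote(String.valueOf(c)));
                }
            }
            return Pattern.compile(sb.toString());
        }
    }

    /* The post's rules in the order they appear; the first match decides. */
    static final List<Rule> RULES = List.of(
            new Rule("/jsp/*.jsp", Set.of("_MUST_NOT_BE_ACCESSED")),
            new Rule("/jsp/admin/*.jsp", Set.of("_MUST_NOT_BE_ACCESSED")),
            new Rule("/jsp/admin/secured/*.jsp", Set.of("_MUST_NOT_BE_ACCESSED")),
            new Rule("/jsp/*.action", Set.of("USER", "ADMIN")),
            new Rule("/jsp/admin/*.action", Set.of("ADMIN")),
            new Rule("/jsp/admin/secured/*.action", Set.of("SUPER")));

    /* First matching rule for a servlet path, or null if none matches (the filter then lets it through). */
    static Rule firstMatch(String path) {
        String p = path.toLowerCase();   // the 2.x Ant matcher compares lowercased paths by default
        for (Rule r : RULES) {
            if (r.toRegex().matcher(p).matches()) {
                return r;
            }
        }
        return null;
    }

    /* RoleVoter with an empty rolePrefix (as configured in the post) under AffirmativeBased:
       any one of the caller's roles appearing in the rule's access list grants access. */
    static boolean permitted(String path, Set<String> callerRoles) {
        Rule r = firstMatch(path);
        if (r == null) {
            return true;
        }
        for (String a : r.access()) {
            if (callerRoles.contains(a)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> plainUser = Set.of("USER");   // the poster's scenario: a USER-only login
        for (String path : List.of("/jsp/admin/Admin.action", "/jsp/Admin.action", "/jsp/admin/admin.jsp")) {
            Rule r = firstMatch(path);
            System.out.printf("%-26s -> rule %-28s access=%s -> USER permitted: %b%n",
                    path,
                    r == null ? "(none)" : r.pattern(),
                    r == null ? "-" : r.access(),
                    permitted(path, plainUser));
        }
    }
}
```

            Because the struts.xml package declares no namespace, Struts resolves the Admin action under /jsp/ as well as /jsp/admin/ (a request whose namespace has no matching action falls back to the default namespace), and the JSP it forwards to is an internal dispatch that the /jsp/admin/*.jsp rule never sees. Two changes close the gap: give each Struts package a namespace so that an action has exactly one path for the URL rules to key on, and make the method-level rule actually reach the action. In the struts.xml above the action is referenced by class name, whereas the BeanNameAutoProxyCreator only wraps the bean named AdminAction; referencing the bean id instead (class="AdminAction", as test case #3 does with class="ZajavsR_A") makes Struts obtain the proxied bean, so AdminAction.execute=ADMIN is enforced no matter which URL reached it.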