Announcement Announcement Module
Collapse
No announcement yet.
Verify secure method execution, before real execution. Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Verify secure method execution, before real execution.

    Hi all,

    Everything related to secure execution of methods is working fine here. It happens, we need to know before hand, if the authenticated user would be authorized to execute a method which is under the net.sf.acegisecurity.intercept.method.aopalliance. MethodSecurityInterceptor custody, with the proper object definition source in place.

    This is important to us, since secure method execution is based ni ACL entries for a given object in a certain context execution. We do need to know if the user will be allowed to execute a method before actually executing it.

    Our object definition source is a mixed set of ROLES and BasicAclEntryVoters. We are passing a domain object as an argument in our secured business methods, and the BasicAclEntryVoters are related to the class for the mentioned domain object.

    Actually, we have an extended fake MethodSecurityInterceptor that just checks for execution privileges returning the AccessDenny exception if any, and then it is NOT executing the real method. I find this current approach to get this answer a little bit rough / force brute thing.

    Is there another call in the API we can use just to check if a given method would be allow to or deny to without using a fake extended MethodSecurityInterceptor ?

    Thanks in advance,

    Gustavo

  • #2
    Re: Verify secure method execution, before real execution.

    Originally posted by gfaerman
    Is there another call in the API we can use just to check if a given method would be allow to or deny to without using a fake extended MethodSecurityInterceptor ?
    You should be able to write a simple MethodInvocationPrivilegeEvaluator class that has the ObjectDefinitionSource and AccessDecisionManager as collaborators. It would have a single method:

    public boolean allowed(MethodInvocation, Authentication);

    Of course, you'll need the Authentication to have GrantedAuthority[]s, but that should be OK as generally you'll have that available from the ContextHolder. The only semi-difficult thing to do is create a MethodInvocation, but that's surprisingly easy - check out the unit test's MockMethodInvocation for an example (note that many of the getters do not need to be implemented).

    I'll add this to JIRA, as it'd be a good general-purpose feature: http://opensource.atlassian.com/proj.../browse/SEC-18

    Comment


    • #3
      Thank you very much for your attention Ben.

      Will give it try.

      Cheers,
      Gustavo.

      Comment

      Working...
      X