
  • AccessDecisionVoter.supports(Class)

    I want to add a custom Voter that is able to vote on MethodInvocation objects, so naturally I did

    Code:
        public boolean supports(Class clazz)
        {
            if (MethodInvocation.class.isAssignableFrom(clazz))
                return true;
            else
                return false;
        }
    I added that to my context with
    Code:
        <bean id="_accessManager" class="org.springframework.security.vote.AffirmativeBased">
            <property name="decisionVoters">
                <list>
                    <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />
                    <bean id="AuthenticateVoter" class="org.springframework.security.vote.AuthenticatedVoter"/>
                    <bean id="IpmVoter" class="com.teamware.office.toss.security.IpmVoter"/>
                </list>
            </property>
        </bean>
    but that then causes an Exception from
    Code:
    Caused by: java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.intercept.web.FilterInvocation
    	at org.springframework.util.Assert.isTrue(Assert.java:65)
    	at org.springframework.security.intercept.AbstractSecurityInterceptor.afterPropertiesSet(AbstractSecurityInterceptor.java:178)
    I am therefore lost on how I can simply add a voter to do preauthentication checks on method calls as it seems the voter cannot return false ever.

    Any ideas?
    Antony

  • #2
    It looks to me like your supports(Class) method is supposed to check against FilterInterceptor instead of MethodInterceptor. The AbstractSecurityInterceptor is passing a FilterInterceptor into the supports method instead of a MethodInterceptor.



    • #3
      Originally posted by Bron:
      It looks to me like your supports(Class) method is supposed to check against FilterInterceptor instead of MethodInterceptor. The AbstractSecurityInterceptor is passing a FilterInterceptor into the supports method instead of a MethodInterceptor.
      This is the second call to this method during startup, the first is given a MethodInvocation class, so it returns true. My vote method needs to inspect the method arguments, so it cannot support FilterInvocation, so when this is called 2nd time, it returns false.

      This code is based on the ContactSecurityVoter mentioned in the ref guide (but the source is no longer part of the distro) and that does exactly the same.

      https://fisheye.springsource.org/bro...ter.java?r=269



      • #4
        You are using the name "_accessManager" which is the namespace-defined name used internally by Spring Security. You shouldn't use any names starting with an underscore which might conflict with the namespace beans.

        You are probably overwriting the default implementation and your AccessDecisionManager is being used for both web and method security. If you want to use a custom implementation, then set it using the "access-decision-manager-ref" attribute on the <global-method-security> element instead.



        • #5
          Originally posted by Luke Taylor:
          You are using the name "_accessManager" which is the namespace-defined name used internally by Spring Security. You shouldn't use any names starting with an underscore which might conflict with the namespace beans.

          You are probably overwriting the default implementation and your AccessDecisionManager is being used for both web and method security. If you want to use a custom implementation, then set it using the "access-decision-manager-ref" attribute on the <global-method-security> element instead.
          Thanks Luke - I did that and it works!

          I was originally trying to add a new Voter to the default access manager and couldn't see how that could be done - documentation's not clear about that - is it possible?

          By providing my own access manager, does that mean that the internal "_accessManager" bean is still used for web security?



          • #6
            Originally posted by adb:
            Thanks Luke - I did that and it works!

            I was originally trying to add a new Voter to the default access manager and couldn't see how that could be done - documentation's not clear about that - is it possible?
            No. Configuring an AccessDecisionManager isn't too onerous and is more flexible/cleaner. It makes more sense to use that as the customization point.

            By providing my own access manager, does that mean that the internal "_accessManager" bean is still used for web security?
            Yes. Unless you also set the appropriate attribute on the <http> element (or FilterSecurityInterceptor if you are using plain beans). Check out the reference manual namespace chapter and appendix.

            Comment
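The configuration described in posts #4 and #6, written out as an added example (not code posted by anyone in the thread): the custom manager gets an id without a leading underscore and is wired to method security only, so the namespace's internal "_accessManager" keeps handling FilterInvocation for web requests. The bean id `methodAccessManager`, the schema versions, `secured-annotations="enabled"` and the `intercept-url` rule are assumptions; the voter class names are the ones from the first post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Web security: no access-decision-manager-ref is set on <http>, so the
         namespace-created "_accessManager" still decides on FilterInvocation.
         The intercept-url rule is a constructed sample. -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="ROLE_USER"/>
    </security:http>

    <!-- Method security: only this interceptor uses the custom manager, so the
         startup check calls supports(MethodInvocation.class) on its voters and
         never asks them about FilterInvocation. -->
    <security:global-method-security
            secured-annotations="enabled"
            access-decision-manager-ref="methodAccessManager"/>

    <!-- Hypothetical id; anything not starting with "_" avoids replacing the
         namespace's internal beans. -->
    <bean id="methodAccessManager"
          class="org.springframework.security.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.vote.RoleVoter"/>
                <bean class="org.springframework.security.vote.AuthenticatedVoter"/>
                <!-- Custom voter whose supports(Class) accepts MethodInvocation only -->
                <bean class="com.teamware.office.toss.security.IpmVoter"/>
            </list>
        </property>
    </bean>
</beans>
```

With this layout the voter's supports(Class) can keep returning false for FilterInvocation, because no web interceptor is wired to the manager that contains it.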
