Spring Authentication With DWR

  • #31
    I'm already protecting method calls (we started the thread from there).
    The point is that I don't want to ask for permission to use it, but to ask "if I ask permission, would you let me?".
    The difference is that it should not trigger any event.

    Regards,



    • #32
      What we should do is to call the AccessDecisionManager decide method with a

      - ConfigAttributeDefinition object ,
      - authentication defined in securityContext ,
      - object comes from the query (this is the one we have to define),
      - ConfigAttributeDefinition config

      How will we fill all this?
      I have been doing some research, and we have to go deep into the reflection API and the AOP part... (I'm really a newbie here, but we will figure it out!).

      Regards,



      • #33
        AK - I get it... Finally

        I'm pretty new to that as well. It would be nice if the AccessDecisionManager had something like:

        AccessDecisionManager.isCallable(/*String*/ qualifiedClassName, /*String*/ methodName);

        So the AccessDecisionManager would look up the roles the principal has, and for each role test to see whether the role is allowed to call the method.

        Or we could just implement it like that by creating a Map<role, Set<methods>> and then seeing whether the method is in the set returned per role.

        I'll open another thread and see whether Spring has something like this as part of the AccessDecisionManager API, unless you already know or have a different idea?



        • #34
          Not even a clue!!!
          Just ask! I will keep looking into it.
          I think that we have to craft an object with the request, and just skip the hard parts for a start (like parameters, and extensibility).
          You can write to the DWR mailing list to notify our achievements!
          Regards,



          • #35
            Hmm...Shoot you're right - we need to think about method argument types.

            I guess we need to pass:
            - className
            - methodName
            - argTypes

            And look up the method.

            I guess for each method we could construct a string using the class name, argumentTypes, and method name like this:

            className: com.example.ServiceClass
            methodName: specialService
            sequencedArgumentType: Map(<String, Set<String, int>), String, int

            And the qualified name of the method would be

            com.example.ServiceClass + "." + specialService + "." + Map(<String, Set<String, int>)Stringint

            Or something like that...



            • #36
              OK - I asked about isCallable here:
              http://forum.springsource.org/showth...022#post245022



              • #37
                Hi!,
                They have already implemented something like this!!!
                http://jira.springframework.org/browse/SEC-18
                http://forum.springsource.org/showth...ecisionManager

                It is already implemented in org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator

                Code:
                public boolean isAllowed(MethodInvocation mi, Authentication authentication)
                And to build the MethodInvocation object there is a utility class called org.acegisecurity.util.MethodInvocationUtils that has some methods for that, like

                Code:
                MethodInvocation create(Object object, String methodName)
                We just have to do the mapping from the JavaScript object to the Spring instance from DWR.
                I'm looking into it,

                regards,



                • #38
                  Originally posted by nickar:
                  Hi!,
                  They have already implemented something like this!!!
                  http://jira.springframework.org/browse/SEC-18
                  http://forum.springsource.org/showth...ecisionManager

                  It is already implemented in org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator

                  Code:
                  public boolean isAllowed(MethodInvocation mi, Authentication authentication)
                  And to build the MethodInvocation object there is a utility class called org.acegisecurity.util.MethodInvocationUtils that has some methods for that, like

                  Code:
                  MethodInvocation create(Object object, String methodName)
                  We just have to do the mapping from the JavaScript object to the Spring instance from DWR.
                  I'm looking into it,

                  regards,
                  Sooo..., I've found what we were looking for.

                  Code:
                  // ctx is the javax.servlet.ServletContext; DWR's ServerContextFactory gives access to its Container
                  org.directwebremoting.Container ct = org.directwebremoting.ServerContextFactory.get(ctx).getContainer();
                  // jsObjName is the name the bean is exposed under in JavaScript
                  Object obj = ct.getBean(jsObjName);

                  org.aopalliance.intercept.MethodInvocation mi = org.acegisecurity.util.MethodInvocationUtils.create(obj, methodName);

                  // isAllowed is an instance method, so 'evaluator' must be a configured MethodInvocationPrivilegeEvaluator
                  return evaluator.isAllowed(mi, authentication);
                  I haven't tested it, but I think it seems right!
                  I'll test this.
                  Regards,



                  • #39
                    That rocks! I was up until 3 a.m. playing with reflection and attempting an algorithm to understand how it could work. Thank God we don't need to go down that route!



                    • #40
                      Originally posted by ole.ersoy:
                      That rocks! I was up until 3 a.m. playing with reflection and attempting an algorithm to understand how it could work. Thank God we don't need to go down that route!
                      I'm almost there.
                      Check this out:
                      Code:
                          // Asks the evaluator whether the current principal could invoke jsBeanName.methodName
                          public boolean isCallable(String jsBeanName, String methodName) {
                              Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                              // ServerContextFactory.get(null) has no ServletContext to work with; see the NPE reported further down
                              Container ct = ServerContextFactory.get(null).getContainer();
                              Object obj = ct.getBean(jsBeanName);

                              MethodInvocation mi = MethodInvocationUtils.create(obj, methodName);

                              // Does not compile as written: isAllowed is an instance method, not a static one
                              return MethodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);
                          }
                      The only thing that is not working is MethodInvocationPrivilegeEvaluator: its methods are not static, so I have to get an instance of this object from somewhere (I guess from the Spring configuration).

                      Let's finish with this!!!

                      Regards,



                      • #41
                        Well, this is it!

                        Please, give it a try.

                        SecurityServiceImpl.java
                        Code:
                        package org.siri.seguridad;

                        import org.acegisecurity.Authentication;
                        import org.acegisecurity.AuthenticationException;
                        import org.acegisecurity.AuthenticationManager;
                        import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
                        import org.acegisecurity.GrantedAuthority;
                        import org.acegisecurity.context.SecurityContextHolder;

                        import org.acegisecurity.util.MethodInvocationUtils;
                        import org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator;

                        import org.directwebremoting.Container;
                        import org.directwebremoting.WebContextFactory;

                        import org.aopalliance.intercept.MethodInvocation;

                        public class SecurityServiceImpl implements SecurityService {

                            // Both collaborators are injected from applicationContext.xml (see the bean definitions below)
                            AuthenticationManager authenticationManager;

                            public AuthenticationManager getAuthenticationManager() {
                                return authenticationManager;
                            }

                            public void setAuthenticationManager(AuthenticationManager authenticationManager) {
                                this.authenticationManager = authenticationManager;
                            }

                            MethodInvocationPrivilegeEvaluator methodInvocationPrivilegeEvaluator;

                            public MethodInvocationPrivilegeEvaluator getMethodInvocationPrivilegeEvaluator() {
                                return methodInvocationPrivilegeEvaluator;
                            }

                            public void setMethodInvocationPrivilegeEvaluator(MethodInvocationPrivilegeEvaluator methodInvocationPrivilegeEvaluator) {
                                this.methodInvocationPrivilegeEvaluator = methodInvocationPrivilegeEvaluator;
                            }

                            // Authenticates and stores the result in the SecurityContext of the current (DWR) request
                            public boolean login(String username, String password) {
                                Authentication authentication = new UsernamePasswordAuthenticationToken(username, password);
                                try {
                                    authentication = authenticationManager.authenticate(authentication);
                                } catch (AuthenticationException badCredentials) {
                                    // authenticate() throws on bad credentials; report that as a failed login
                                    return false;
                                }
                                if (authentication.isAuthenticated()) {
                                    SecurityContextHolder.getContext().setAuthentication(authentication);
                                    return true;
                                }
                                return false;
                            }

                            // Role names of the current principal (empty array if nobody is logged in)
                            public String[] getAuthorities() {
                                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                                if (authentication == null) {
                                    return new String[0];
                                }
                                GrantedAuthority[] ga = authentication.getAuthorities();
                                String[] retA = new String[ga.length];
                                for (int i = 0; i < ga.length; i++)
                                    retA[i] = ga[i].getAuthority();

                                return retA;
                            }

                            public void logout() {
                                SecurityContextHolder.getContext().setAuthentication(null);
                            }

                            // "Would the current principal be allowed to call jsBeanName.methodName?" without calling it
                            public boolean isCallable(String jsBeanName, String methodName) {
                                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                                // WebContextFactory.get() works inside a DWR request thread (unlike ServerContextFactory.get(null))
                                Container ct = WebContextFactory.get().getContainer();
                                Object obj = ct.getBean(jsBeanName);

                                MethodInvocation mi = MethodInvocationUtils.create(obj, methodName);
                                if (mi == null) {
                                    // create() returns null when no such method exists: treat it as not callable
                                    return false;
                                }

                                return methodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);
                            }
                        }
                        SecurityService.java
                        Code:
                        package org.siri.seguridad;

                        public interface SecurityService {
                            public boolean login(String username, String password);
                            public String[] getAuthorities();
                            public void logout();
                            public boolean isCallable(String jsBeanName, String methodName);
                        }
                        You have to add 2 definitions in applicationContext.xml because of the methodInvocationPrivilegeEvaluator instantiation:
                        Code:
                            <bean id="methodInvocationPrivilegeEvaluator" class="org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator">
                                <property name="securityInterceptor">
                                    <ref bean="serviceSecurityInterceptor" />
                                </property>
                            </bean>
                            <bean id="securityService" class="org.springframework.aop.framework.ProxyFactoryBean">
                                <property name="target">
                                    <bean class="org.siri.seguridad.SecurityServiceImpl">
                                        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
                                        <property name="methodInvocationPrivilegeEvaluator"><ref bean="methodInvocationPrivilegeEvaluator"/></property>
                                    </bean>
                                </property>
                                <property name="proxyInterfaces">
                                    <value>org.siri.seguridad.SecurityService</value>
                                </property>
                                <dwr:remote javascript="securityService"></dwr:remote>
                            </bean>
                        And!!!..., you will have to add the DWR dependency to your POM
                        Code:
                            <dependency>
                                <groupId>org.directwebremoting</groupId>
                                <artifactId>dwr</artifactId>
                                <version>2.0.3</version>
                            </dependency>
                        Regards!

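The class below is an added example and is not code from this thread, from DWR or from Acegi. It is a hypothetical DwrCallableChecker that follows the same pattern as the SecurityServiceImpl posted above (exposed through DWR, with the methodInvocationPrivilegeEvaluator bean injected as a property) and adds the handling a "can I call this?" hint should have: an anonymous caller, an unknown bean name and an unknown method all come back as "not callable" (fail closed, and nothing is thrown back to the browser); a particular overload can be selected by passing sample argument values; and a list of method names can be filtered for a menu. The three-argument MethodInvocationUtils.create(Object, String, Object[]) overload is assumed to exist in the reader's Acegi version; only the two-argument form appears in the thread.

```java
package org.siri.seguridad; // package name taken from the thread; the class itself is hypothetical

import java.util.ArrayList;
import java.util.List;

import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator;
import org.acegisecurity.util.MethodInvocationUtils;
import org.aopalliance.intercept.MethodInvocation;
import org.directwebremoting.Container;
import org.directwebremoting.WebContextFactory;

/**
 * Answers "would the current principal be allowed to call this DWR-exposed
 * method?" without invoking it. The evaluator calls AccessDecisionManager.decide()
 * directly against the MethodSecurityInterceptor's definition source, so the
 * interceptor itself never runs and no authorization event is published.
 * Hypothetical class: not part of the thread, DWR or Acegi.
 */
public class DwrCallableChecker {

    private MethodInvocationPrivilegeEvaluator methodInvocationPrivilegeEvaluator;

    // Injected from applicationContext.xml, like the thread's securityService bean
    public void setMethodInvocationPrivilegeEvaluator(MethodInvocationPrivilegeEvaluator evaluator) {
        this.methodInvocationPrivilegeEvaluator = evaluator;
    }

    /** Checks by name only; MethodInvocationUtils picks the first method with that name. */
    public boolean isCallable(String jsBeanName, String methodName) {
        return isCallable(jsBeanName, methodName, null);
    }

    /**
     * Checks a specific overload: the runtime types of the sample args select the method.
     * Returns false instead of throwing on any lookup problem, because a UI hint must fail
     * closed; the binding decision is still made by the interceptor when the real call happens.
     */
    public boolean isCallable(String jsBeanName, String methodName, Object[] args) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            // Anonymous caller: nothing to decide for, and no reason to do the bean lookup
            return false;
        }

        // Only valid on a DWR request thread; ServerContextFactory.get(null) is what NPE'd in the thread
        Container container = WebContextFactory.get().getContainer();
        Object target;
        try {
            target = container.getBean(jsBeanName);
        } catch (RuntimeException notFound) {
            // DWR's Spring container delegates to the BeanFactory, which throws for unknown names
            return false;
        }
        if (target == null) {
            return false;
        }

        // Assumed overload: create(Object, String, Object[]) resolves the method from the argument types
        MethodInvocation mi = (args == null)
                ? MethodInvocationUtils.create(target, methodName)
                : MethodInvocationUtils.create(target, methodName, args);
        if (mi == null) {
            // MethodInvocationUtils returns null when no such method exists on the target
            return false;
        }

        // Turns AccessDeniedException into false; nothing on the target is executed
        return methodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);
    }

    /** Convenience for building menus: the subset of methodNames the current user may call. */
    public String[] callableSubset(String jsBeanName, String[] methodNames) {
        List allowed = new ArrayList();
        for (int i = 0; i < methodNames.length; i++) {
            if (isCallable(jsBeanName, methodNames[i])) {
                allowed.add(methodNames[i]);
            }
        }
        return (String[]) allowed.toArray(new String[allowed.size()]);
    }
}
```

Because the target returned by the container is the ProxyFactoryBean proxy, the MethodInvocation is built from the proxy's method; this only gives a correct answer when the evaluator's securityInterceptor is the same MethodSecurityInterceptor that secures those beans, which is the wiring shown in the applicationContext.xml above. The answer is a hint for hiding or disabling UI elements: the interceptor still decides at call time.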


                        • #42
                          I was wondering whether it needed some collaborators, but it does not look like it:

                          http://static.springsource.org/sprin...Evaluator.html

                          So I'm guessing it gets everything it needs in the constructor. I'll try just creating an instance and making the call:

                          Code:
                          MethodInvocationPrivilegeEvaluator methodInvocationPrivilegeEvaluator
                                  = new MethodInvocationPrivilegeEvaluator();
                          // Constructed like this the evaluator has no securityInterceptor, which isAllowed() reads;
                          // it has to be set (setSecurityInterceptor) or the evaluator taken from the Spring configuration.

                          return methodInvocationPrivilegeEvaluator.isAllowed(methodInvocation, authentication);
                          At least the IDE is not complaining.



                          • #43
                            I have already solved that.
                            Look at the post I've done before you.
                            Regards,



                            • #44
                              Hmmm...This part is not working for me:

                              Code:
                              Container container =
                                      ServerContextFactory.get(null).getContainer();
                              Getting an NPE



                              • #45
                                Well it's about time! Can you do it a little quicker next time?

                                OK - Playing now - Thanks!
