Spring Authentication With DWR
This topic is closed

  • #61
    Ooops - Thanks for pointing that out Luke. I think the MethodInvocationUtils class might still be busted though. I updated the tests to use the createFromClass method like this:

    Code:
    	public void testMethodInvocation()
    	{
    		MethodInvocation methodInvocation =
    			MethodInvocationUtils.
    			createFromClass(AuthenticationServiceImpl.class, "login");

    		// createFromClass returns null here, which is the behaviour being reported
    		assertNull(methodInvocation);
    	}

    	public void testFindMethod()
    	{
    		String methodName = "login";

    		boolean methodFound = false;

    		// the method itself is visible through plain reflection
    		for (Method m : AuthenticationServiceImpl.class.getMethods())
    		{
    			if (m.getName().equals(methodName))
    			{
    				methodFound = true;
    			}
    		}
    		assertTrue(methodFound);
    	}
    }
    Thoughts? Thanks again!

    Comment


    • #62
      Incidentally I created a ticket:
      http://jira.springframework.org/browse/SEC-1177

      Comment


      • #63
        Originally posted by ole.ersoy View Post
        ...

        So as you're saying I'm sure DWR has the algorithm for constructing the object array that is the method arguments. Except they are doing it with the proxy call parameters. So they must have a utility class for figuring out the type of a parameter and they are using that to build the Object[] argument array used to find the method. So for example with:

        proxy.method(String, int);
        proxy.method(String, String);

        They need to figure out whether the second argument is a String or an int.

        In our case I think we need something like:

        Map<String, Object[]>

        The String key would be the method declaration with arguments. For example:

        com.example.MyClass#myMethod(Array<int>, String)

        And the Object[] would be the corresponding argument array.

        So we would use the method string to look up the argument array and then pass that along with the method name to MethodInvocationUtils.create(Object object, String methodName, Object[] args)....Once MethodInvocationUtils gets fixed....

        OK - I'm going to play more with your code now to see whether I can get it working on my end.

        Again - Nice work!
        2 things that we can do with this:
        - keep it simple if we can: just object and methodName for now, and then going complex later.
        - keep the code in order: by creating common interfaces and packages, and fragmenting implementation if needed.

        I think that it is quite difficult to work out the multiple-method approach for us and for the user, because it is difficult to express (as we are not sending the actual parameters, we need to define a language to express argument types; it could be an array of strings, where the strings are the class names, but I don't think it is practical :S).

        Regards,

        Comment


        • #64
          I think keeping it simple for now is a good idea. I'm guessing 99% of use cases will not require the method overloading scenario, and even if they do they could just create a wrapper with a different method name and they're good.

          Comment


          • #65
            Well, so, what do we do with the other matter?
            Can we use org.acegisecurity package for this? Perhaps org.acegisecurity.extras or something like that.

            Why don't we modularize this in some way?
            The authorization and authentication via service is useful not just for DWR but for any remoting method.
            Perhaps we can make some generalization, and reuse this code to implement explicit authorization and authentication for other platforms.

            Regards,

            Comment


            • #66
              See my comments in your issue.

              BTW, you seem to be using a mix of Acegi and Spring Security. Is that just coincidence? I'd recommend you stick with the Spring version since Acegi is now deprecated.

              Comment


              • #67
                Originally posted by Luke Taylor View Post
                See my comments in your issue.

                BTW, you seem to be using a mix of Acegi and Spring Security. Is that just coincidence? I'd recommend you stick with the Spring version since Acegi is now deprecated.
                You are right Luke, I'm still using Acegi :S, just because there was no need to upgrade (in the middle of a project with Acegi).
                We must stick with Spring Security, though.
                Thanks,

                Comment


                • #68
                  I think acegisecurity has been deprecated, now that it's an official Spring project. Perhaps:

                  org.springframework.security.extras...


                  I like the idea of generalizing for remoting in general. I think we just need to provide an additional:

                  isCallable(Object object, String methodName) on the Authorization interface...

                  We can create a Spring JIRA ticket and see whether the Spring developers wish to have any of this included with Spring, and we can go from there. WDYT?

                  Comment


                  • #69
                    Originally posted by ole.ersoy View Post
                    I think acegisecurity has been deprecated, now that it's an official Spring project. Perhaps:

                    org.springframework.security.extras...
                    OK, let's propose that one,

                    I like the idea of generalizing for remoting in general. I think we just need to provide an additional:

                    isCallable(Object object, String methodName) on the Authorization interface...
                    And which would be the interface, and the implementation classes for DWR in this case?
                    Because if we change String jsBeanName for Object object, we can't remote this class but we have to make a wrapper for it.

                    We can create a Spring JIRA ticket and see whether the Spring developers wish to have any of this included with Spring, and we can go from there. WDYT?
                    Do it!!!

                    this implementation throws a plain exception if there are 2 methods with the same name:
                    Code:
                        public boolean isCallable(String jsBeanName, String methodName) throws Exception {

                            // look up the DWR-exposed bean by its script name
                            Container ct = WebContextFactory.get().getContainer();
                            Object obj = ct.getBean(jsBeanName);

                            MethodInvocation mi = null;
                            for (Method m : obj.getClass().getMethods())
                                if (m.getName().equals(methodName)) {
                                    // the first match is kept; a second method with the same name is rejected
                                    if (mi == null)
                                        mi = new SimpleMethodInvocation(m, null);
                                    else
                                        throw new Exception("Method repeated Exception");
                                }

                            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

                            return methodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);
                        }

                    Comment
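
The duplicate-name check from post #69, as an added stand-alone example that is not part of the thread and not Spring Security or DWR code. It uses plain reflection only, skips compiler-generated bridge methods so they are not mistaken for overloads, and rejects unknown names before any authorization call; `UniqueMethodResolver`, `Store` and `NoteStore` are hypothetical names.

```java
import java.lang.reflect.Method;

public class UniqueMethodResolver {

    /** Returns the single public method called methodName, or throws. */
    static Method resolveUnique(Class<?> type, String methodName) {
        Method found = null;
        for (Method m : type.getMethods()) {
            // Compiler-generated bridge/synthetic methods share the name of the
            // real method; counting them would report a false "overload".
            if (m.isBridge() || m.isSynthetic() || !m.getName().equals(methodName)) {
                continue;
            }
            if (found != null) {
                throw new IllegalStateException("Overloaded method: " + methodName);
            }
            found = m;
        }
        if (found == null) {
            // Unknown name: fail here instead of handing null to the authorization check.
            throw new IllegalArgumentException("No public method: " + methodName);
        }
        return found;
    }

    // Constructed sample types (hypothetical, for illustration only).
    interface Store<T> { void save(T item); }

    static class NoteStore implements Store<String> {
        public void save(String item) { }          // compiler adds a bridge save(Object)
        public void find(String id) { }
        public void find(String id, int limit) { } // genuine overload
    }

    public static void main(String[] args) {
        // "save" resolves to one method even though a bridge method exists.
        System.out.println(resolveUnique(NoteStore.class, "save"));
        // "find" is a real overload and "delete" does not exist; both are rejected.
        for (String name : new String[] {"find", "delete"}) {
            try {
                resolveUnique(NoteStore.class, name);
            } catch (RuntimeException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```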


                    • #70
                      OK - Cool - (I like the exception in the event of duplicate methods addition) I'll create the ticket, once I'm done testing stuff out. BTW - Maybe we should not tie the API to DWR, and hence the servlet API, at all. So only provide the method:

                      isCallable(Object object, methodName)

                      Then have the code:

                      Code:
                      		
                      Container container =
                      	WebContextFactory.get().getContainer();

                      Object object = container.getBean(dwrProxyName);
                      In a utility method specific to DWR, and we can combine the two in our application specific service method.

                      Comment


                      • #71
                        And how would we be doing that?
                        Some example, please.

                        Regards,

                        Comment


                        • #72
                          Actually maybe our discussion about method overloading is a "Moo" point.

                          The DWR test page has the following message for overloaded methods:

                          Javascript does not support overloaded methods, so the javascript file generated from this class will contain two methods the second of which will replace the first. This is probably not what you wanted.

                          It is best to avoid overloaded methods when using DWR.

                          Comment


                          • #73
                            Originally posted by ole.ersoy View Post
                            Actually maybe our discussion about method overloading is a "Moo" point.

                            The DWR test page has the following message for overloaded methods:
                            I didn't know that DWR didn't support or avoided supporting overloaded methods.
                            I thought that it did support it by sending the parameters and checking server-side if there was a method with those parameters.

                            Either way, it is an interesting and productive discussion, and it is not wrong to assume the general case if we want to expand support to other remoting methods.

                            For the moment, let's keep it simple and just raise an exception.

                            Regards,

                            Comment


                            • #74
                              OK - I'll clean this up a little better for the DWR demo project, but we have a utility method like this:

                              Code:
                              	public Object lookupDWRProxiedObjectBySpringBeanID(String springBeanID)
                              	{
                              		Container container = 
                              			WebContextFactory.get().getContainer();
                              
                              		return container.getBean(springBeanID);
                              	}
                              And the isCallable Method like this:

                              Code:
                              	public boolean isCallable(Object object, String methodName)
                              	{
                              		Authentication authentication =
                              			SecurityContextHolder.
                              			getContext().
                              			getAuthentication();

                              		MethodInvocation methodInvocation = null;

                              		// find the method by name on the target object
                              		for (Method method : object.getClass().getMethods())
                              		{
                              			if (method.getName().equals(methodName))
                              			{
                              				methodInvocation = new SimpleMethodInvocation(object, method, null);
                              			}
                              		}

                              		MethodInvocationPrivilegeEvaluator methodInvocationPrivilegeEvaluator
                              			= new MethodInvocationPrivilegeEvaluator();

                              		// ask the evaluator whether the current user may invoke it
                              		return methodInvocationPrivilegeEvaluator.
                              				isAllowed(
                              						methodInvocation,
                              						authentication);
                              	}
                              And on class SomeService

                              Code:
                              public boolean isCallable(String dwrProxyBeanID, String methodName)
                              {
                                  // resolve the DWR proxy name to the underlying Spring bean
                                  Object object = lookupDWRProxiedObjectBySpringBeanID(dwrProxyBeanID);

                                  return AuthorizationService.isCallable(object, methodName);
                              }
                              Disclaimer: I still need to test....

                              Comment


                              • #75
                                Strange - I'm still getting null when doing this:

                                Code:
                                        		methodInvocation = new SimpleMethodInvocation(object, method,null);
                                I've tested the object and it's an instance of AuthenticationService. I've also tested that the method is found, by returning true if it is. I've even tested that this

                                methodInvocation = new SimpleMethodInvocation(object, method,null);

                                works in a regular unit test, and it does. It's just not working during integration testing...

                                Comment
