  • @Secured working... sometimes

    Hi Spring Sec experts,

    Currently I'm working on a Spring application using Spring Security, and we are trying to implement the annotation-based approach and ACLs.

    But, to be honest, I think I'm too stupid to get the annotations running correctly.

    Let me say it clearly:

    The following class is secured with @Secured, and here the @Secured annotation works.

    Code:
    @Transactional
    @Secured({"ROLE_ADMIN", "ACL_TPOSTIT_ACCEPT"})
    public class TUserDaoImpl extends AbstractDao<TUser> implements TUserDao {

        ...

    }
    The following class is also secured, but the @Secured annotation won't work at all. We even tracked it down to SecuredMethodDefinitionSource.class and saw that the annotation is not being processed for this class (but for TUserDaoImpl the annotation is processed!)

    Code:
    @Secured({"ROLE_ADMIN", "ACL_TPOSTIT_ACCEPT"})
    @Transactional
    public class PostitService implements PostitServiceInterface {

        ...

    }
    Okay, we've split the config into several files and include those through a central config:

    web-application-config.xml:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/context
               http://www.springframework.org/schema/context/spring-context-2.5.xsd">

        <!-- Activates annotation-based bean configuration -->
        <context:annotation-config />
        <context:component-scan base-package="com.test.controller" />

        <!-- Imports the configurations of the different infrastructure systems of the application -->
        <import resource="dao.xml" />
        <import resource="data-access-config.xml" />
        <import resource="security-config.xml" />
        <import resource="dwr-config.xml" />
    </beans>
    In dao.xml we define all DAOs, so there is nothing special in there, nor in dwr-config.xml.

    But here is the data-access-config.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:context="http://www.springframework.org/schema/context"
           xmlns:tx="http://www.springframework.org/schema/tx"
           xmlns:aop="http://www.springframework.org/schema/aop"
           xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/context
               http://www.springframework.org/schema/context/spring-context-2.5.xsd
               http://www.springframework.org/schema/tx
               http://www.springframework.org/schema/tx/spring-tx-2.5.xsd
               http://www.springframework.org/schema/aop
               http://www.springframework.org/schema/aop/spring-aop-2.5.xsd">

        <!-- Instructs Spring to perform declarative transaction management on annotated classes -->
        <context:component-scan base-package="com.test.controller"/>

        <!-- Transactions are driven by the annotations on the classes -->
        <tx:annotation-driven />

        <aop:aspectj-autoproxy />

        <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping"/>
        <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter"/>

        <bean id="dataSource"
        ...
        </bean>

        <bean id="redisDS"
        ...
        </bean>

        <bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">
        ...
            <property name="annotatedClasses">
                <list>
                    <value>entities.MAnswerPrice</value>
                    <value>entities.MAnswerService</value>
                    ... (all annotated entities)
                </list>
            </property>
            <property name="dataSource" ref="dataSource" />
        </bean>

        <bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
            <property name="sessionFactory" ref="sessionFactory" />
        </bean>

        <bean id="masterExHandler" class="errorhandling.exceptions.MasterExceptionHandler" />
    </beans>
    Okay, and here is spring-security.xml:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:util="http://www.springframework.org/schema/util"
           xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-2.0.xsd
               http://www.springframework.org/schema/util
               http://www.springframework.org/schema/util/spring-util-2.5.xsd">

        <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                    /**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
                </value>
            </property>
        </bean>

        <!-- enable Annotations -->
        <security:global-method-security secured-annotations="enabled" access-decision-manager-ref="businessAccessDecisionManager"/>

        <security:http auto-config="true">
            <!--
                login-page: That's the place where the user is taken when he is not logged in but the section of the page needs authentication; example: login-page="/Login.htm"
            -->
            <security:form-login login-page="/login.vev" authentication-failure-url="/login.vev?login_error=true" default-target-url="/app/default.vev" login-processing-url="/j_spring_security_check"/>
            <security:logout invalidate-session="true" logout-url="/j_spring_logout" logout-success-url="/?logout=true"/>
            <security:intercept-url pattern="/app/**" access="ROLE_USER, ROLE_MASTER_ADMIN, ROLE_ADMIN" />
            <!--  <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN, ROLE_SUPPORT" /> -->
        </security:http>

        <bean id="PostitService" class="security.PostitService"></bean>

        <bean id="formAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
            <property name="defaultTargetUrl">
                <value>/app/default.vev</value>
            </property>
            <property name="authenticationManager">
                <ref bean="authenticationManager" />
            </property>
        </bean>

        <bean id="userDetails" class="security.VeventionUserDetailService" />

        <bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <!-- org.springframework.security.providers.dao.DaoAuthenticationProvider -->
            <security:custom-authentication-provider/>
            <property name="userDetailsService" ref="userDetails" />
            <!-- <property name="saltSource" ref="salt" />-->
            <property name="passwordEncoder" ref="encoder"/>
            <property name="userCache">
                <bean class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
                    <property name="cache" ref="ehcache" />
                </bean>
            </property>
        </bean>

        <bean id="encoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
        <bean id="salt" class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
            <property name="systemWideSalt" value="mySalt" />
        </bean>

        <bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
            <property name="cacheManager" ref="cacheManager" />
            <property name="cacheName" value="userCache" />
        </bean>

        <bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
            <property name="configLocation" value="/WEB-INF/config/ehcache.xml" />
        </bean>

        <bean id="httpSessionContextIntegrationFilter"
              class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

        <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
            <property name="authenticationEntryPoint">
                <ref bean="formLoginAuthenticationEntryPoint" />
            </property>
        </bean>

        <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
            <property name="authenticationManager">
                <ref bean="authenticationManager" />
            </property>
            <property name="accessDecisionManager">
                <ref bean="accessDecisionManager" />
            </property>
            <property name="objectDefinitionSource">
                <value>
                    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                    PATTERN_TYPE_APACHE_ANT
                </value>
            </property>
        </bean>

        <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider" />
                </list>
            </property>
        </bean>

        <!-- accessDecisionManager for HTTP -->
        <bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
            <property name="allowIfAllAbstainDecisions" value="true"/>
            <property name="decisionVoters">
                <list>
                    <ref bean="roleVoter" />
                </list>
            </property>
        </bean>

        <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />

        <!-- ACL Decision Manager -->
        <bean id="businessAccessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
            <property name="allowIfAllAbstainDecisions" value="false"/>
            <property name="decisionVoters">
                <list>
                    <ref local="aclReportAcceptVoter"/>
                </list>
            </property>
        </bean>

        <!-- An access decision voter that reads ACL_TPOSTIT_ACCEPT configuration settings -->
        <bean id="aclReportAcceptVoter" class="org.springframework.security.vote.AclEntryVoter">
            <constructor-arg ref="aclService"/>
            <constructor-arg value="ACL_TPOSTIT_ACCEPT"/>
            <constructor-arg>
                <list>
                    <util:constant id="acceptPermission" static-field="security.ExtendedPermission.ACCEPT"/>
                </list>
            </constructor-arg>
            <property name="internalMethod" value="getUser"/>
            <property name="objectIdentityRetrievalStrategy">
                <bean class="security.UserNameRetrievalStrategy"/>
            </property>
            <property name="processDomainObjectClass" value="security.PostitService"/>
        </bean>

        <bean id="aclService" class="security.InMemoryAclServiceImpl"/>

        <bean id="formLoginAuthenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl">
                <value>/Start.htm?t=1</value>
            </property>
            <property name="forceHttps">
                <value>false</value>
            </property>
        </bean>
    </beans>
    So, I hope someone can tell me why my TUserDaoImpl gets the annotation applied and why my service class does not.

    I hope I've given you all the information you need!

    Kind regards :-)

  • #2
    After banging my head against the screen for several nights I finally found out what was happening: I instantiated the bean myself :-D A beginner's mistake; it took me days to find out and I'll never do that again - I promised myself!

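    As an added illustration of the cause found in post #2 (example code, not from the thread): the @Secured rule lives in a proxy that only exists when the container creates the bean, so an object built with `new PostitService()` is never checked. PostitService and PostitServiceInterface are the post's names; the controller, the accept() method and the startup check are assumptions, and the check relies on the <context:annotation-config/> already present in the posted config.

```java
package security;

import javax.annotation.PostConstruct;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.annotation.Secured;

// Hypothetical interface standing in for the post's PostitServiceInterface.
interface PostitServiceInterface {
    void accept(long postitId);
}

// Same class-level rule as in the thread. Spring enforces it by wrapping the
// *container-created* bean in a proxy that runs MethodSecurityInterceptor
// before the real method; the class itself contains no security code.
@Secured({"ROLE_ADMIN", "ACL_TPOSTIT_ACCEPT"})
class PostitService implements PostitServiceInterface {
    public void accept(long postitId) {
        // business logic (assumed)
    }
}

// Hypothetical caller, itself a Spring bean (e.g. picked up by component-scan).
class PostitController {

    // WRONG: a bare instance. No proxy exists, so accept() runs for any caller,
    // authenticated or not. This is the mistake described in post #2.
    private final PostitServiceInterface unsecured = new PostitService();

    // RIGHT: the container supplies the proxied bean; every call through the
    // interface is checked by businessAccessDecisionManager first. The field is
    // typed as the interface because the default proxy is a JDK interface proxy.
    @Autowired
    private PostitServiceInterface postitService;

    // Startup check: fail fast if the injected service is not a proxy, i.e. if
    // global-method-security did not wrap the bean (missing bean definition,
    // missing security namespace, or a manual `new` inside a factory).
    @PostConstruct
    void verifyMethodSecurityApplied() {
        if (!AopUtils.isAopProxy(postitService)) {
            throw new IllegalStateException(
                "PostitService is not proxied; @Secured will not be enforced");
        }
    }

    public void acceptPostit(long id) {
        postitService.accept(id);   // access decision happens here, before the body runs
        // unsecured.accept(id);    // would bypass @Secured entirely
    }
}
```

    The same bypass occurs for self-invocation inside PostitService (a method calling another on `this`), because that call never passes through the proxy either.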


    • #3
      Thanks HAMB, you saved me from another two days of trying to get the annotations working.
