MethodSecurityInterceptor to use Interfaces for privileges
This topic is closed
  • MethodSecurityInterceptor to use Interfaces for privileges

    Hi,

    We have recently migrated from using Acegi to Spring Security. The majority of things work in a similar way and we have needed only some changes in the XML configuration files to use the new classes in the majority of cases.

    But there is one area where we've noticed a big difference, which is when securing method invocations. Acegi's MethodSecurityInterceptor used to take a list of methods to protect, in the objectDefinitionSource property, based on the fully qualified name of the interface. In the case of Spring Security, this seems to have changed and now it only takes the fully qualified name of the implementation class instead.

    Have a look at the interface and class definitions below:

    Code:
    package com.mycompany.Card;
    public interface Card
    {
      public boolean isExpired();
      ....
    }
    
    package com.mycompany.Card.impl;
    public class CardTypeA implements Card
    {
      public boolean isExpired()
      {
         // Implementation A here
      }
    ....
    }
    
    package com.mycompany.Card.impl;
    public class CardTypeB implements Card
    {
      public boolean isExpired()
      {
         // Implementation B here
      }
    ....
    }

    In Acegi, I'd have had the following configuration:
    Code:
    ....
        <property name="objectDefinitionSource">
          <value>
               com.mycompany.Card.isExpired=ROLE_X
          </value>
    ....

    In Spring Security, it seems that I must do the following instead:
    Code:
    ....
        <property name="objectDefinitionSource">
          <value>
               com.mycompany.Card.impl.CardTypeA.isExpired=ROLE_X
               com.mycompany.Card.impl.CardTypeB.isExpired=ROLE_X
          </value>
    ....

    The inconvenience is that if I happen to have loads of different implementations for a particular Card, I would have to add a lot more entries, one per implementation.


    Does anybody know why this change has been put in place and whether I'm stuck with it or there are any other interceptors in Spring Security that can take the qualified names of interfaces instead of classes?

    Thanks
    Juan Cervera
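
Added illustration, not part of the original post and not Spring Security's or Acegi's code: a plain-Java lookup over entries shaped like the `objectDefinitionSource` values above, showing that a class-keyed list returns no role for an implementation nobody listed, while an interface-keyed entry covers every implementation. `CardTypeC`, the `parse`, `collectTypes` and `rolesFor` helpers, and the use of simple class names in place of fully qualified ones are assumptions made for the example.

```java
import java.util.*;

public class MethodRoleLookup {
    interface Card { boolean isExpired(); }
    static class CardTypeA implements Card { public boolean isExpired() { return false; } }
    static class CardTypeB implements Card { public boolean isExpired() { return true; } }
    // Hypothetical implementation added after the configuration was written.
    static class CardTypeC implements Card { public boolean isExpired() { return false; } }

    // Parse "Type.method=ROLE[,ROLE]" lines, the shape of the <value> body in the post.
    static Map<String, List<String>> parse(String value) {
        Map<String, List<String>> map = new HashMap<>();
        for (String line : value.split("\n")) {
            line = line.trim();
            int eq = line.indexOf('=');
            if (line.isEmpty() || eq < 0) continue;
            String[] roles = line.substring(eq + 1).trim().split("\\s*,\\s*");
            map.put(line.substring(0, eq).trim(), Arrays.asList(roles));
        }
        return map;
    }

    // Collect the class, its superclasses and every interface they implement.
    static void collectTypes(Class<?> c, Set<Class<?>> out) {
        if (c == null || !out.add(c)) return;
        collectTypes(c.getSuperclass(), out);
        for (Class<?> i : c.getInterfaces()) collectTypes(i, out);
    }

    // Most specific match wins: the concrete class is tried before its interfaces.
    static List<String> rolesFor(Map<String, List<String>> map, Object target, String method) {
        Set<Class<?>> types = new LinkedHashSet<>();
        collectTypes(target.getClass(), types);
        for (Class<?> t : types) {
            List<String> roles = map.get(t.getSimpleName() + "." + method);
            if (roles != null) return roles;
        }
        return Collections.emptyList(); // no entry: the call would go unchecked
    }

    public static void main(String[] args) {
        Map<String, List<String>> byInterface = parse("Card.isExpired=ROLE_X");
        Map<String, List<String>> byClass =
            parse("CardTypeA.isExpired=ROLE_X\nCardTypeB.isExpired=ROLE_X");
        for (Card c : new Card[] { new CardTypeA(), new CardTypeB(), new CardTypeC() }) {
            System.out.println(c.getClass().getSimpleName()
                + " interface-keyed=" + rolesFor(byInterface, c, "isExpired")
                + " class-keyed=" + rolesFor(byClass, c, "isExpired"));
        }
    }
}
```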