Using Customized securityMetadataSource (Spring-security3)
This topic is closed

  • Using Customized securityMetadataSource (Spring-security3)

    Hi all,

    I'm trying to use the database as source of authorization instead of the XML configuration files (like in http://java.dzone.com/tips/pathway-a...ty-#viewSource) using springSecurity3.
    I've got a problem when injecting securityMetadataSource in the filterInvocationInterceptor.
    After debugging, I discovered that mySecurityMetadataSource is set on the interceptor, but then it's overridden by defaultSecurityMetadataSource, so that the securedObject is considered as needing AnonymousAuthentication instead of the authentication defined in the database!

    config:

    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    	<authentication-manager alias="authenticationManager" />
    	<beans:bean id="accessDecisionManager"
    		class="org.springframework.security.access.vote.AffirmativeBased">
    		<beans:property name="allowIfAllAbstainDecisions"
    			value="false" />
    		<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:bean class="org.springframework.security.access.vote.RoleVoter" />
    				<beans:bean
    					class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    	<beans:bean id="filterInvocationInterceptor"
    		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    		<beans:property name="authenticationManager" ref="authenticationManager" />
    		<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    		<beans:property name="securityMetadataSource" ref="mySecureResourceFilter" />
    	</beans:bean>
    	
    <beans:bean id="mySecureResourceFilter" class="com.sabbat.afsa.mamchetech.MySecureResourceFilter" />
    	
    	<beans:bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter">
    		<custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
    	</beans:bean>
    	
    	<http auto-config="false" access-denied-page="/403.jsp">
    		<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
    		<form-login login-page="/login.jsp"
    			authentication-failure-url="/login-failure.jsp" default-target-url="/" />
    		<logout logout-success-url="/login.jsp" />
    	</http>
    
    	<authentication-provider>
    		<password-encoder hash="md5" />
    		<user-service>
    			<user name="rod" password="a564de63c2d0da68cf47586ee05984d7"
    				authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    		</user-service>
    	</authentication-provider>
    </beans:beans>

  • #2
    If you are using the namespace then you can't replace the FilterSecurityInterceptor that it uses. You have to use an explicitly configured FilterChainProxy if you want to do this.

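A sketch of the explicitly configured FilterChainProxy that reply #2 describes, written for Spring Security 3.0 as an added example; it is not code from either poster. It assumes the `authenticationManager`, `accessDecisionManager` and `mySecureResourceFilter` beans from the original post are defined elsewhere in the context. The bean ids for the filters, the five-filter chain and the anonymous key are illustrative choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- No <security:http> element here: it would register its own FilterSecurityInterceptor. -->
  <!-- The DelegatingFilterProxy in web.xml must be named after this bean id. -->
  <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <security:filter-chain-map path-type="ant">
      <!-- Order matters: context, login, anonymous, exception translation, then authorization last. -->
      <security:filter-chain pattern="/**"
          filters="securityContextFilter,formLoginFilter,anonymousFilter,exceptionTranslationFilter,filterInvocationInterceptor"/>
    </security:filter-chain-map>
  </bean>

  <bean id="securityContextFilter"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
  <bean id="formLoginFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
  </bean>
  <!-- The database-backed metadata source must allow this anonymous authority on /login.jsp. -->
  <bean id="anonymousFilter"
        class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="CHANGE_ME_ANON_KEY"/> <!-- placeholder value -->
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
  </bean>
  <bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <property name="authenticationEntryPoint">
      <bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/login.jsp"/>
      </bean>
    </property>
    <property name="accessDeniedHandler">
      <bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
        <property name="errorPage" value="/403.jsp"/>
      </bean>
    </property>
  </bean>
  <!-- The only FilterSecurityInterceptor in the chain, so the custom source is the one consulted. -->
  <bean id="filterInvocationInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="securityMetadataSource" ref="mySecureResourceFilter"/>
  </bean>
</beans>
```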