  • Protected methods don't seem really protected

    Hello everybody!
    I'm a newbie in Spring Security. The documentation says I can protect methods of every bean I want.

    Like this:

    Code:
    <bean:bean id="target" class="com.mycompany.myapp.MyBean">
        <intercept-methods>
            <protect method="set*" access="ROLE_ADMIN" />
            <protect method="get*" access="ROLE_ADMIN,ROLE_USER" />
            <protect method="doSomething" access="ROLE_USER" />
        </intercept-methods>
    </bean:bean>
    I'm trying to protect only one method of only one bean.

    First I put the following in my applicationContext.xml

    Code:
    <bean id="budget" class="wapapers.budget.model.Budget"/>
    then put the following in applicationContext-security.xml

    Code:
    <global-method-security/>

    <beans:bean id="target" class="wapapers.budget.model.Budget">
        <intercept-methods>
            <protect method="deletePosition" access="ROLE_SUPERVISOR" />
        </intercept-methods>
    </beans:bean>
    Now when I start my app, I can see that it's clear to Spring what I want:

    Code:
    2009-09-10 18:09:02,703 INFO [org.springframework.security.intercept.method.MapBasedMethodDefinitionSource] - Adding secure method [RegisteredMethod[wapapers.budget.model.Budget; public void wapapers.budget.model.Budget.deletePosition(wapapers.budget.model.BudgetPos)]] with attributes [[ROLE_SUPERVISOR]]
    But the application still allows every ROLE to execute this method.

    What's wrong?

    Thank you

  • #2
    You have 2 instances of your Budget, 1 is protected, the other isn't. You must add the intercept stuff to the object you want to protect, not some additional object.



    • #3
      What intercept stuff do I need?

      Marten! Tell me please a little bit more about
      intercept stuff
      I have a feeling I must place some additional Spring beans in my configuration, but can't find which beans.

      Maybe you have samples or resources to read about the subject. The documentation distributed with the Spring Security distribution is too short.

      Thank you



      • #4
        I have a feeling I must place some additional Spring beans in my configuration, but can't find which beans.
        You don't need additional beans. You just don't configure 2 beans, 1 with and 1 without security configuration.



        • #5
          Marten! Thank you for the quick answer
          I followed your instructions and now I have only one entry in security-applicationContext.xml

          Code:
          <global-method-security/>

          <beans:bean id="budget" class="wapapers.budget.model.Budget">
              <intercept-methods>
                  <protect method="deletePosition" access="ROLE_SUPERVISOR" />
              </intercept-methods>
          </beans:bean>
          Debug messages say that Spring understands the restrictions:

          Code:
          2009-09-11 10:59:24,031 INFO [Adding secure method [RegisteredMethod[wapapers.budget.model.Budget; public void wapapers.budget.model.Budget.deletePosition(wapapers.budget.model.BudgetPos)]] with attributes [[ROLE_SUPERVISOR]]
          But I still have the same behavior. Everyone can execute the secured method.

          You told me about intercept stuff. Maybe I need an interceptor?

          P.S. If you'd like we can contact in ICQ 327-970-467



          • #6
            You told me about intercept stuff. Maybe I need an interceptor?
            No you don't.

            I assume you have Spring Security (login etc.) set up correctly? If not, your settings are useless.

            I wasn't talking about 1 entry in the security stuff, I was talking about 1 instance in your WHOLE application.



            • #7
              Ok. I have one instance of my unfortunate bean. Spring knows about it from
              security-applicationContext (maybe it's the wrong place)

              When starting the application I have the standard Spring Security login page.
              I know that I am authorized when logged in.

              I made two logins - one has role ROLE_USER and the other ROLE_SUPERVISOR

              The unlucky method deletePosition is not secured for either role.

              Maybe I should publish all my config files?



              • #8
                wapapers.budget.model.Budget - is it a domain model object? How is it instantiated in the application? Is it read from the database?



                • #9
                  Yes. It is a database object. But it contains a method which I want to be secured. To be honest I must make it clear - I took the very first bean to make sure the Spring Security documentation tells the truth - that I can secure every method of every bean.

                  Now, after your question I have a doubt... Maybe there are some differences when securing database object methods and different kinds of managers or controllers?

                  Tell me please, Andrei!



                  • #10
                    You cannot secure objects from a database in that way, you can only secure beans that are used and obtained from the ApplicationContext.



                    • #11
                      Even if I put this bean in ApplicationContext?



                      • #12
                        It depends on how the object is instantiated in the application. If the object is obtained from the application context, as Marten said, via applicationContext.getBean(...), then the target object is wrapped by a proxy, and the proxy does the authorization. Spring AOP is proxy-based.

                        The alternative ways can be:
                        - using AspectJ-Spring integration via load-time weaving
                        http://static.springsource.org/sprin...-using-aspectj
                        - trying to use some extension points during domain object retrieval, for example, in Hibernate a custom PojoEntityTuplizer + custom PojoInstantiator; in Spring JDBC support a custom RowMapper or custom ResultSetExtractor


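The proxy point made in #12 (and the "one instance" point from #2, #4 and #6), as an added example that is not part of the thread and not Spring's own code. It assumes Spring Security 2.0.x package names (the MapBasedMethodDefinitionSource logger in the posted log belongs to that release), the Budget and BudgetPos classes from the thread with a no-argument BudgetPos constructor, and that the applicationContext-security.xml from #5 (with its <global-method-security/>, the <beans:bean id="budget"> carrying <intercept-methods>, and the authentication-provider the interceptor needs) is loadable on its own from the classpath. The harness class, the user names and the roles are mine.

```java
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

import wapapers.budget.model.Budget;
import wapapers.budget.model.BudgetPos;

/**
 * Added harness, not from the thread: shows that <intercept-methods> only guards the
 * Budget instance the container hands out (an AOP proxy around the real object) and
 * that an instance created with "new", or materialised by an ORM, is the bare class
 * with no interceptor in front of it.  Package names are Spring Security 2.0.x.
 */
public class ProxyCheck {

    /** Put an already-authenticated user with the given roles into the thread's SecurityContext. */
    static void loginAs(String user, String... roles) {
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) {
            authorities[i] = new GrantedAuthorityImpl(roles[i]);
        }
        // The 3-argument constructor marks the token as authenticated, so the
        // MethodSecurityInterceptor goes straight to the ROLE_ check.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, "not-used", authorities));
    }

    /**
     * True when the call never reached the real deletePosition() because Spring
     * Security rejected it.  Any other exception means the call got through to
     * the method body, i.e. no interceptor stood in front of it (or it let it pass).
     */
    static boolean isDenied(Budget budget) {
        try {
            budget.deletePosition(new BudgetPos()); // sample argument, constructed for the example
            return false;
        } catch (AccessDeniedException e) {
            return true;
        } catch (RuntimeException e) {
            return false; // the method body itself failed, so the guard was not in front of it
        }
    }

    public static void main(String[] args) {
        // Assumes the security context file from post #5 is loadable on its own
        // (it also has to contain the authentication-provider the interceptor needs).
        ApplicationContext ctx = new ClassPathXmlApplicationContext("applicationContext-security.xml");

        // 1. The bean definition carrying <intercept-methods> is returned as an AOP proxy.
        Budget managed = (Budget) ctx.getBean("budget");
        System.out.println("container bean is a proxy:         " + AopUtils.isAopProxy(managed));

        loginAs("alice", "ROLE_USER");
        System.out.println("ROLE_USER denied, container bean:  " + isDenied(managed));

        loginAs("bob", "ROLE_SUPERVISOR");
        System.out.println("SUPERVISOR denied, container bean: " + isDenied(managed));

        // 2. An instance built outside the container bypasses the proxy entirely.
        Budget unmanaged = new Budget();
        loginAs("alice", "ROLE_USER");
        System.out.println("new Budget() is a proxy:           " + AopUtils.isAopProxy(unmanaged));
        System.out.println("ROLE_USER denied, new Budget():    " + isDenied(unmanaged));

        SecurityContextHolder.clearContext();
    }
}
```

With the thread's configuration the container bean reports true for the proxy check, true for ROLE_USER and false for ROLE_SUPERVISOR, while the new Budget() instance reports false on every line: the role is enforced only on the object that came out of the ApplicationContext, which is exactly why a Budget loaded by the persistence layer is unprotected. Two caveats follow from the proxy mechanism: Budget declares no interface, so Spring must build a CGLIB subclass proxy, meaning the class cannot be final and needs a no-argument constructor; and the proxy only sees calls that enter from outside, so a call to deletePosition() from another method of the same Budget object also bypasses the check.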

                        • #13
                          Thank you for your answers

                          I'm afraid I have no bean in my application which I get like this

                          Code:
                          applicationContext.getBean(...)
                          There was no need to do it, while I stupidly followed the sample given in the book

                          Agile Java Development with Spring, Hibernate and Eclipse
                          by Anil Hemrajani


                          http://my.safaribooksonline.com/0672328968

                          Maybe I should have another tutorial. Please give me links to the simplest hands-on project on the subject of Spring Security

                          Thank you!
