  • Spring / Acegi / RMI

    Hey there

    I've been trying for hours now to find out if I'm too lazy, stupid or stupid... I just want to secure the methods provided through RMI with Acegi. So here is what I did:

    1. I implemented the access over RMI. Works fine.
    2. I added in the applicationContext.xml
    Code:
    <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="interceptorNames">
          <list><value>securityInterceptor</value></list>
        </property>
        <property name="beanNames">
          <list>
              <value>orderService</value>
              <value>controllerService</value>
              <value>dataService</value>
          </list>
        </property>
      </bean>
    
      <!-- This bean specifies which roles are authorized to execute which methods. -->
      <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
          <value>
              ch.hslu.appe.fs1001.service.DataServiceImpl.*=ROLE_TYPIST,ROLE_SYSADMIN,ROLE_SHOPMANAGER
              ch.hslu.appe.fs1001.service.ControllerServiceImpl.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER
              ch.hslu.appe.fs1001.service.OrderServiceImpl.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER,ROLE_VENDOR
          </value>
        </property>
      </bean>
    
      <!-- This bean specifies which roles are assigned to each user. You'll notice  -->
      <!-- that I'm using an in-memory database implementation instead of using  -->
      <!-- LDAP or a "real" database. The ACEGI-provided in-memory implementation is great for testing! -->
      <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
          <value>
            manager=manager,ROLE_SHOPMANAGER
            worker=worker,ROLE_VENDOR
            typist=typist,ROLE_TYPIST
          </value>
        </property>
      </bean>
    
      <!-- This bean specifies that a user can access the protected methods -->
      <!-- if they have any one of the roles specified in the objectDefinitionSource above. -->
      <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="decisionVoters">
          <list><ref bean="roleVoter"/></list>
        </property>
      </bean>
    
      <!-- The next three beans are boilerplate. They should be the same for nearly all applications. -->
      <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
          <list><ref bean="authenticationProvider"/></list>
        </property>
      </bean>
    
      <bean id="authenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService"/>
      </bean>
    
      <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>
    3. I start the server once again:
    Code:
    import org.springframework.context.ApplicationContext;
    import org.springframework.context.support.ClassPathXmlApplicationContext;

    // load the security config together with the RMI exporter config
    ApplicationContext appCtx = new ClassPathXmlApplicationContext(
            new String[] { "applicationContext.xml", "context-rmi.xml" });

    OrderAppRMIServer server = (OrderAppRMIServer) appCtx.getBean("server");
    server.run();
    4. I start the client, which should now be unable to access the methods... but it still can, without even slowing down or anything else :-(

    In the log file I can find what Acegi did:
    INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public void ch.hslu.appe.fs1001.service.ControllerServiceImpl.setOrderDao(ch.hslu.appe.fs1001.dao.OrderDAO)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
    2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public void ch.hslu.appe.fs1001.service.ControllerServiceImpl.setCustomerDao(ch.hslu.appe.fs1001.dao.CustomerDAO)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
    2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [private ch.hslu.appe.fs1001.dto.CustomerDTO ch.hslu.appe.fs1001.service.ControllerServiceImpl.convertCustomerToCustomerDTO(ch.hslu.appe.fs1001.domain.Customer)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
    2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public java.util.List ch.hslu.appe.fs1001.service.ControllerServiceImpl.getOrdersByClient(int)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
    2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public java.util.List ch.hslu.appe.fs1001.service.ControllerServiceImpl.getOrdersByState(ch.hslu.appe.fs1001.dto.OrderState)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
    What's my mistake (besides my English :-) )????

    Thanks a lot
    Joe

    P.S.: Does anybody know an example project for what I'm trying to do?
    Last edited by bayden; Apr 6th, 2010, 04:40 PM.

  • #2
    Got it

    Here are my mistakes (just for people with the same problem):

    1. You have to point to the Interfaces, not the implementations:
    Code:
    <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="objectDefinitionSource">
          <value>
              ch.hslu.appe.fs1001.service.DataService.*=ROLE_TYPIST,ROLE_SYSADMIN,ROLE_SHOPMANAGER
              ch.hslu.appe.fs1001.service.ControllerService.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER
              ch.hslu.appe.fs1001.service.OrderService.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER,ROLE_VENDOR
          </value>
        </property>
      </bean>
    2. I work with NetBeans. There you have to clean and build the project so that the applicationContext.xml is replaced for Spring (took some hours to find out :-( ). Otherwise changes have no effect, of course.

    3. On the client you have to pass the SecurityContext
    (for example for the DataService):
    Code:
    <bean id="dataService"
            class="org.springframework.remoting.rmi.RmiProxyFactoryBean">
            <property name="serviceUrl" value="rmi://localhost:1099/DataService"/>
            <property name="serviceInterface" value="ch.hslu.appe.fs1001.service.DataService"/>
            <property name="remoteInvocationFactory"><ref bean="remoteInvocationFactory"/></property>
        </bean>
    
        <bean id="remoteInvocationFactory" class="org.acegisecurity.context.rmi.ContextPropagatingRemoteInvocationFactory"/>
    In the program, set up the SecurityContext:
    Code:
    import org.acegisecurity.Authentication;
    import org.acegisecurity.context.SecurityContextHolder;
    import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

    // Security ------------------------------------------------------------
    // the RMI service can only be accessed with a SecurityContext in place;
    // the ContextPropagatingRemoteInvocationFactory ships it with each call
    String username = "manager";
    String password = "manager";

    try {
        Authentication authentication = new UsernamePasswordAuthenticationToken(username, password);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        // invoke the remote method
        client.selectOrder();
    } catch (Exception e) {
        System.out.println("falsche Benutzerangaben, es kann nicht auf das System zugegriffen werden");
    }
    // ---------------------------------------------------------------------
    So, have a nice and secure day B-)
    Joe
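    The reason behind mistake 1 in the post above: BeanNameAutoProxyCreator wraps a bean that implements interfaces in a JDK dynamic proxy, and the Method object the interceptor sees for a call through that proxy is declared on the interface, not on the implementation class. A pattern keyed on the implementation class therefore never matches, the call has no configuration attributes, and an interceptor left at the default rejectPublicInvocations=false lets it through silently, which is exactly the "without even slowing down" behaviour in post #1. The following stand-alone program is an added example, not code from the thread or from Acegi: the ControllerService interface and ControllerServiceImpl class are constructed stand-ins in the default package (so the patterns carry no package prefix), and the definition lookup is a deliberately tiny stand-in for the objectDefinitionSource contract, not Acegi's MethodDefinitionMap.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Constructed stand-ins for the poster's service interface and implementation
// (the real ones live in ch.hslu.appe.fs1001.service).
interface ControllerService {
    List<String> getOrdersByClient(int clientId);
}

class ControllerServiceImpl implements ControllerService {
    public List<String> getOrdersByClient(int clientId) {
        return Arrays.asList("order-" + clientId);
    }
}

public class ProxyLookupDemo {

    // Minimal stand-in for the "FQCN.method=ROLE_A,ROLE_B" lines of an
    // objectDefinitionSource: "Class.*" matches every method declared on Class.
    static Map<String, String> parseDefinitions(String text) {
        Map<String, String> defs = new LinkedHashMap<String, String>();
        for (String line : text.split("\n")) {
            line = line.trim();
            if (line.length() == 0) continue;
            String[] kv = line.split("=", 2);
            defs.put(kv[0].trim(), kv[1].trim());
        }
        return defs;
    }

    // Resolve the roles for the Method object the proxy actually hands us.
    // Returns null when nothing matches; an interceptor with the default
    // rejectPublicInvocations=false treats that as "public, let it through".
    static String lookupAttributes(Map<String, String> defs, Method m) {
        String declaring = m.getDeclaringClass().getName();
        for (Map.Entry<String, String> e : defs.entrySet()) {
            String pattern = e.getKey();
            if (pattern.endsWith(".*")) {
                if (declaring.equals(pattern.substring(0, pattern.length() - 2))) {
                    return e.getValue();
                }
            } else if (pattern.equals(declaring + "." + m.getName())) {
                return e.getValue();
            }
        }
        return null;
    }

    // Wrap the target in a JDK dynamic proxy, the proxy type
    // BeanNameAutoProxyCreator produces for a bean that implements interfaces.
    // The handler records what the definition lookup returned for each call.
    static ControllerService secure(final ControllerService target,
                                    final Map<String, String> defs,
                                    final String[] lastLookup) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
                lastLookup[0] = lookupAttributes(defs, method);
                // A real MethodSecurityInterceptor would refuse here when
                // lastLookup[0] is null and rejectPublicInvocations is true.
                return method.invoke(target, args);
            }
        };
        return (ControllerService) Proxy.newProxyInstance(
                ControllerService.class.getClassLoader(),
                new Class<?>[] { ControllerService.class },
                handler);
    }

    public static void main(String[] args) {
        String[] lastLookup = new String[1];

        // Post #1: pattern keyed on the implementation class.
        Map<String, String> byImpl = parseDefinitions(
                "ControllerServiceImpl.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER\n");
        ControllerService p1 = secure(new ControllerServiceImpl(), byImpl, lastLookup);
        p1.getOrdersByClient(7);
        System.out.println("impl-keyed pattern      -> " + lastLookup[0]);

        // Post #2: pattern keyed on the interface.
        Map<String, String> byIface = parseDefinitions(
                "ControllerService.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER\n");
        ControllerService p2 = secure(new ControllerServiceImpl(), byIface, lastLookup);
        p2.getOrdersByClient(7);
        System.out.println("interface-keyed pattern -> " + lastLookup[0]);
    }
}
```

    Running the program shows the first lookup returning null (no attributes, so the call would be treated as public) and the second returning the two roles, because method.getDeclaringClass() on a JDK proxy call is the interface. Two practical checks follow from this: the log lines in post #1 registering private methods such as convertCustomerToCustomerDTO are a sign that the map was built from the implementation class rather than the interface, and setting rejectPublicInvocations to true on the MethodSecurityInterceptor makes such a mismatch fail closed with an exception instead of silently allowing the call.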
