Announcement Announcement Module
Collapse
No announcement yet.
Run-As configuration Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Run-As configuration

    Hi Folks!

    I'm migrating from 2.0.5 to 3.0.2.

    Encouraged by the documentation, I'm trying to switch my old beans-style configuration to the new namespace-approach.

    But I'm not able, to get the run-as part of the configuration back to work.
    I always get this error:
    Code:
    Error creating bean with name 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0': Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: Unsupported configuration attributes: [RUN_AS_SMALLADS]
    Here is my new namespace-configuration:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="
            http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    
      <global-method-security run-as-manager-ref="runAsManager"/>
    
      <http use-expressions="false">
        <intercept-url pattern="/kleinanzeigen/**/merken/*.html" access="ROLE_USER,RUN_AS_SMALLADS" requires-channel="https"/>
        <form-login />
        <logout />
        <remember-me key="XX"/>
      </http>
    
      <beans:bean id="runAsManager" class="org.springframework.security.access.intercept.RunAsManagerImpl">
        <beans:property name="key" value="XX"/>
      </beans:bean>
      <beans:bean id="runAsAuthenticationProvider" class="org.springframework.security.access.intercept.RunAsImplAuthenticationProvider">
        <beans:property name="key" value="XX"/>
      </beans:bean>
    
      <authentication-manager alias="authenticationManager">
        <authentication-provider ref="daoAuthenticationProvider"/>
        <authentication-provider ref="runAsAuthenticationProvider"/>
      </authentication-manager>
    
    </beans:beans>
    For clearity, I deleted all intercept-url rules except the one, which is causing the error.

    In the old bean-style configuration the notation:
    Code:
    /kleinanzeigen/**/merken/*.html*=ROLE_ADMIN,ROLE_USER,RUN_AS_SMALLADS
    did the same job.

    I found this thread, with a solution, but they don't have my problem, because they are only using the run-as manager at the method-level.

    The thread also points to the issue-entry SEC-1118, but I'm not sure, if that fix made it into 3.0.2, because I can't find the mentioned "run-as-manager-ref" in the XSD-file for Spring-Security 3.0.x

    I hope, someone can give me a hint on this problem, because I'm working on this problem for two days now and I'm totally lost!

  • #2
    There isn't any RunAs support in the namespace.

    The RunAs functionality isn't used by many people and it's something I'd like to refactor and probably remove from the security interceptor hierarchy to make it more flexible.

    You can always modify the FilterSecurityInterceptor using a BeanPostProcessor and inject your RunAsManager in that. There's a FAQ entry on how to do stuff this kind of thing.

    Comment


    • #3
      Thank you for that quick answer.

      I decided to switch back to bean-style configuration, because in my opinion, it is more convenient to have all configuration in one place, rather than have it scatterd across source-code (the BeanPreProcessor) and configuration.

      I would suggest to add notes in the documentation, that explicitly say, which parts could not be configured using the new namespace configuration approach. That would have saved me a lot of time, trying to convert my old configuration to the new namspace-style and than back to the old bean-style.

      I will post my resulting configuration as an example, because I wasn't able to find an example for the old bean-style configuration in the new documentation. (Or is it somewhere there or in the sample code and just not referenced from the core-documentation?)

      It would have saved me a lot of time, if I had a configuration examle that I could have boiled down to fit my needs

      Comment


      • #4
        Here is my configuration. Not perfect, but it works for me. I patched it up from my old configuration, the small bits in the HTML-documentation and your excellent Blog post: Behind the Spring Security Namespace.

        I didn't check the RememberMe-Feature yet. But the run-as stuff works

        Configuring the channelProccessingFilter by creating the SecurityConfig-instances by hand looks very awkward to me. But I didn't found another way to get it working!


        I would like to see comments and improvements!

        Comment

        Working...
        X