Announcement Announcement Module
Collapse
No announcement yet.
AccessDecisionManager doesn't react Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • AccessDecisionManager doesn't react

    Goodmorning,

    I'm trying to implement a basic form of S.S ACLs in order to understand it. Itried a basic configuration but the AccessDecisionManager doesn't seem to react.
    these are my configuration files :
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:security="http://www.springframework.org/schema/security"
                 xmlns:util="http://www.springframework.org/schema/util"
                 xmlns:jdbc="http://www.springframework.org/schema/jdbc"             
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="http://www.springframework.org/schema/beans
                                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                           http://www.springframework.org/schema/util
                                           http://www.springframework.org/schema/util/spring-util-3.0.xsd
                                           http://www.springframework.org/schema/jdbc
    									   http://www.springframework.org/schema/jdbc/spring-jdbc-3.0.xsd
                                           http://www.springframework.org/schema/security
                                           http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">
    
        <global-method-security secured-annotations="enabled" access-decision-manager-ref="unanimousBased" />
        
        <security:http >
            <security:intercept-url pattern="/index.htm*" filters="none" />
            <security:intercept-url pattern="/logo*" filters="none" />
            <security:intercept-url pattern="/vermeg.css" filters="none" />
            <security:intercept-url pattern="/login.jsp*" filters="none" />
            <security:intercept-url pattern="/Managing.html" access="ROLE_ADMIN" />
            <security:intercept-url pattern="/Application.html" access="ROLE_USER" />
            <security:intercept-url pattern="/**" access="ROLE_USER" />
            <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
            <security:logout logout-success-url="/index.htm" />	
        </security:http>
        
        
        <beans:bean class="org.springframework.security.access.vote.UnanimousBased" id="unanimousBased">
         	<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:ref bean="roleVoter"/>
    				<beans:ref bean="categoryWriteVoter"/>
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    	<beans:bean class="org.springframework.security.access.vote.RoleVoter" id="roleVoter"/>
        
        <authentication-manager>
            <authentication-provider>
                <user-service>
                    <user name="toto" password="toto" authorities="ROLE_USER, ROLE_ADMIN" />
                    <user name="tata" password="tata" authorities="ROLE_SUPER, ROLE_USER" />
                    <user name="titi" password="titi" authorities="ROLE_USER" />
                </user-service>
            </authentication-provider>
        </authentication-manager>
    
    	<beans:bean class="org.springframework.security.acls.AclEntryVoter" id="categoryWriteVoter">
    		<beans:constructor-arg ref="aclService"/>
    		<beans:constructor-arg value="VOTE_CATEGORY_WRITE"/>
    		<beans:constructor-arg>
    			<beans:array>
    				<util:constant static-field="org.springframework.security.acls.domain.BasePermission.WRITE"/>
    			</beans:array>
    		</beans:constructor-arg>
    	    <beans:property name="processDomainObjectClass" value="com.pack.s.s.data.secure.Contact"/>
    	</beans:bean>
    	
    	<beans:bean class="org.springframework.security.acls.jdbc.JdbcAclService" id="aclService">
    		<beans:constructor-arg ref="dataSource"/>
    		<beans:constructor-arg ref="lookupStrategy"/>
    	</beans:bean>
    	
    	<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource" >
            <beans:property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
            <beans:property name="url" value="jdbc:oracle:thin:@localhost:1521:orcl"/>
            <beans:property name="username" value="a"/>
            <beans:property name="password" value="a"/>      
        </beans:bean>
    
     	<beans:bean class="org.springframework.security.acls.jdbc.BasicLookupStrategy" id="lookupStrategy">
    		<beans:constructor-arg ref="dataSource"/>
    		<beans:constructor-arg ref="ehCacheAclCache"/>
    		<beans:constructor-arg ref="aclAuthzStrategy"/>
    		<beans:constructor-arg ref="aclAuditLogger"/>
    	</beans:bean>
    	
    	<beans:bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" id="ehCacheManagerBean"/>
    	<beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean" id="ehCacheFactoryBean">
    		<beans:property name="cacheManager" ref="ehCacheManagerBean"/>
        </beans:bean>
        
        <beans:bean class="org.springframework.security.acls.domain.EhCacheBasedAclCache" id="ehCacheAclCache">
    		<beans:constructor-arg ref="ehCacheFactoryBean"/>
    	</beans:bean>
    
         
        <beans:bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl" id="aclAuthzStrategy">
    		<beans:constructor-arg>
    			<beans:array>
    				<beans:ref local="aclAdminAuthority"/>
    				<beans:ref local="aclAdminAuthority"/>
    				<beans:ref local="aclAdminAuthority"/>
    			</beans:array>
    		</beans:constructor-arg>
    	</beans:bean>
        
        <beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" id="aclAuditLogger"/>
    	
    	<beans:bean class="org.springframework.security.core.authority.GrantedAuthorityImpl" id="aclAdminAuthority">
    		<beans:constructor-arg value="ROLE_ADMIN"/>
    	</beans:bean>
    	
     </beans:beans>
    this is the method I'm trying to control
    Code:
    	 @Secured({"ROLE_ADMIN","VOTE_CATEGORY_WRITE"})
    	 public  void add(String param1, String param2)
    	 {
    		 
    		 Contact c = new Contact();
    		 c.setName(param1);
    		 c.setEmail(param2);
    		 System.out.println("****************************I'm here****************** "+c.getName());
    	
    	 }
    and this is my population in the database:
    Code:
    insert into acl_class (class) values ('com.pack.s.s.data.secure.Contact');
    
    insert into acl_sid (principal, sid) values (0, 'ROLE_USER');
    insert into acl_sid (principal, sid) values (0, 'ROLE_ADMIN');
    
    insert into acl_object_identity (object_id_class,object_id_identity,parent_object,owner_sid,entries_inheriting)
    select cl.id, 1, null, sid.id, 0
    from acl_class cl, acl_sid sid
    where cl.class='com.pack.s.s.data.secure.Contact' and sid.sid='ROLE_ADMIN';
    
    insert into acl_entry (acl_object_identity, ace_order, sid, mask,granting, audit_success, audit_failure)
    select oi.id, 1, si.id, 1, 1, 1, 1
    from acl_object_identity oi, acl_sid si
    where si.sid = 'ROLE_ADMIN';
    and finally this is what I got always when I try to exécute the method with any user
    Code:
    08:56:14,894 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Secure object: FilterInvocation: URL: /ServletAddUser?LoginUserA=ee&passwordUser=ee; Attributes: [ROLE_USER]
    08:56:14,894 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Previously Authenticated: org.springframew[email protected]bbe17d3c: Principal: [email protected]: Username: titi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: B2B7528D51A6E76314F24B434E99404A; Granted Authorities: ROLE_USER
    08:56:14,894 INFO  [STDOUT] [DEBUG,AffirmativeBased,http-localhost%2F127.0.0.1-8080-2] Voter: [email protected], returned: 1
    08:56:14,894 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Authorization successful
    08:56:14,894 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] RunAsManager did not change Authentication object
    08:56:14,894 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=ee&passwordUser=ee reached end of additional filter chain; proceeding with original chain
    08:56:14,894 INFO  [STDOUT] ****************************I'm here****************** ee
    08:56:14,894 INFO  [STDOUT] I Added the useree
    it uses an affirmative based acces controller even when I put a unanimous one.
    Please any help.
    Best Regards

  • #2
    The log message you've posted is for web authorization, whereas you are setting the AccessDecisionManager for the global method security interceptor.

    Comment


    • #3
      I don't understand me nether why it do not consider the access devision Manager while I did configure it un the global method security!!
      this is the hole log message:

      Code:
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /vermeg.css; matched=false
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] Converted URL to lowercase, from: '/servletadduser'; to: '/servletadduser'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /login.jsp*; matched=false
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] Converted URL to lowercase, from: '/servletadduser'; to: '/servletadduser'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /**; matched=true
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 1 of 9 in additional filter chain; firing Filter: 'org.spring[email protected]3cb1e1'
      11:26:02,283 INFO  [STDOUT] [DEBUG,HttpSessionSecurityContextRepository,http-localhost%2F127.0.0.1-8080-2] Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]80df6e: Authentication: org.springframew[email protected]7b80df6e: Principal: [email protected]: Username: tata; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPER,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: B2B7528D51A6E76314F24B434E99404A; Granted Authorities: ROLE_SUPER, ROLE_USER'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 2 of 9 in additional filter chain; firing Filter: 'org.[email protected]1166179'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.s[email protected]595bcd'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 4 of 9 in additional filter chain; firing Filter: 'org.sp[email protected]99f610'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.[email protected]1e9b48b'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 6 of 9 in additional filter chain; firing Filter: 'org.springfram[email protected]17e7f88'
      11:26:02,283 INFO  [STDOUT] [DEBUG,AnonymousAuthenticationFilter,http-localhost%2F127.0.0.1-8080-2] SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframew[email protected]7b80df6e: Principal: [email protected]: Username: tata; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPER,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: B2B7528D51A6E76314F24B434E99404A; Granted Authorities: ROLE_SUPER, ROLE_USER'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 7 of 9 in additional filter chain; firing Filter: 'o[email protected]1e6e48b'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 8 of 9 in additional filter chain; firing Filter: 'org[email protected]1a66ce8'
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= at position 9 of 9 in additional filter chain; firing Filter: 'org.springfr[email protected]1382988'
      11:26:02,283 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,http-localhost%2F127.0.0.1-8080-2] Converted URL to lowercase, from: '/servletadduser'; to: '/servletadduser'
      11:26:02,283 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /managing.html; matched=false
      11:26:02,283 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /application.html; matched=false
      11:26:02,283 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,http-localhost%2F127.0.0.1-8080-2] Candidate is: '/servletadduser'; pattern is /**; matched=true
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Secure object: FilterInvocation: URL: /ServletAddUser?LoginUserA=&passwordUser=; Attributes: [ROLE_USER]
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Previously Authenticated: org.springframew[email protected]7b80df6e: Principal: [email protected]: Username: tata; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_SUPER,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin[email protected]fffc7f0c: RemoteIpAddress: 127.0.0.1; SessionId: B2B7528D51A6E76314F24B434E99404A; Granted Authorities: ROLE_SUPER, ROLE_USER
      11:26:02,283 INFO  [STDOUT] [DEBUG,AffirmativeBased,http-localhost%2F127.0.0.1-8080-2] Voter: [email protected], returned: 1
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] Authorization successful
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterSecurityInterceptor,http-localhost%2F127.0.0.1-8080-2] RunAsManager did not change Authentication object
      11:26:02,283 INFO  [STDOUT] [DEBUG,FilterChainProxy,http-localhost%2F127.0.0.1-8080-2] /ServletAddUser?LoginUserA=&passwordUser= reached end of additional filter chain; proceeding with original chain
      11:26:02,314 INFO  [STDOUT] ****************************I'm here****************** 
      11:26:02,314 INFO  [STDOUT] I Added the user
      11:26:02,361 INFO  [STDOUT] [DEBUG,ExceptionTranslationFilter,http-localhost%2F127.0.0.1-8080-2] Chain processed normally
      11:26:02,361 INFO  [STDOUT] [DEBUG,SecurityContextPersistenceFilter,http-localhost%2F127.0.0.1-8080-2] SecurityContextHolder now cleared, as request processing completed

      Comment


      • #4
        It doesn't look like your "add" method is being intercepted at all, so it's most likely a case of it not being visible from the application context with the global-method-security definition.
        Where is the bean defined which implements the method?

        Either that or it's a typical AOP proxying issue. Where is the method being called from and what does the class look like which implements it? Is the method part of an interface?

        Comment


        • #5
          Sorry but it's a simple example to show how can I use it after that in my project. so I didn't enrich the example.
          I just have a conact class et and the ContoleContact have a one method wich is the add method. I didn't define a bean that implements the method (should I do it? and how)

          the method is not a part of an interface it's just a class that supposed to controle an entity (MVC Model). and then this controller is used by a Servlet.

          Thanks a lot for helping me

          Comment


          • #6
            Hi,
            I tried to change my configuration file so I adedd an Object Security Manager
            this way
            Code:
             	<bean id="objectManagerSecurity" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor" autowire="byType">        
                    <property name="accessDecisionManager" ref="businessAccessDecisionManager"/>
                    <property name="authenticationManager" ref="authenticationManager"/>
                </bean>
              
            	 <bean id="controller" class="com.pack.s.s.data.services.ControlContact"/>
            	 <bean id="Service" class="org.springframework.aop.framework.ProxyFactoryBean">
                    <qualifier value="Service"/>
                    <property name="interceptorNames">
                        <list>
                            <idref local="controller"/>
                        </list>
                    </property>
                </bean>
            In the logs I noticed that he did lunch the methodSecurityInterceptor something that didn't do with the last config?
            Code:
            10:46:07,397 INFO  [STDOUT] [INFO,MethodSecurityInterceptor,RMI TCP Connection(6)-127.0.0.1] Validated configuration attributes
            10:46:07,678 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,RMI TCP Connection(6)-127.0.0.1] Added URL pattern: /Managing.html; attributes: [ROLE_ADMIN]
            10:46:07,678 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,RMI TCP Connection(6)-127.0.0.1] Added URL pattern: /Application.html; attributes: [ROLE_USER]
            10:46:07,694 INFO  [STDOUT] [DEBUG,DefaultFilterInvocationSecurityMetadataSource,RMI TCP Connection(6)-127.0.0.1] Added URL pattern: /**; attributes: [ROLE_USER]
            10:46:07,694 INFO  [STDOUT] [INFO,FilterSecurityInterceptor,RMI TCP Connection(6)-127.0.0.1] Validated configuration attributes
            10:46:08,069 INFO  [STDOUT] [INFO,MethodSecurityInterceptor,RMI TCP Connection(6)-127.0.0.1] Validated configuration attributes
            10:46:08,069 INFO  [STDOUT] [DEBUG,DelegatingMethodSecurityMetadataSource,RMI TCP Connection(6)-127.0.0.1] Adding security method [CacheKey[com.pack.s.s.data.services.ControlContact; public void com.pack.s.s.data.services.ControlContact.add(java.lang.String,java.lang.String)]] with attributes [ROLE_ADMIN, ACL_OBJECT_READ]
            but it still don't react when I use the method it still uses the default FilterSecurityInterceptor.

            Please any help
            Best Regards

            Comment


            • #7
              You still haven't explained where the bean is declared, which is most likely what's causing the issue. Please read this FAQ.

              Comment


              • #8
                the bean is declared in a acl-context.xml file
                and the global method is declared in context.xml file.
                I readed that FAQ issue and I tried to create a file where I 've defined my bean and the global method ans still don't want to react when I call that method

                Best Regards

                Comment


                • #9
                  Any help please

                  Best Regards
                  Afef

                  Comment

                  Working...
                  X