
  • Using MethodSecurityInterceptor inside HttpSessionListener

    Hi all,

    We have MethodSecurityInterceptor working fine elsewhere, but have problems in our HttpSessionListener. When the session expires and before HttpSessionListener is invoked by the container, we are seeing this event in the acegi debug logs:

    Code:
    2005-09-29 08:46:48,477 [net.sf.acegisecurity.ui.session.HttpSessionEventPublisher] - Publishing event: net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade@1dea382]

    Then our HttpSessionListener is invoked. The next line in the acegi logs is:

    Code:
    2005-09-29 08:46:48,498 [net.sf.acegisecurity.intercept.AbstractSecurityInterceptor] - Secure object: invocation: method 'findReservedActivitiesToUser', arguments [10, null]; target is of class [com.siemens.swa.service.ActivityServiceImpl]; ConfigAttributes: [ROLE_NETWORK]

    We have a bean activityService that we want to use inside our HttpSessionListener to do cleanup work. It has the findReservedActivitiesToUser shown in the logs. We also use this bean elsewhere, and there it works as expected. In our HttpSessionListener, however, after the event above, we execute our methods in activityService and get:

    Code:
    Authentication credentials were not found in the SecurityContext

    Our config is:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
    
    <beans>
    
       <!-- ======================== FILTER CHAIN ======================= -->
    
       <!--  if you wish to use channel security, add "channelProcessingFilter," in front
             of "httpSessionContextIntegrationFilter" in the list below -->
       <!-- Only filter URL's with *login* Struts actions:
       httpSessionContextIntegrationFilter allows authentication/authorization info stored in HttpSession
       authenticationProcessingFilter forces authentication against db
       -->
       <bean id="filterChainProxy" class="net.sf.acegisecurity.util.FilterChainProxy">
          <property name="filterInvocationDefinitionSource">
             <value>
              CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                \A/.*login.*do.*\Z=httpSessionContextIntegrationFilter,authenticationProcessingFilter,contextHolderAwareRequestFilter
             </value>
          </property>
        </bean>
    
        <!-- ======================== AUTHENTICATION ======================= -->
    
        <!-- Authenticate via SWA DAO -->
        <bean id="passwordAuthenticationDao"
          class="com.siemens.swa.dao.AcegiDAOImpl">
        <property name="sessionFactory"><ref bean="mySessionFactory"/></property>
        </bean>
    
        <!-- Simple Username/Password authentication -->
        <bean id="authenticationProvider"
          class="net.sf.acegisecurity.providers.dao.PasswordDaoAuthenticationProvider">
          <property name="passwordAuthenticationDao">
            <ref local="passwordAuthenticationDao"/>
          </property>
        </bean>
    
        <!-- Control access/authorization via Acegi class, stored in HTTP Session
        -->
        <bean id="authenticationManager"
          class="net.sf.acegisecurity.providers.ProviderManager">
          <property name="providers">
            <list>
              <ref local="authenticationProvider"/>
            </list>
          </property>
          <property name="sessionController"><ref bean="concurrentSessionController"/></property>
        </bean>
    
        <!-- Prevent same login name being used by multiple users
        -->
        <bean id="concurrentSessionController" class="net.sf.acegisecurity.providers.ConcurrentSessionControllerImpl">
          <property name="maxSessions"><value>1</value></property>
        </bean>
    
         <!-- ======================[ AUTHORIZATION ]======================= -->
         <!-- An access decision voter that reads ROLE_* configuration settings -->
         <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
         <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
           <property name="decisionVoters">
           <list>
             <ref bean="roleVoter" />
           </list>
           </property>
         </bean>
    
         <!-- Control authorization via Roles to appointmentSchedulerService -->
         <bean id="appointmentSchedulerServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.AppointmentSchedulerService.*=ROLE_ACTIVITY
             </value>
           </property>
         </bean>
    
         <!-- Control authorization via Roles to microAreaService -->
         <bean id="microAreaServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.MicroAreaService.find*=ROLE_EVERYONE
                    com.siemens.swa.service.MicroAreaService.*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
         <!-- Control authorization via Roles to profileService -->
         <bean id="profileServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.ProfileService.*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to technDayWorkHoursService -->
         <bean id="technDayWorkHoursServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.TechnDayWorkHoursService.*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to userService -->
         <bean id="userServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.UserService.update*=ROLE_ADMIN
                    com.siemens.swa.service.UserService.create*=ROLE_ADMIN
                    com.siemens.swa.service.UserService.remove*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
              <!-- Control authorization via Roles to questionnarieService -->
         <bean id="questionnarieServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    <!-- com.siemens.swa.service.QuestionnarieService.*=ROLE_EVERYONE -->
             </value>
           </property>
         </bean>
    
    
    
         <!-- Control authorization via Roles to holidayService -->
         <bean id="holidayServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.HolidayService.*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to stationService -->
         <bean id="stationServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.StationService.find*=ROLE_ACTIVITY,ROLE_NETWORK
                    com.siemens.swa.service.StationService.create*=ROLE_ADMIN
                    com.siemens.swa.service.StationService.update*=ROLE_ADMIN
                    com.siemens.swa.service.StationService.removeStation=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to equipmentService -->
         <bean id="equipmentServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.EquipmentService.create*=ROLE_ADMIN
                    com.siemens.swa.service.EquipmentService.update*=ROLE_ADMIN
                    com.siemens.swa.service.EquipmentService.remove*=ROLE_ADMIN
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to activityService -->
         <bean id="activityServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.ActivityService.*=ROLE_ACTIVITY
                    com.siemens.swa.service.ActivityService.find*=ROLE_NETWORK
                    <!--
                    com.siemens.swa.service.ActivityService.findReservedActivitiesToUser*=ROLE_EVERYONE
                    -->
                    com.siemens.swa.service.ActivityService.createManualActivity=ROLE_NETWORK <!-- Action: Register activities for a network element -->
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to preventiveActivityService -->
         <bean id="preventiveActivityServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.PreventiveActivityService.*=ROLE_ACTIVITY
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to techniqueAreaService -->
         <bean id="techniqueAreaServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.TechniqueAreaService.*=ROLE_EVERYONE
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to displacementService -->
         <bean id="displacementServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.DisplacementService.*=ROLE_ACTIVITY
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to netElementService -->
         <bean id="netElementServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.NetElementService.*=ROLE_NETWORK
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to reportService -->
         <bean id="reportServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.ReportService.*=ROLE_REPORT
             </value>
           </property>
         </bean>
    
    
         <!-- Control authorization via Roles to localService -->
         <bean id="localServiceSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
           <property name="objectDefinitionSource">
             <value>
                    com.siemens.swa.service.ReportService.*=ROLE_EVERYONE
             </value>
           </property>
         </bean>
    
    
         <!-- ===================== HTTP REQUEST SECURITY ==================== -->
    
         <!-- Allow SWA application to access Roles and other info via HttpServletRequest
              See MenuTag for an example
          -->
         <bean id="contextHolderAwareRequestFilter" class="net.sf.acegisecurity.wrapper.ContextHolderAwareRequestFilter"/>
    
         <!-- Bean definition forcing login on REGEX filters -->
         <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
         </bean>
    
         <!-- Define login key/value pair capture, pre/post filter tasks, error page, etc -->
         <bean id="authenticationProcessingFilter" class="com.siemens.swa.session.SWAAuthenticationProcessingFilter">
           <property name="authenticationManager"><ref bean="authenticationManager"/></property>
           <property name="authenticationFailureUrl"><value>/loginPage.do?login_error=1</value></property>
           <property name="defaultTargetUrl"><value>/</value></property>
           <property name="filterProcessesUrl"><value>/login.do</value></property>
         </bean>
    
    </beans>

    Please help,
    iksrazal

  • #2
    Using MethodSecurityInterceptor inside HttpSessionListener

    Hi Robert,
    I'm debugging the ConcurrentSessionControllerImpl class and I noticed that the actual session of the principal is removed from the class variables principalsToSessions and sessionsToPrincipals Maps before entering the sessionDestroyed method of HttpSessionListener. Perhaps you cannot have methods inside HttpSessionListener configured with MethodSecurityInterceptor.
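
An added illustration, not code from this thread or from Acegi: a self-contained model of a secured call made from a session listener when the security context is thread-bound and populated per request by a filter, as Acegi's SecurityContextHolder is, and of binding the expiring session's own context around the cleanup call. Every class, method and attribute name here is a hypothetical stand-in, and it assumes the stored context is still readable from the session when the listener runs.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model; none of these types are Acegi's or the poster's.
public class ListenerContextDemo {
    // Stand-in for a thread-bound security context holder.
    static final ThreadLocal<String[]> CONTEXT = new ThreadLocal<>();
    static final String KEY = "SECURITY_CONTEXT"; // hypothetical session attribute name

    // Stand-in for the interceptor check in front of a secured method.
    static String secured(String requiredRole) {
        String[] roles = CONTEXT.get();
        if (roles == null) return "credentials not found";
        for (String r : roles) if (r.equals(requiredRole)) return "granted";
        return "denied";
    }

    // Request path: a filter copies the session's context onto the thread,
    // runs the request, then clears the thread again.
    static String onRequest(Map<String, Object> session) {
        CONTEXT.set((String[]) session.get(KEY));
        try { return secured("ROLE_NETWORK"); } finally { CONTEXT.remove(); }
    }

    // Listener as in the post: called on the container's expiry thread,
    // where no filter has run, so the thread has no context.
    static String listenerUnbound(Map<String, Object> session) {
        return secured("ROLE_NETWORK");
    }

    // Listener that binds the expiring session's own context for the cleanup
    // call only, and always clears it so a pooled thread does not keep the identity.
    static String listenerBound(Map<String, Object> session) {
        Object stored = session.get(KEY);
        if (stored == null) return "no context in session";
        CONTEXT.set((String[]) stored);
        try { return secured("ROLE_NETWORK"); } finally { CONTEXT.remove(); }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> session = new HashMap<>(); // constructed sample session
        session.put(KEY, new String[] {"ROLE_NETWORK"});
        System.out.println("request thread:    " + onRequest(session));
        Thread expiry = new Thread(() -> {
            System.out.println("listener, unbound: " + listenerUnbound(session));
            System.out.println("listener, bound:   " + listenerBound(session));
            System.out.println("after cleanup:     " + secured("ROLE_NETWORK"));
        }, "container-session-expiry");
        expiry.start();
        expiry.join();
    }
}
```

The last line printed shows the thread is back to having no credentials once the cleanup call returns, which is what the `finally` block is for.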
