  • No security check for inherited methods.

    I use spring-security-3.0.5 and have two classes like

    import org.springframework.security.access.prepost.PreAuthorize;

    class BaseClass {
        public void methodOne() {
        }
        public void methodTwo() {
        }
    }

    // Class-level rule: meant to cover every method callable on CustomeClass
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    class CustomeClass extends BaseClass {
        public void methodThree() {
        }
    }

    When I call CustomeClass.methodThree() and I am not ADMIN I get an AccessDeniedException,
    but when I call the inherited methods nothing happens; I can call them without getting the exception.

    Am I missing a configuration, or is it not possible to do this with Spring Security?

  • #2
    Sorry, I'm having a hard time understanding what you have calling what. Can you post some source of what you are doing, and what you think should be happening?


    • #3
      When I log in with a user that has ROLE_USER and I call
      CustomeClass.methodThree() => AccessDeniedException
      but when I call the inherited methods from the base class,
      CustomeClass.methodOne() or CustomeClass.methodTwo(), there is no security exception.

      What I expect is that if I give the @PreAuthorize("hasRole('ROLE_ADMIN')") annotation on the class level then all methods inside the class including the inherited ones should have the same security restrictions.

      It seems someone else had this problem http://forum.springsource.org/showthread.php?t=78917 but got no answer.


      • #4
        I believe this should work as you describe. The logic in PrePostAnnotationSecurityMetadataSource will work its way back from a method or class with an annotation to find the annotation on the declaring class. Try starting up the application with Spr Sec DEBUG logging enabled and look for log statements like this: "PreAuthorize found on: methodOne".

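Added example (not code from the thread or from Spring Security): a plain-Java model of the lookup post #4 describes, using a constructed @RequiresRole annotation as a stand-in for @PreAuthorize. Because the class-level annotation is resolved on the method's declaring class, methodOne and methodTwo on CustomeClass resolve to BaseClass, which carries no rule; re-declaring the inherited methods in the annotated subclass (SecuredCustomeClass, assumed name) is one way to bring them under the same rule, annotating BaseClass itself or using a pointcut-based rule being the alternatives.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

// Constructed stand-in for Spring Security's @PreAuthorize (for this example only).
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface RequiresRole { String value(); }

class BaseClass {
    public void methodOne() {}
    public void methodTwo() {}
}

// The thread's setup: rule on the subclass, inherited methods declared in BaseClass.
@RequiresRole("ROLE_ADMIN")
class CustomeClass extends BaseClass {
    public void methodThree() {}
}

// Workaround (assumed name): overriding the inherited methods makes this class
// their declaring class, so the class-level rule applies to them too.
@RequiresRole("ROLE_ADMIN")
class SecuredCustomeClass extends BaseClass {
    @Override public void methodOne() { super.methodOne(); }
    @Override public void methodTwo() { super.methodTwo(); }
    public void methodThree() {}
}

public class InheritedMethodCheck {
    // Mirrors the order post #4 describes: annotation on the method first,
    // then on the method's *declaring* class (not the target class).
    static String requiredRole(Class<?> target, String methodName) throws NoSuchMethodException {
        Method m = target.getMethod(methodName);   // getMethod also returns inherited public methods
        RequiresRole rule = m.getAnnotation(RequiresRole.class);
        if (rule == null) {
            rule = m.getDeclaringClass().getAnnotation(RequiresRole.class);
        }
        return rule == null ? "(no rule)" : rule.value();
    }

    public static void main(String[] args) throws Exception {
        Class<?>[] targets = {CustomeClass.class, SecuredCustomeClass.class};
        String[] methods = {"methodOne", "methodTwo", "methodThree"};
        for (Class<?> c : targets)
            for (String name : methods)
                System.out.printf("%s.%s -> %s%n", c.getSimpleName(), name, requiredRole(c, name));
    }
}
```

Running it shows the two inherited methods resolving to no rule on CustomeClass but to ROLE_ADMIN on SecuredCustomeClass, while methodThree gets ROLE_ADMIN on both.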


        • #5
          Hi

          I created a sample project that demonstrates the problem.
          https://github.com/ralscha/spring-security-test

          Start with mvn jetty:run

          Login with user bob and password bobspassword

          With @Secured annotation
          http://localhost:8080/action/callSubMethod --> OK. Access denied
          http://localhost:8080/action/callSuperMethod --> Wrong. Access allowed

          With @PreAuthorize annotation
          http://localhost:8080/action/callSubPreMethod --> OK. Access denied
          http://localhost:8080/action/callSuperPreMethod --> Wrong. Access allowed


          Regards
          Ralph



          • #6
            I turned on the logging for spring security (log4j.logger.org.springframework.security=DEBUG),
            but it did not show too much.


            -- START LOG --
            17:12:06,250 DEBUG DelegatingMethodSecurityMetadataSource:66 - Adding security method [CacheKey[CustomeClass; public ResultClass CustomeClass.methodThree()]] with attributes [ROLE_ADMIN]

            -- CustomeClass.methodThree() CALL LOG --
            16:51:06,750 DEBUG MethodSecurityInterceptor:191 - Secure object: ReflectiveMethodInvocation: public ResultClass CustomeClass.methodThree(); target is of class [CustomeClass]; Attributes: [ROLE_ADMIN]
            16:51:06,796 DEBUG MethodSecurityInterceptor:292 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@46e2d0da: Principal: UserClass@364492: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ - Fullname: Test User; User ID: 1; Authority: ROLE_READ; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 62BC35A8D07E3BCDF056476E73D2B97C; Granted Authorities: ROLE_READ
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1a52fe6, returned: 0
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.RoleVoter@1ebd825, returned: -1
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@bb9f91, returned: 0
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.annotation.Jsr250Voter@1e9029c, returned: -1
            16:51:07,000 ERROR RouterController:211 - Error calling method: methodThree
            org.springframework.security.access.AccessDeniedException: Access is denied

            and there is nothing about CustomeClass.methodOne() or CustomeClass.methodTwo().


            • #7
              I give up on this, let's hope that someone can answer it.