  • @PreAuthorize, ACLs, spEL, and missing debug info

    I am trying to use spring-security 3.0.5 acl features and have it working for post-filtering collections and arrays.
    But I am unable to get it working when selecting a single object because of missing debug symbol information.

    I've read the Peter Mularien book -- Chapter 7, about setting up and using ACLs -- and I know I need to compile the necessary debug info into the classes but can't seem to find out how to get eclipse to do it.

    Here is the annotation on the interface method signature:

    @PreAuthorize("hasAnyRole('ROLE_SUPER_USER','ROLE_SYSTEM_ADMIN') and hasPermission(#id, 'com.xyz.db.domain.impl.XyzConfigImpl', 'read')")
    public XyzConfig get(Long id);

    Here is the warning:
    [110224-19:22:25.155 WARN ] o.s.s.a.e.m.MethodSecurityEvaluationContext - Unable to resolve method parameter names for method: public final com.xyz.db.domain.XyzConfig $Proxy77.get(java.lang.Long). Debug symbol information is required if you are using parameter names in expressions.

    Here is the exception:
    Exception in thread "main" java.lang.IllegalArgumentException: identifier required
    at org.springframework.util.Assert.notNull(Assert.java:112)
    at org.springframework.security.acls.domain.ObjectIdentityImpl.<init>(ObjectIdentityImpl.java:43)
    at org.springframework.security.acls.domain.ObjectIdentityRetrievalStrategyImpl.createObjectIdentity(ObjectIdentityRetrievalStrategyImpl.java:38)
    at org.springframework.security.acls.AclPermissionEvaluator.hasPermission(AclPermissionEvaluator.java:63)
    at org.springframework.security.access.expression.method.MethodSecurityExpressionRoot.hasPermission(MethodSecurityExpressionRoot.java:35)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.expression.spel.support.ReflectiveMethodExecutor.execute(ReflectiveMethodExecutor.java:69)

    I am using eclipse 3.6.1 to compile and run this spring/hibernate based java application (not ant, with a javac -g compiler option).

    Is using parameter names in expressions not possible when compiling with eclipse, instead of an ant build file (using the javac.debug=on option)?
    Could the problem be related to trying to find a param name in a proxy?
    Please help! I am really keen to use this feature.

    Thanks,
    Stan

  • #2
    Window -> Preferences -> Java -> Compiler

    Check the boxes in Classfile Generation


    • #3
      Fixed -- moved annotations from interface to class

      Thanks... I had already set those compiler settings, but that did not fix the problem.

      What did fix it was moving the annotation...

      @PreAuthorize("hasAnyRole('ROLE_SUPER_USER','ROLE_SYSTEM_ADMIN') and hasPermission(#id, 'com.xyz.db.domain.impl.XyzConfigImpl', 'read')")
      public XyzConfig get(Long id);

      ...from the interface to the class. I would prefer to put the method security annotation on the interfaces, but no big deal. I can move them back when this problem is fixed in a future release.

      Note: it is only the presence of the expression's method parameter which prevents me from annotating the interface.
      Last edited by exitstan; Feb 25th, 2011, 09:21 AM. Reason: Problem solved


      • #4
        That is interesting, I'll have to dig into the code later to see if the SpEL bits that pick up the method params don't work with interfaces. Do you know if you are using CGLIB or AspectJ proxying? (Do you have any aop: declarations in your config files?)


        • #5
          I am using AspectJ proxying.

          The CGLIB jar is not on the classpath.

          My parent spring config file contains:

          <aop:aspectj-autoproxy proxy-target-class="false"/>

          ( proxy-target-class="false" is the default... I was experimenting with proxy-target-class="true" )


          • #6
            Originally posted by pmularien
            That is interesting, I'll have to dig into the code later to see if the SpEL bits that pick up the method params don't work with interfaces. Do you know if you are using CGLIB or AspectJ proxying? (Do you have any aop: declarations in your config files?)
            I have the same issue as well. Upon digging into the code, I found that in method LocalVariableTableParameterNameDiscoverer.inspectClass(Class<?> clazz), it reads on the implementation class file only.

            Thus it can't resolve the argument variable name specified in the hasPermission().
            Last edited by winarto; May 10th, 2012, 02:16 AM.
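
The behaviour reported in #6, together with the warning and the "identifier required" exception from the first post, can be reproduced outside Spring Security with the sketch below. It is an added example, not code from the thread or from Spring Security: `ConfigService` and `ConfigServiceImpl` are hypothetical names, and it assumes spring-core and spring-expression 5.x on the classpath and compilation with `javac -g`.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import org.springframework.core.LocalVariableTableParameterNameDiscoverer;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added illustration. ConfigService and ConfigServiceImpl are hypothetical names.
// Compile with local-variable debug info (javac -g), otherwise no case resolves.
public class ParamNameDemo {

    interface ConfigService { String get(Long id); }

    static class ConfigServiceImpl implements ConfigService {
        public String get(Long id) { return "config-" + id; }
    }

    // Simplified stand-in for the binding step: discover the parameter names,
    // expose the argument under its name, then evaluate "#id" with SpEL.
    static Object resolveId(Method method, Object arg) {
        String[] names = new LocalVariableTableParameterNameDiscoverer().getParameterNames(method);
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        if (names != null) {
            ctx.setVariable(names[0], arg);
        }
        Object value = new SpelExpressionParser().parseExpression("#id").getValue(ctx);
        System.out.println(method.getDeclaringClass().getSimpleName()
                + ": names=" + Arrays.toString(names) + ", #id=" + value);
        return value;
    }

    public static void main(String[] args) throws Exception {
        // JDK dynamic proxy: its class has no .class file for the discoverer to read.
        Object proxy = Proxy.newProxyInstance(ConfigService.class.getClassLoader(),
                new Class<?>[] { ConfigService.class }, (p, m, a) -> null);

        // Abstract interface method: no method body, so no LocalVariableTable.
        resolveId(ConfigService.class.getMethod("get", Long.class), 42L);
        resolveId(proxy.getClass().getMethod("get", Long.class), 42L);
        // Concrete method: the name "id" is found and #id is bound to the argument.
        resolveId(ConfigServiceImpl.class.getMethod("get", Long.class), 42L);
    }
}
```

When no names are discovered, `#id` is an undefined SpEL variable and evaluates to null, which is the identifier `ObjectIdentityImpl` rejects in the stack trace above.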


            • #7
              I am able to secure my services by placing on the interfaces, so I am guessing you are doing something differently. Can you provide a sample project that reproduces the issue? Ideally the project would be one that is as simple as possible to reproduce the problem, built with gradle, or maven. If you need a place to place the project you could put it on github or even attach to the forum as a zip file.


              • #8
                Hi Rob,

                I think it's a little bit difficult for me to attach my project here or in github (due to company's network policy). But here is what I did:
                1. Create a project using Roo
                2. Create entities and fields
                3. Create Services for entities
                4. Create controller scaffolding of the entities
                5. Apply the web security using the "security setup" command and amend the URL to be secured
                6. Push ITD's of methods from *_Roo_Service.aj to .java
                7. Apply the following
                @PreAuthorize("hasPermission(#reminder, 'ADMINISTRATION')")
                public abstract Reminder updateReminder(Reminder reminder);
                It is also compiled using aspectj compiler (just in case you think it has any effect).

                Any pointer is appreciated.


                • #9
                  Can you put together a dummy project that replicates the issue?


                  • #10
                    Originally posted by rwinch
                    Can you put together a dummy project that replicates the issue?
                    Will do. Once I've gotten the dummy project, I'll put it here.


                    • #11
                      Hi,
                      I am also facing the same issue and moving the annotation to the impl works for me as well. But, I don't want to do that.
                      Any pointers on how I could get this working in the interface layer?

                      Thanks.

                      Originally posted by exitstan
                      Thanks... I had already set those compiler settings, but that did not fix the problem.

                      What did fix it was moving the annotation...

                      @PreAuthorize("hasAnyRole('ROLE_SUPER_USER','ROLE_SYSTEM_ADMIN') and hasPermission(#id, 'com.xyz.db.domain.impl.XyzConfigImpl', 'read')")
                      public XyzConfig get(Long id);

                      ...from the interface to the class. I would prefer to put the method security annotation on the interfaces, but no big deal. I can move them back when this problem is fixed in a future release.

                      Note: it is only the presence of the expression's method parameter which prevents me from annotating the interface.


                      • #12
                        Again I was unable to reproduce the issue, so I will need some more guidance on how to reproduce it. If you can come up with a dummy project that reproduces your issue that would be ideal.


                        • #13
                          Hi Rob,
                          Thanks for your response.
                          I will try and put a sample app today.
                          In case it helps, these are the steps.
                          0. I am deploying my app on virgo (3.0.3.RELEASE)
                          1. I have a core bundle which exposes a service and has @PreAuth annotations on the interface
                          2. A web bundle which uses this service.
                          3. After I deploy and try to load the url, I am getting the below exception.
                          [2012-08-24 12:04:29.178] INFO http-bio-8080-exec-3 System.out org.springframework.security.access.AccessDeniedException: Access is denied
                          [2012-08-24 12:04:29.178] INFO http-bio-8080-exec-3 System.out 252881 [http-bio-8080-exec-3] ERROR c.w.HomeController - handleAccessDeniedException####Access is denied
                          (attached stack trace)

                          • #14
                            What I just learnt is: in the OSGi context spring-security is not working.
                            1. When the authorize annotations are on interface, it always throws AccessDenied irrespective of the roles.
                            2. When the annotations are on impl, it's allowing all users despite not having the role.


                            • #15
                              It's working.

                              I used @PreAuthorize annotations in one bundle and defined the global-security-bean in another bundle.
                              After I moved them to the same bundle it started working fine.

                              Hope this helps someone and saves some time.
