
  • ACL Voters always return false for supports because attribute.getAttribute() is null

    Hi.

    I'm trying to run Spring Security 3.0.5 ACL, but my Voter always refuses to support any decision.

    My XML is:
    Code:
    <security:global-method-security pre-post-annotations="enabled" access-decision-manager-ref="businesAccessDecisionManager">
        <!-- Reference to a custom expression handler with ACL support -->
        <security:expression-handler ref="expressionHandler" />
    </security:global-method-security>
    [...]
    <bean id="businesAccessDecisionManager" class=".....common.acl.CITAffirmativeBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list>
                <ref local="roleVoter"/>
                <ref local="aclObjectReadVoter"/>
                <ref local="aclObjectWriteVoter"/>
                <ref local="aclObjectDeleteVoter"/>
                <ref local="aclObjectAdminVoter"/>
                <ref local="aclObjectTestVoter"/>
            </list>
        </property>
    </bean>

    My secured method is:

    Code:
        @PostFilter("hasPermission(filterObject, 'read')")
        @PreAuthorize("hasRole('ROLE_USER')")
        public Collection<Shortcode> getAllShortcodes() {
    
            return shortcodeDAO.getAllShortcodes();
        }

    I extended the default AclEntryVoter and took a look into supports().
    The code is:

    Code:
            if ((attribute.getAttribute() != null)
                && attribute.getAttribute().equals(getProcessConfigAttribute())) {
                return true;
            } else {
                return false;
            }
    But attribute.getAttribute() always returns null, so no decision is made.

    The attribute itself is:
    Code:
    attribute: [authorize: 'hasRole('ROLE_USER')', filter: 'null', filterTarget: 'null']
    or
    Code:
    attribute: [authorize: 'null', filter: 'hasPermission(filterObject, 'read')']
    which looks good I think.

    But the class of the attribute object is org.springframework.security.access.expression.method.PreInvocationExpressionAttribute
    or
    org.springframework.security.access.expression.method.PostInvocationExpressionAttribute

    They extend AbstractExpressionBasedMethodConfigAttribute
    where I found
    Code:
        public String getAttribute() {
            return null;
        }

    So what to do to get this thing running?

    Thanks for any help,

    bye Horst
    Last edited by Horst Krause; Apr 4th, 2011, 06:54 AM.

  • #2
    For @PreAuthorize and @PreFilter, use PreInvocationAuthorizationAdviceVoter instead.

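The wiring that reply #2 points to, as an added example that is not part of the original thread. The bean ids `preInvocationVoter` and `methodAccessDecisionManager` are hypothetical, the stock `AffirmativeBased` stands in for the poster's custom decision manager, and `expressionHandler` is assumed to be the poster's existing ACL-aware handler bean.

```xml
<!-- Added example for Spring Security 3.0.x; bean ids other than
     expressionHandler are assumptions, not taken from the thread. -->

<!-- This voter supports PreInvocationAttribute instances, i.e. the attributes
     produced by @PreAuthorize/@PreFilter. It does not compare
     attribute.getAttribute() strings, so the null return value is irrelevant. -->
<bean id="preInvocationVoter"
      class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
    <constructor-arg>
        <bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
            <!-- Same handler that evaluates hasPermission(...) against the ACLs -->
            <property name="expressionHandler" ref="expressionHandler"/>
        </bean>
    </constructor-arg>
</bean>

<!-- Stock decision manager used here in place of the poster's custom class.
     allowIfAllAbstainDecisions=false keeps the fail-closed behaviour: if no
     voter supports the attribute, access is denied rather than granted. -->
<bean id="methodAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
        <list>
            <ref local="preInvocationVoter"/>
        </list>
    </property>
</bean>

<!-- @PostFilter/@PostAuthorize are evaluated after the method returns, not by
     the decision voters above, so they need no voter entry in this list. -->
<security:global-method-security pre-post-annotations="enabled"
        access-decision-manager-ref="methodAccessDecisionManager">
    <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
```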