  • @Endpoint & @PayloadRoot in conjunction with global-method-security @Secured

    G'day!

    I have successfully built up a Spring-WS project using:
    * JAXB2 OXMs and a GenericMarshallingMethodEndpointAdapter for marshalling/unmarshalling,
    * Saaj soap message factory,
    * a PayloadRootAnnotationMethodEndpointMapping,
    * Interfaces and implementations for our endpoints (@Endpoint) with @PayloadRoot marking endpoint methods as handlers for incoming messages, and
    * Spring Security for container-based authentication (utilising a PreAuthenticatedAuthenticationProvider and authentication-manager) - and coarse-grained authorisation (i.e. can the user access the context URI, or not...).

    This all works beautifully. If only that was the end of it!

    I'm also looking to utilise global-method-security to authorise execution of endpoint methods, and if not authorised, throw the appropriate exceptions up back through the stack to be translated into soap faults.

    My question is: is it possible to use @PayloadRoot in conjunction with @Secured? Has this been tested?

    It seems that any time I try to do this (ie add @Secured to an Endpoint method), I get:
    java.lang.IllegalArgumentException: au.com.company.application.ws.endpoint.impl.profile.user.UserProfileEndpoint@1747de0
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.springframework.ws.server.endpoint.MethodEndpoint.invoke(MethodEndpoint.java:115)
    at org.springframework.ws.server.endpoint.adapter.MarshallingMethodEndpointAdapter.invokeInternal(MarshallingMethodEndpointAdapter.java:135)
    at org.springframework.ws.server.endpoint.adapter.AbstractMethodEndpointAdapter.invoke(AbstractMethodEndpointAdapter.java:58)
    at org.springframework.ws.server.MessageDispatcher.dispatch(MessageDispatcher.java:221)
    at org.springframework.ws.server.MessageDispatcher.receive(MessageDispatcher.java:168)
    at org.springframework.ws.transport.support.WebServiceMessageReceiverObjectSupport.handleConnection(WebServiceMessageReceiverObjectSupport.java:88)
    at org.springframework.ws.transport.http.WebServiceMessageReceiverHandlerAdapter.handle(WebServiceMessageReceiverHandlerAdapter.java:57)
    at org.springframework.ws.transport.http.MessageDispatcherServlet.doService(MessageDispatcherServlet.java:230)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:511)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
    at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.preauth.AbstractPreAuthenticatedProcessingFilter.doFilterHttp(AbstractPreAuthenticatedProcessingFilter.java:69)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)

    I've noticed that providing a pointcut (and removing all @Secured annotations) incurs the same IllegalArgumentException problem:

    Code:
    <sec:global-method-security secured-annotations="enabled" >
            <!-- Add all cross-cutting security constraints here -->
            <sec:protect-pointcut expression="execution(* au.com.mycompany.application.ws.endpoint.impl.profile.user.UserProfileEndpoint.get*(..))" access="ROLE_APP_FN_READ"/>
    </sec:global-method-security>
    I've also noticed that when the bean factory for my XmlWebApplicationContext initialises, a number of beans are not eligible for getting processed by all BeanPostProcessors. Is this important (I think it may be), and how can I fix this?
    Code:
    78333 [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO  org.springframework.web.context.support.XmlWebApplicationContext  - Bean factory for application context [[email protected]2c8072b]: org.springframework.beans.factory.support.DefaultListableBeanFactory@1648af6
    88755 [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO  org.springframework.web.context.support.XmlWebApplicationContext  - Bean '(inner bean)' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    89105 [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO  org.springframework.web.context.support.XmlWebApplicationContext  - Bean '_delegatingMethodDefinitionSource' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    90209 [[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO  org.springframework.web.context.support.XmlWebApplicationContext  - Bean '_methodDefinitionSourceAdvisor' is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
    Anyone have any ideas or suggestions?

    Cheers,
    Shaun

    Deployment specs:
    AppServer: Weblogic (also tried on JBoss)
    JDK: JRockit and SUN JDK 1.5
    Spring Security 2.0.4
    Spring-WS 1.5.7
    Spring-OXM 1.5.7
    AspectJ 1.6.5
    Xerces Impl 2.9.1
    JAXB-Api 2.0
    wsdl4j 1.6.2

  • #2
    Hi again,

    I've tried every combination in the book, but could not get this going.

    Webservices work fine, but as soon as I apply @Secured or even global-method-security pointcuts against them: IllegalArgumentException. I think there may be some out of the box autoproxying problems that stop this from working properly.

    Looks like I'm going to need to apply authorisation constraints at the business layer (instead of at the payloadroot/ws endpoint).

    If anyone has any suggestions, I'd be very excited to hear from you.

    Cheers,
    Shaun

    Comment


    • #3
      I've encountered a similar issue. Just asked for improvement on this Spring-WS JIRA issue.

      Comment


      • #4
        Thanks for raising this JIRA improvement, Stevo.

        Great to hear I'm not the only one facing this problem.

        Cheers,
        Shaun

        Comment
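
Added example (not part of the thread, and not Spring-WS or Spring Security code): assuming the IllegalArgumentException in post #1 arises because the secured endpoint bean was replaced by an interface-based JDK dynamic proxy while the handler `Method` was resolved from the implementation class, this plain-JDK program reproduces that mismatch at `Method.invoke`. The `ProfileEndpoint` types and the `secure` helper are hypothetical; only the role name `ROLE_APP_FN_READ` comes from the post.

```java
import java.lang.reflect.*;
import java.util.Set;

public class ProxyInvokeDemo {
    // Hypothetical endpoint contract and implementation (illustrative names).
    interface ProfileEndpoint { String getProfile(String user); }

    static class ProfileEndpointImpl implements ProfileEndpoint {
        public String getProfile(String user) { return "profile:" + user; }
    }

    // Stand-in for a method-security interceptor: role check, then delegate.
    static ProfileEndpoint secure(ProfileEndpoint target, Set<String> roles) {
        InvocationHandler h = (proxy, method, args) -> {
            if (!roles.contains("ROLE_APP_FN_READ")) {
                throw new SecurityException("access denied: " + method.getName());
            }
            return method.invoke(target, args);
        };
        return (ProfileEndpoint) Proxy.newProxyInstance(
                ProfileEndpoint.class.getClassLoader(),
                new Class<?>[] { ProfileEndpoint.class }, h);
    }

    public static void main(String[] args) throws Exception {
        ProfileEndpoint bean = secure(new ProfileEndpointImpl(), Set.of("ROLE_APP_FN_READ"));

        // Method taken from the implementation class, invoked on the proxy:
        // the proxy is not a ProfileEndpointImpl, so reflection rejects it.
        Method implMethod = ProfileEndpointImpl.class.getMethod("getProfile", String.class);
        try {
            implMethod.invoke(bean, "alice");
        } catch (IllegalArgumentException e) {
            System.out.println("impl method on proxy: " + e);
        }

        // Method taken from the interface: the call reaches the role check.
        Method ifaceMethod = ProfileEndpoint.class.getMethod("getProfile", String.class);
        System.out.println("interface method on proxy: " + ifaceMethod.invoke(bean, "alice"));

        // Same call for a caller without the role: the check denies it.
        try {
            ifaceMethod.invoke(secure(new ProfileEndpointImpl(), Set.of()), "alice");
        } catch (InvocationTargetException e) {
            System.out.println("caller without role: " + e.getCause());
        }
    }
}
```

If that assumption holds, the authorisation check only runs when the dispatcher invokes a method the proxy actually exposes, which is consistent with post #2's fallback of enforcing the constraint on the business-layer bean instead.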
