Try reading the section in method security in the namespace section in the reference. Also the tutorial application is set up to use Secured annotations with the new namespace syntax, so it shouldn't be so hard to work out with both these available.
Printable View
Try reading the section in method security in the namespace section in the reference. Also the tutorial application is set up to use Secured annotations with the new namespace syntax, so it shouldn't be so hard to work out with both these available.
Having the same issue when upgrading from the 1.x series. I will looking more closely at using the new syntax. However the reference documentation is still showing the old way:
http://static.springframework.org/sp...ect-impls.html
There's a section on method security using namespaces here:
http://static.springframework.org/sp...ethod-security
In my existing code (1.x) I have a custom implementation of the MethodDefinitionAttributes class which I have injected a Java5 SecurityAnnotationAttributes object. In other words I have a custom objectDefinitionSource in the MethodSecurityInterceptor - very similar to the example in the docs (which is not applicable since the SecurityAnnotationsAttributes class no longer exists..):
<bean id="objectDefinitionSource"
class="org.springframework.security.intercept.meth od.MethodDefinitionAttributes">
<property name="attributes"><ref local="attributes"/></property>
</bean>
<bean id="bankManagerSecurity"
class="org.springframework.security.intercept.meth od.aopalliance.MethodSecurityInterceptor">
<property name="validateConfigAttributes"><value>false</value></property>
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
<property name="runAsManager"><ref bean="runAsManager"/></property>
<property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
</bean>
I am not sure how I can create the MethodDefinitionAttributes class? Do I just do it without injecting an object into the attributes property of this class? And add <global-method-security secured-annotations="enabled" /> to the context file?
I took tutorial application from SVN and add another controller has ShowAccount
and one method called myAccount as:
@Controller(value = "showAccount")
@RequestMapping("/showAccount.html")
public class ShowAccount {
@RequestMapping(params = "action=myAccount")
@Secured( "ROLE_TELLER" )
public String generate( ModelMap model){
Object obj = SecurityContextHolder.getContext().getAuthenticati on().getPrincipal();
String username = "";
if (obj instanceof UserDetails) {
username = ((UserDetails)obj).getUsername();
} else {
username = obj.toString();
}
model.put("username", username);
return "myAccount";
}
}
But we can go to showAccount.html url without login in!
While this is working fine with Acegi-Security 1.x.
I attached tutorial.zip without WEB-INF/lib, (make sure you put Spring 2.5 libs).
I guess that's because the controller is part of the web application context whose beans aren't visible in the main application context (where you presumbaly have the method security set up).
Do you think the <context:component-scan base-package="bigbank.web" /> is not registering our controller into application context?Quote:
Originally Posted by Luke
The provided tutorial.zip was enhancing Spring Security's Tutorial example by adding one annotation based controller!
The web/MVC beans aren't accessible from the main context. It doesn't matter whether you are using component-scan or configuring all the controllers and mappings explicitly in <yourapp>-servlet.xml, these beans are not visible from the context you define using the ContextLoaderListener in your web.xml file.
Thanks, I did that....my config file looks now like thatQuote:
Originally Posted by Luke
My Voter (NDBJSVoter) is never called. Anybody knows why?Code:<?xml version="1.0" encoding="UTF-8"?>
<b:beans xmlns="http://www.springframework.org/schema/security"
xmlns:b="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<http auto-config='true' >
<remember-me user-service-ref='userDetailsService' />
</http>
<!-- Acegi User Load DAO -->
<b:bean id="userDetailsService" class="security.acegi.hibernate.ExtranetUserDAOHibernate" parent="BaseDAOHibernate">
<b:property name="informationManager" ref="informationManager"/>
<b:property name="personManager" ref="personManager"/>
<b:property name="benutzerManager" ref="benutzerManager"/>
<b:property name="secyManager" ref="secyManager"/>
<b:property name="useramtManager" ref="useramtManager"/>
</b:bean>
<b:bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
<custom-filter position="SESSION_CONTEXT_INTEGRATION_FILTER"/>
</b:bean>
<b:bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
<custom-filter position="EXCEPTION_TRANSLATION_FILTER"/>
<b:property name="authenticationEntryPoint">
<b:bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<b:property name="loginFormUrl" value="/index.jsp"/>
<b:property name="forceHttps" value="false"/>
</b:bean>
</b:property>
<b:property name="accessDeniedHandler">
<b:bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
<b:property name="errorPage" value="/error.jsp"/>
</b:bean>
</b:property>
</b:bean>
<b:bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<custom-filter position="ANONYMOUS_FILTER"/>
<b:property name="key" value="changeThis"/>
<b:property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</b:bean>
<b:bean id="containerAuthenticationFilter" class="najsre7.webapp.filter.ContainerAuthenticationFilter">
<custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
<b:property name="authenticationManager" ref="authenticationManager"/>
</b:bean>
<b:bean id="organisationValidationFilter" class="najsre7.webapp.filter.OrganisationValidationFilter">
<custom-filter after="AUTHENTICATION_PROCESSING_FILTER"/>
<b:property name="informationManager" ref="informationManager"/>
</b:bean>
<!-- Access Descision manager -->
<global-method-security access-decision-manager-ref="unanimousBasedAccessDecisionManager" />
<b:bean id="unanimousBasedAccessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
<b:property name="allowIfAllAbstainDecisions" value="false"/>
<b:property name="decisionVoters">
<b:list>
<b:bean class="org.springframework.security.vote.RoleVoter"/>
<b:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
<b:bean class="security.acegi.NDBJSSecurityVoter"/>
</b:list>
</b:property>
</b:bean>
<authentication-manager alias="authenticationManager"/>
<b:bean id="shaPasswordEncoder" class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
<authentication-provider user-service-ref='userDetailsService'>
<password-encoder hash="sha"/>
</authentication-provider>
<global-method-security secured-annotations="enabled" />
<!-- The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with only a simple declaration. Consider the following example: -->
<global-method-security>
<protect-pointcut expression="execution(* najs*.service..*Manager*Impl*.*(..))" access="ROLE_USER"/>
</global-method-security>
</b:beans>
regards
Angela
already found the solution....sorry...it was because i had several <global-method-security> in my file...
angela