Dynamic Authorization

[smccrory]

mavisaka or Ben,

If I use a daoAuthenticationProvider as my authenticationManager, and I hang my role set off of the user's object graph, I get a LazyInstantiationException when the DatabaseDrivenMethodDefinitionSource tries to iterate through the roles. I think this is because the lifespan of the Hibernate Session ends after the authentication process, making the roles unavailable for instantiation. I've tried to make the role set non-lazy to no avail, and I've also tried to use BeanUtils.copyProperties() in my daoAuthenticationProvider to return a more fully instantiated user object, but that doesn't work either.

Any recommendations? Big thanks in advance...
Scott

[Ben Alex]

Have you tried the Hibernate.initialize(Object) static method?

[smccrory]

I tried (thanks for the tip) but it didn't work, so I ended up creating an additional non-lazy object and Hibernate mapping specifically for authentication and authorization.

[yfmoan]

Hi ,

Code:

protected ConfigAttributeDefinition lookupAttributes(MethodInvocation mi) {
		//construct secureObjectName 
		String secureObjectName=mi.getMethod().getDeclaringClass().getName() +"."+ mi.getMethod().getName();
		SecureObject secureObject=securityManager.getSecureObject(secureObjectName);
		if(secureObject==null)//if secure object not exist in database
			return null;
		//retrieving roles associated with this secure object
		List secureObjectRoles=(List)securityManager.getSecureObjectRoles(secureObject);
		//creating ConfigAttributeDefinition
		if(!secureObjectRoles.isEmpty()){
			ConfigAttributeEditor configAttrEditor=new ConfigAttributeEditor();
			StringBuffer rolesStr=new StringBuffer();
			for(int i=0;i<secureObjectRoles.size();i++){
				SecureObjectRole sor=(SecureObjectRole)secureObjectRoles.get(i);
				rolesStr.append(sor.getRole().getRoleName()).append(",");
			}
			configAttrEditor.setAsText( rolesStr.toString().substring(0,rolesStr.length()-1) );
			ConfigAttributeDefinition configAttrDef=(ConfigAttributeDefinition)configAttrEditor.getValue();
			return configAttrDef;
		}
		return null;
		
	}

It seem to me that the implementation above still cannot avoid hitting the database , even you use a cache suggested by Ben for every method invocation (OR what object to cache in this implementation ?).

Sure, just use a caching layer like EH-CACHE. Take a look at the implementation of DaoAuthenticationProvider and UserCache for a guide.

moon

[Ben Alex]

Why are you even writing a database-driven MethodDefinitionSource? I can't see a strong need for database metadata for method invocations - unlike web URIs where I can see a lot of potential value in some applications.

[yfmoan]

Hi Ben,

Why are you even writing a database-driven MethodDefinitionSource? I can't see a strong need for database metadata for method invocations - unlike web URIs where I can see a lot of potential value in some applications.

From my point of view , URIs interception is coarse grained security and method invocation is fine grained.
Once you use URIs interception , you have to categorize the similar functions to a page , each page look like a function's (method) category , sometime you can do this , but sometime you cannot because of the cross boundary business logic , so method blocking is a way out.

l do think that database-driven MethodDefinitionSource is a normal need. AspectJ in action use a whole chapter (Chapter 10) to discuss Authentication and authorization , so let's see some code snipplet in pg 339 ,

Code:

public void credit(float amount) {

   AccessController.checkPermission(new BankingPermission("credit"));
...
}
public void debit(float amount)
     throws InsufficientBalanceException {
   AccessController.checkPermission(new BankingPermission("debit"));
...
}

this is a typical JAAS sample code , AccessController.checkPermission(..) look like a "method interception" for me , and this is a need in JAAS , . Further , the view no. of this thread show a lot people interested in dynamic authorization.

Back to the question of database-driven MethodDefinitionSource , l think it is nice to have this feature support in acegi security , but how to do it ?

l think there are some criteria for the implemention . let's assume that l have 3 tables,

Users <--M:M--> Roles <--M:M--> AccessMethods

Criteria :

1. the whole relationship (Roles and AccessMethods) must be retrieved from the database to form the (method = ROLE_1,ROLE_2,...) pairs once the application start , that means l have the whole authorization table from the start.

2. we then caching authorization table after that.

3. if some of the relationship change , the authorization table have to be refresh , and cache it agian.

But , it seem to me that , neither MethodDefinitionMap nor MethodDefinitionAttributes provide support for this .

moon

[yfmoan]

l have make some code , but l don't know whether it is "save" or not , so comments is needed ,

DBDrivenMethodDefinitionSource.java

Code:

package org.acegi.intercept.method;

import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.acegi.providers.dao.MethodMapCache;
import org.acegi.providers.dao.cache.NullMethodMapCache;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeEditor;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.intercept.method.AbstractMethodDefinitionSource;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.yourschool.library.domain.AccessMethod;
import org.yourschool.library.domain.Role;
import org.yourschool.library.domain.logic.SecurityFacade;

public class  DBDrivenMethodDefinitionSource extends AbstractMethodDefinitionSource {
	
    private static final Log logger = LogFactory.getLog(DBDrivenMethodDefinitionSource.class);
    
    private static final String METHOD_MAP = "methodMap";
    private Map methodMap;
    private Map nameMap;
    private SecurityFacade securityManager;
    private MethodMapCache methodMapCache = new NullMethodMapCache();
  	
	public SecurityFacade getSecurityManager() {
		return securityManager;
	}

	public void setSecurityManager(SecurityFacade securityManager) {
		this.securityManager = securityManager;
	}

	public MethodMapCache getMethodMapCache() {
		return methodMapCache;
	}

	public void setMethodMapCache(MethodMapCache methodMapCache) {
		this.methodMapCache = methodMapCache;
	}

	public void buildMethodMapFromDB(){
		
		nameMap = new HashMap();
		methodMap = new HashMap();

		List accessMethods = (List) this.securityManager.loadAllAccessMethod();

		ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();

		for(int i = 0 ; i < accessMethods.size() ; i++){

			AccessMethod accessMethod = (AccessMethod)accessMethods.get(i);
			Iterator it = accessMethod.getRoles().iterator();

			StringBuffer rolesStr = new StringBuffer();
			
			while(it.hasNext()) {
				Role role = (Role)it.next();
				rolesStr.append(role.getRoleName()).append(",");
			}
			
			String accessMethodName = accessMethod.getAccessMethodName();
			
			// System.out.println(rolesStr.toString().substring(0,rolesStr.length()-1));
			configAttrEditor.setAsText(rolesStr.toString().substring(0,rolesStr.length()-1));
			ConfigAttributeDefinition attr = 
				(ConfigAttributeDefinition)configAttrEditor.getValue();
			
			// Register name and attribute
            addSecureMethod(accessMethodName, attr);
            
		}
		// put it into cache
		this.methodMapCache.putMethodMapInCache(METHOD_MAP,this.methodMap);
		
	}

    public Iterator getConfigAttributeDefinitions() {

    	Map mMap = this.methodMapCache.getMethodMapFromCache(METHOD_MAP);
    	if(mMap != null)
    		return mMap.values().iterator();
        return null;

    }

    public int getMethodMapSize() {
 	
    	Map mMap = this.methodMapCache.getMethodMapFromCache(METHOD_MAP);
    	if(mMap != null)
    		return mMap.size();
        return 0;
 
    }

    private void addSecureMethod(Method method, ConfigAttributeDefinition attr) {
        logger.info("Adding secure method [" + method + "] with attributes ["
                + attr + "]");
        this.methodMap.put(method, attr);
    }

    private void addSecureMethod(String name, ConfigAttributeDefinition attr) {
        int lastDotIndex = name.lastIndexOf(".");

        if (lastDotIndex == -1) {
            throw new IllegalArgumentException("'" + name
                + "' is not a valid method name: format is FQN.methodName");
        }

        String className = name.substring(0, lastDotIndex);
        String methodName = name.substring(lastDotIndex + 1);

        try {
            Class clazz = Class.forName(className, true,
                    Thread.currentThread().getContextClassLoader());
            addSecureMethod(clazz, methodName, attr);
        } catch (ClassNotFoundException ex) {
            throw new IllegalArgumentException("Class '" + className
                + "' not found");
        }
    }

    private void addSecureMethod(Class clazz, String mappedName,
        ConfigAttributeDefinition attr) {
        String name = clazz.getName() + '.' + mappedName;

        if (logger.isDebugEnabled()) {
            logger.debug("Adding secure method [" + name
                + "] with attributes [" + attr + "]");
        }

        Method[] methods = clazz.getDeclaredMethods();
        List matchingMethods = new ArrayList();

        for (int i = 0; i < methods.length; i++) {
            if (methods[i].getName().equals(mappedName)
                || isMatch(methods[i].getName(), mappedName)) {
                matchingMethods.add(methods[i]);
            }
        }

        if (matchingMethods.isEmpty()) {
            throw new IllegalArgumentException("Couldn't find method '"
                + mappedName + "' on " + clazz);
        }

        // register all matching methods
        for (Iterator it = matchingMethods.iterator(); it.hasNext();) {
            Method method = (Method) it.next();
            String regMethodName = (String) this.nameMap.get(method);

            if ((regMethodName == null)
                || (!regMethodName.equals(name)
                && (regMethodName.length() <= name.length()))) {
                // no already registered method name, or more specific
                // method name specification now -> (re-)register method
                if (regMethodName != null) {
                    logger.debug("Replacing attributes for secure method ["
                        + method + "]: current name [" + name
                        + "] is more specific than [" + regMethodName + "]");
                }

                this.nameMap.put(method, name);
                addSecureMethod(method, attr);
            } else {
                logger.debug("Keeping attributes for secure method [" + method
                    + "]: current name [" + name
                    + "] is not more specific than [" + regMethodName + "]");
            }
        }
    }

    private void checkMethodMap(){
    	
     	if(this.methodMapCache.getMethodMapFromCache(METHOD_MAP) == null){
    		buildMethodMapFromDB();
    	}
    }
    
    protected ConfigAttributeDefinition lookupAttributes(Method method) {
    	
        ConfigAttributeDefinition definition = new ConfigAttributeDefinition();

       	checkMethodMap();

        // Add attributes explictly defined for this method invocation
        ConfigAttributeDefinition directlyAssigned = 
        	(ConfigAttributeDefinition) this.methodMapCache.getMethodMapFromCache(METHOD_MAP).get(method);
        merge(definition, directlyAssigned);

        // Add attributes explicitly defined for this method invocation's interfaces
        Class[] interfaces = method.getDeclaringClass().getInterfaces();

        for (int i = 0; i < interfaces.length; i++) {
            Class clazz = interfaces[i];

            try {
                // Look for the method on the current interface
                Method interfaceMethod = clazz.getDeclaredMethod(method.getName(),
                        (Class[]) method.getParameterTypes());
                ConfigAttributeDefinition interfaceAssigned = 
                	(ConfigAttributeDefinition) this.methodMapCache.getMethodMapFromCache(METHOD_MAP).get(interfaceMethod);
                merge(definition, interfaceAssigned);
            } catch (Exception e) {
                // skip this interface
            }
        }

        // Return null if empty, as per abstract superclass contract
        if (definition.size() == 0) {
            return null;
        } else {
            return definition;
        }
    }

    private boolean isMatch(String methodName, String mappedName) {
        return (mappedName.endsWith("*")
        && methodName.startsWith(mappedName.substring(0, mappedName.length()
                - 1)))
        || (mappedName.startsWith("*")
        && methodName.endsWith(mappedName.substring(1, mappedName.length())));
    }

    private void merge(ConfigAttributeDefinition definition,
        ConfigAttributeDefinition toMerge) {
        if (toMerge == null) {
            return;
        }

        Iterator attribs = toMerge.getConfigAttributes();

        while (attribs.hasNext()) {
            definition.addConfigAttribute((ConfigAttribute) attribs.next());
        }
    }

}

DBDrivenMethodDefinitionSource (most of it's methods are copy from MethodDefinitionMap with little modification) is serving the criteria 1 & 2 , with a little change of criteria 1 -- the authorization table is not make from the DB at the beginning , not until the first invocation of a method . l changed it because l meet an NPE if l do it this way ,

Code:

public class  DBDrivenMethodDefinitionSource extends AbstractMethodDefinitionSource {
   public DBDrivenMethodDefinitionSource () {
       buildMethodMapFromDB();
   }
...
}

this happened while loading applicationContext-common-authorization.xml (l don't know how to do this with spring ioc , )

MethodMapCache.java

Code:

package org.acegi.providers.dao;

import java.util.Map;

public interface MethodMapCache {

    public Map getMethodMapFromCache(String mapName);

    public void putMethodMapInCache(String mapName,Map methodMap);

    public void removeMethodMapFromCache(String mapName);
}

to be continue ..

[yfmoan]

EhCacheBasedMethodMapCache.java

Code:

package org.acegi.providers.dao.cache;

import java.util.HashMap;
import java.util.Map;

import org.acegi.providers.dao.MethodMapCache;
import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheException;
import net.sf.ehcache.Element;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.beans.factory.InitializingBean;

import org.springframework.dao.DataRetrievalFailureException;
import org.springframework.util.Assert;

public class EhCacheBasedMethodMapCache implements MethodMapCache, InitializingBean {

    private static final Log logger = LogFactory.getLog(EhCacheBasedMethodMapCache.class);
    private Cache cache;

    public void setCache(Cache cache) {
        this.cache = cache;
    }

    public Cache getCache() {
        return cache;
    }

    public Map getMethodMapFromCache(String mapName) {
        Element element = null;

        try {
            element = cache.get(mapName);
        } catch (CacheException cacheException) {
            throw new DataRetrievalFailureException("Cache failure: "
                + cacheException.getMessage());
        }

        if (logger.isDebugEnabled()) {
            logger.debug("Cache hit: " + (element != null) + "; mapName: "
                + mapName);
        }

        if (element == null) {
            return null;
        } else {
            return (Map) element.getValue();
        }
    }

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(cache, "cache mandatory");
    }

    public void putMethodMapInCache(String mapName,Map methodMap) {
        Element element = new Element(mapName, new HashMap(methodMap));

        if (logger.isDebugEnabled()) {
            logger.debug("Cache put: " + element.getKey());
        }

        cache.put(element);
    }

    public void removeMethodMapFromCache(String mapName) {
        cache.remove(mapName);
    }
}

NullMethodMapCache.java

Code:

package org.acegi.providers.dao.cache;

import java.util.Map;

import org.acegi.providers.dao.MethodMapCache;

public class NullMethodMapCache implements MethodMapCache {

	public Map getMethodMapFromCache(String mapName){
		return null;
	}

    public void putMethodMapInCache(String mapName,Map methodMap) {}

    public void removeMethodMapFromCache(String mapName) {}
    
}

Remark:

1. This is first part of the complete code , second part will be using an interceptor to detect the change of the modification of the authorization table . l am using hibernate , so it is nature to use hibernate interceptor to do the job , althought l not yet implement , but l think the idea can be work theoretically . May be the code above is garbage , but what l am trying to prove is that dynamic authorization is useful , and is worth more attention for a complete security system like acegisecurity.

2. Because l avoid study all the codes , it may be not "save" , just to prove whether it can be implement easily into the current status of acegi (1.0 RC1).

Is this a working idea or there is other way to do it ?

moon

[yfmoan]

detect the changes of authorization table by using hibernate event , and then caching the table again , this serve criteria 3.

applicationContext.xml

Code:

...
	<bean id="authorizationSaveOrUpdateEventListener" class="org.acegi.providers.dao.hibernate.AuthorizationSaveOrUpdateEventListener">
		<property name="methodDefSource"><ref bean="dbDrivenMethodDefinitionSource"/></property>
	</bean>
	
	<bean id="authorizationDeleteEventListener" class="org.acegi.providers.dao.hibernate.AuthorizationDeleteEventListener">	
		<property name="methodDefSource"><ref bean="dbDrivenMethodDefinitionSource"/></property>
	</bean>
		
	<bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
		<property name="dataSource"><ref local="dataSource"/></property>
		<property name="eventListeners">
			<map>
				<entry key="save-update"><ref local="authorizationSaveOrUpdateEventListener" /></entry>
				<entry key="delete"><ref local="authorizationDeleteEventListener" /></entry>
			</map>
		</property>
		<property name="mappingResources">
			<list>
			.....
			</list>
		</property>
		<property name="hibernateProperties">
			<props>
			.....
			</props>
		</property>
	
	</bean>
...

AuthorizationSaveOrUpdateEventListener.java

Code:

package org.acegi.providers.dao.hibernate;

import org.hibernate.HibernateException;
import org.hibernate.event.SaveOrUpdateEvent;
import org.hibernate.event.def.DefaultSaveOrUpdateEventListener;
import org.yourschool.library.domain.Role;

import org.acegi.intercept.method.DBDrivenMethodDefinitionSource;

public class AuthorizationSaveOrUpdateEventListener extends DefaultSaveOrUpdateEventListener {

	private DBDrivenMethodDefinitionSource methodDefSource;
	
	public void setMethodDefSource(DBDrivenMethodDefinitionSource methodDefSource) {
		this.methodDefSource = methodDefSource;
	}

	public void onSaveOrUpdate(SaveOrUpdateEvent event) throws HibernateException {
		
		super.onSaveOrUpdate(event);
		
		if(event.getEntity() instanceof Role)
			methodDefSource.buildMethodMapFromDB();
		
	}
	
}

similar for AuthorizationDeleteEventListener.java.

applicationContext-common-authorization.xml

Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">

<beans>

   <!-- An access decision manager used by the business objects -->
   <bean id="businessAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions"><value>false</value></property>
      <property name="decisionVoters">
         <list>
            <ref local="roleVoter"/>
         </list>
      </property>
   </bean>

   <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>
   
   <!-- ================= METHOD INVOCATION AUTHORIZATION ==================== -->

	<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
    
	<bean id="methodMapCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
		<property name="cacheManager">
			<ref local="cacheManager"/>
		</property>
		<property name="cacheName">
			<value>methodMapCache</value>
		</property>
	</bean>
   
	<bean id="methodMapCache" class="org.acegi.providers.dao.cache.EhCacheBasedMethodMapCache">
		<property name="cache"><ref local="methodMapCacheBackend"/></property>
	</bean>
		
	<bean id="dbDrivenMethodDefinitionSource" class="org.acegi.intercept.method.DBDrivenMethodDefinitionSource">
		<property name="securityManager"><ref bean="security"/></property>
		<property name="methodMapCache"><ref local="methodMapCache"/></property>
	</bean>
		
	<bean id="librarySecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
		<property name="authenticationManager"><ref bean="authenticationManager"/></property>
		<property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
		<property name="objectDefinitionSource"><ref local="dbDrivenMethodDefinitionSource"/></property>
	</bean>	

</beans>

moon

[yfmoan]

Sorry , the AuthorizationSaveOrUpdateEventListener.java above is not working correctly when l first save a entity (whatever object that intercepted by the hibernate event), it cause an endless loop . l guess l used the wrong listeners , and l make it work again by using another 3 listeners , AuthorizationInsertEventListener , AuthorizationUpdateEventListener and AuthorizationDeleteEventListener .

AuthorizationPostInsertEventListener.java

Code:

package org.acegi.providers.dao.hibernate;

import org.hibernate.event.PostInsertEvent;
import org.hibernate.event.PostInsertEventListener;
import org.yourschool.library.domain.Role;
import org.acegi.intercept.method.DBDrivenMethodDefinitionSource;

public class AuthorizationPostInsertEventListener implements PostInsertEventListener {

	private DBDrivenMethodDefinitionSource methodDefSource;

	public void setMethodDefSource(
			DBDrivenMethodDefinitionSource methodDefSource) {
		this.methodDefSource = methodDefSource;
	}

	public void onPostInsert(PostInsertEvent arg0) {
		
		if (arg0.getEntity() instanceof Role){
			methodDefSource.buildMethodMapFromDB();
		}
		
	}

}

similar for AuthorizationPostUpdateEventListener.java and AuthorizationPostDeleteEventListener.java

applicationContext.xml

Code:

	<bean id="authorizationPostInsertEventListener" class="org.acegi.providers.dao.hibernate.AuthorizationPostInsertEventListener">
		<property name="methodDefSource"><ref bean="dbDrivenMethodDefinitionSource"/></property>
	</bean>
	
		<bean id="authorizationPostUpdateEventListener" class="org.acegi.providers.dao.hibernate.AuthorizationPostUpdateEventListener">
		<property name="methodDefSource"><ref bean="dbDrivenMethodDefinitionSource"/></property>
	</bean>
	
	<bean id="authorizationPostDeleteEventListener" class="org.acegi.providers.dao.hibernate.AuthorizationPostDeleteEventListener">	
		<property name="methodDefSource"><ref bean="dbDrivenMethodDefinitionSource"/></property>
	</bean>
		
	<bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
		<property name="dataSource"><ref local="dataSource"/></property>
		<property name="eventListeners">
			<map>
				<entry key="post-commit-insert"><ref local="authorizationPostInsertEventListener" /></entry>
				<entry key="post-commit-update"><ref local="authorizationPostUpdateEventListener" /></entry>
				<entry key="post-commit-delete"><ref local="authorizationPostDeleteEventListener" /></entry>
			</map>
		</property>
.....

l am not confirm all this implementations correct or not , but working for me now.

moon