-
Feb 18th, 2011, 08:47 AM
#1
No security check for inherited methods.
I use spring-security-3.0.5 and have two classes like

class BaseClass {
    public void methodOne() {
    }
    public void methodTwo() {
    }
}

@PreAuthorize("hasRole('ROLE_ADMIN')")
class CustomeClass extends BaseClass {
    public void methodThree() {
    }
}

When I call CustomeClass.methodThree() and I am not ADMIN I get an AccessDeniedException,
but when I call the inherited methods nothing happens; I can call them without getting the exception.
Am I missing a configuration, or is it not possible to do this with Spring Security?
-
Feb 18th, 2011, 01:10 PM
#2
Sorry, I'm having a hard time understanding what you have calling what. Can you post some source of what you are doing, and what you think should be happening?
Peter Mularien | Blog
Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
SCJP 5, Oracle DBA
Any postings are my own opinion, and should not be attributed to my employer or clients.
-
Feb 20th, 2011, 08:48 AM
#3
When I log in with a user that has ROLE_USER and I call
CustomeClass.methodThree() => AccessDeniedException
but when I call the inherited methods from the base class,
CustomeClass.methodOne() or CustomeClass.methodTwo(), there is no security exception.
What I expect is that if I put the @PreAuthorize("hasRole('ROLE_ADMIN')") annotation at the class level, then all methods inside the class, including the inherited ones, should have the same security restrictions.
It seems someone else had this problem http://forum.springsource.org/showthread.php?t=78917 but got no answer.
-
Feb 21st, 2011, 09:24 PM
#4
I believe this should work as you describe. The logic in PrePostAnnotationSecurityMetadataSource will work its way back from a method or class with an annotation to find the annotation on the declaring class. Try starting up the application with Spr Sec DEBUG logging enabled and look for log statements like this: "PreAuthorize found on: methodOne".
Peter Mularien | Blog
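An added example (mine, not code from this thread, from the sample project, or from Spring Security itself) that reproduces the lookup described in the previous post with plain JDK reflection, so it runs without Spring on the classpath. The PreAuthorize stand-in annotation, findAccessExpression, report and FixedCustomeClass are constructed for the demo; the lookup order it mirrors (most specific method on the target class, then the original method, then the declaring class of that method) is the one PrePostAnnotationSecurityMetadataSource uses in Spring Security 3.0.x. Because the last step asks the method's declaring class rather than the target class, an inherited methodOne is attributed to BaseClass, which carries no annotation, so no security attribute is produced and MethodSecurityInterceptor never votes on the call. That is consistent with the DEBUG output posted later in the thread, where only methodThree appears in an "Adding security method" line.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class InheritedMethodLookupDemo {

    // Stand-in for org.springframework.security.access.prepost.PreAuthorize
    // (constructed for this demo so no Spring jar is needed).
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    @interface PreAuthorize {
        String value();
    }

    // The classes from the original post, with return types added so they compile.
    static class BaseClass {
        public void methodOne() { }
        public void methodTwo() { }
    }

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    static class CustomeClass extends BaseClass {
        public void methodThree() { }
    }

    // Hypothetical fixed variant: the annotated subclass overrides the inherited
    // methods, so their declaring class becomes the annotated class.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    static class FixedCustomeClass extends BaseClass {
        @Override public void methodOne() { super.methodOne(); }
        @Override public void methodTwo() { super.methodTwo(); }
        public void methodThree() { }
    }

    // Mirrors the order in which Spring Security 3.0.x's
    // PrePostAnnotationSecurityMetadataSource looks for the annotation:
    //   1. the most specific method on the target class,
    //   2. the original method (relevant when it came from an interface),
    //   3. the DECLARING class of that method, not the target class.
    // Spring uses AnnotationUtils.findAnnotation, which additionally walks the
    // superclasses and interfaces of the declaring class; plain getAnnotation is
    // enough here because nothing in this hierarchy annotates a superclass.
    static String findAccessExpression(Method method, Class<?> targetClass)
            throws NoSuchMethodException {
        Method specific = targetClass.getMethod(method.getName(), method.getParameterTypes());
        PreAuthorize a = specific.getAnnotation(PreAuthorize.class);
        if (a == null && !specific.equals(method)) {
            a = method.getAnnotation(PreAuthorize.class);
        }
        if (a == null) {
            a = specific.getDeclaringClass().getAnnotation(PreAuthorize.class);
        }
        return a == null ? null : a.value();
    }

    // Prints, for one public method of the target class, where it is declared and
    // which access expression (if any) the lookup would attach to it.
    static void report(Class<?> target, String methodName) throws NoSuchMethodException {
        Method m = target.getMethod(methodName);
        String expr = findAccessExpression(m, target);
        System.out.printf("%-18s %-12s declared in %-18s -> %s%n",
                target.getSimpleName(), methodName, m.getDeclaringClass().getSimpleName(),
                expr == null ? "NO ATTRIBUTE (call is not intercepted)" : expr);
    }

    public static void main(String[] args) throws Exception {
        String[] names = {"methodOne", "methodTwo", "methodThree"};
        for (String name : names) {
            report(CustomeClass.class, name);
        }
        for (String name : names) {
            report(FixedCustomeClass.class, name);
        }
    }
}
```

Running it shows the two inherited methods of CustomeClass resolving to BaseClass with no attribute, while the overriding variant resolves all three methods to the annotated class. The fixes that follow from this are either to put the annotation on BaseClass (every subclass then inherits the restriction, which may be broader than you want) or to override the inherited methods in the annotated subclass as FixedCustomeClass does. Whichever you choose, treat the startup DEBUG log as the check: every method you expect to be protected should appear in an "Adding security method" line, and a public method of a secured bean that does not appear there is callable by any authenticated (or, depending on your configuration, anonymous) caller. A class-level annotation on a subclass looks like a blanket rule, but it is not one.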
-
Feb 22nd, 2011, 07:49 AM
#5
Hi
I created a sample project that demonstrates the problem.
https://github.com/ralscha/spring-security-test
Start with mvn jetty:run
Login with user bob and password bobspassword
With @Secured annotation
http://localhost:8080/action/callSubMethod --> OK. Access denied
http://localhost:8080/action/callSuperMethod --> Wrong. Access allowed
With @PreAuthorize annotation
http://localhost:8080/action/callSubPreMethod --> OK. Access denied
http://localhost:8080/action/callSuperPreMethod --> Wrong. Access allowed
Regards
Ralph
-
Mar 1st, 2011, 11:01 AM
#6
I turned on logging for Spring Security (log4j.logger.org.springframework.security=DEBUG),
but it did not show much.
-- START LOG --
17:12:06,250 DEBUG DelegatingMethodSecurityMetadataSource:66 - Adding security method [CacheKey[CustomeClass; public ResultClass CustomeClass.methodThree()]] with attributes [ROLE_ADMIN]
-- CustomeClass.methodThree() CALL LOG --
16:51:06,750 DEBUG MethodSecurityInterceptor:191 - Secure object: ReflectiveMethodInvocation: public ResultClass CustomeClass.methodThree(); target is of class [CustomeClass]; Attributes: [ROLE_ADMIN]
16:51:06,796 DEBUG MethodSecurityInterceptor:292 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@46e2d0da: Principal: UserClass@364492: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ - Fullname: Test User; User ID: 1; Authority: ROLE_READ; ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 62BC35A8D07E3BCDF056476E73D2B97C; Granted Authorities: ROLE_READ
16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@1a52fe6, returned: 0
16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.RoleVoter@1ebd825, returned: -1
16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.vote.AuthenticatedVoter@bb9f91, returned: 0
16:51:06,906 DEBUG AffirmativeBased:53 - Voter: org.springframework.security.access.annotation.Jsr250Voter@1e9029c, returned: -1
17:12:07,000 ERROR RouterController:211 - Error calling method: methodThree
org.springframework.security.access.AccessDeniedException: Access is denied
and there is nothing at all about CustomeClass.methodOne() or CustomeClass.methodTwo().
-
Mar 20th, 2011, 09:13 AM
#7
I give up on this; let's hope that someone can answer it.