@PreAuthorize, ACLs, spEL, and missing debug info

[exitstan]

I am trying to use spring-security 3.0.5 acl features and have it working for post-filtering collections and arrays.
But I am unable to get it working when selecting a single object because of missing debug symbol information.

I've read the Peter Mularien book -- Chapter 7, about setting up and using ACLs -- and I know I need to compile the necessary debug info into the classes but can't seem to find out how to get eclipse to do it.

Here is the annotation on the interface method signature:

@PreAuthorize("hasAnyRole('ROLE_SUPER_USER','ROLE_ SYSTEM_ADMIN') and hasPermission(#id, 'com.xyz.db.domain.impl.XyzConfigImpl', 'read')")
public XyzConfig get(Long id);

Here is the warning:
[110224-19:22:25.155 WARN ] o.s.s.a.e.m.MethodSecurityEvaluationContext - Unable to resolve method parameter names for method: public final com.xyz.db.domain.XyzConfig $Proxy77.get(java.lang.Long). Debug symbol information is required if you are using parameter names in expressions.

Here is the exception:
Exception in thread "main" java.lang.IllegalArgumentException: identifier required
at org.springframework.util.Assert.notNull(Assert.jav a:112)
at org.springframework.security.acls.domain.ObjectIde ntityImpl.<init>(ObjectIdentityImpl.java:43)
at org.springframework.security.acls.domain.ObjectIde ntityRetrievalStrategyImpl.createObjectIdentity(Ob jectIdentityRetrievalStrategyImpl.java:38)
at org.springframework.security.acls.AclPermissionEva luator.hasPermission(AclPermissionEvaluator.java:6 3)
at org.springframework.security.access.expression.met hod.MethodSecurityExpressionRoot.hasPermission(Met hodSecurityExpressionRoot.java:35)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Nativ e Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Native MethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(De legatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.expression.spel.support.Reflec tiveMethodExecutor.execute(ReflectiveMethodExecuto r.java:69)

I am using eclipse 3.6.1 to compile and run this spring/hibernate based java application (not ant,, with a javac -g compiler option).

Is using parameter names in expressions not possible when compiling with eclipse, instead of and ant build file (using the javac.debug=on option)?
Could the problem be related to trying to find a param name in a proxy?
Please help! I'm am really keen to use this feature.

Thanks,
Stan

[Rob Winch]

Window -> Preferences -> Java -> Compiler

Check the boxes in Classfile Generation

[exitstan]

Thanks... I had already set those compiler settings, but that did not fix the problem.

What did fix it was moving the annotation...

@PreAuthorize("hasAnyRole('ROLE_SUPER_USER','ROLE_ SYSTEM_ADMIN') and hasPermission(#id, 'com.xyz.db.domain.impl.XyzConfigImpl', 'read')")
public XyzConfig get(Long id);

...from the interface to the class. I would prefer to put the method security annotation on the interfaces, but no big deal. I can move them back when this problem is fixed in a future release.

Note: it is only the presence of the expression's method parameter which prevents me from annotating the interface.

[pmularien]

That is interesting, I'll have to dig into the code later to see if the SpEL bits that pick up the method params don't work with interfaces. Do you know if you are using CGLIB or AspectJ proxying? (Do you have any aop: declarations in your config files?)

[exitstan]

The CGLIB jar is not on the classpath.

My parent spring config file contains:

<aop:aspectj-autoproxy proxy-target-class="false"/>

( proxy-target-class="false" is the default... I was experimenting with proxy-target-class="true" )

[winarto]

That is interesting, I'll have to dig into the code later to see if the SpEL bits that pick up the method params don't work with interfaces. Do you know if you are using CGLIB or AspectJ proxying? (Do you have any aop: declarations in your config files?)

I have the same issue as well. Upon digging into the code, I found that in method LocalVariableTableParameterNameDiscoverer.inspectC lass(Class<?> clazz), it reads on the implementation class file only.

Thus it can't resolve the argument variable name specified in the hasPermission()

[Rob Winch]

I am able to secure my services by placing on the interfaces, so I am guessing you are doing something differently Can you provide a sample project that reproduces the issue? Ideally the project would be one that is as simple as possible to reproduce the problem, built with gradle, or maven. If you need a place to place the project you could put it on github or even attach to the forum as a zip file.

[winarto]

Hi Rob,

I think it's a little bit difficult for me to attach my project here or in github (due to company's network policy). But here is what I did:
1. Create a project using Roo
2. Create entities and fields
3. Create Services for entities
4. Create controller scaffolding of the entities
5. Apply the web security using

security setup

command and amends the URL to be secured
6. Push ITD's of methods from *_Roo_Service.aj to .java
7. Apply the following

@PreAuthorize("hasPermission(#reminder, 'ADMINISTRATION')")
public abstract Reminder updateReminder(Reminder reminder);

It is also compiled using aspectj compiler (just in case you think it has any effect).

Any pointer is appreciated.

[Rob Winch]

Can you put together a dummy project that replicates the issue?

[winarto]

Can you put together a dummy project that replicates the issue?

Will do. Once I've gotten the dummy project, I'll put it here.