<security:accesscontrollist> doesn't do anything

[larry3k]

Hi everybody,

So I have the following code in my xhtml page that does absolutely nothing
<security:accesscontrollist hasPermission="7" domainObject="#{handler.article}">
..... button
</security:accesscontrollist>

From what I understand the button should only be showed if my user has the requested right for that object. Well the button is shown for all users which shouldn't be the case.
Another thing I don't get and haven't been able to find a clear answer about is:
aren't my ACLDecissionManager and the ACLVoters supposed to be called for this tag? Because in my case they aren't.

Could you please help me out with this problem.

Thanks!

[larry3k]

Ok ... so I've debugged the application and the AccessControlListTag class is never called. Does anybody know what the problem could be?

here is my config for the acls:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns="http://www.springframework.org/schema/p"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:jdbc="http://www.springframework.org/schema/jdbc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schem...ontext-3.1.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schem...ing-tx-3.1.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schem...g-util-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schem...ng-aop-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<security:global-method-security
secured-annotations="enabled"
access-decision-manager-ref="aclDecisionManager" >
</security:global-method-security>

<!-- ACL Service -->
<bean class="de.localprj.acl.service.MyJdbcMutableAclSer vice" id="mutableAclService">
<constructor-arg ref="dataSource"/>
<constructor-arg ref="lookupStrategy"/>
<constructor-arg ref="aclCache"/>
</bean>

<bean class="de.localprj.acl.util.MyACLLookupStrategy" id="lookupStrategy">
<constructor-arg ref="dataSource"/>
<!-- Ehcache -->
<constructor-arg ref="aclCache"/>
<constructor-arg ref="aclAuthorizationStrategy"/>
<constructor-arg ref="aclAuditLogger"/>
<!-- custom permisison factory -->
<property name="permissionFactory" ref="myPermissionFactory"/>
</bean>
<bean class="de.localprj.acl.util.MyACLPermissionFactory " id="myPermissionFactory"/>

<!-- ACL Caching -->
<bean id="aclCache" class="org.springframework.security.acls.domain.Eh CacheBasedAclCache">
<constructor-arg>
<bean class="org.springframework.cache.ehcache.EhCacheFa ctoryBean">
<property name="cacheManager">
<bean class="org.springframework.cache.ehcache.EhCacheMa nagerFactoryBean"/>
</property>
<property name="cacheName" value="aclCache"/>
</bean>
</constructor-arg>
</bean>

<!-- ACL Authorization Strategy -->
<bean class="org.springframework.security.acls.domain.Ac lAuthorizationStrategyImpl" id="aclAuthorizationStrategy">
<constructor-arg>
<array>
<ref local="aclAdminAuthority"/>
<ref local="aclAdminAuthority"/>
<ref local="aclAdminAuthority"/>
</array>
</constructor-arg>
</bean>

<!-- ACL Audit Logger -->
<bean class="org.springframework.security.acls.domain.Co nsoleAuditLogger" id="aclAuditLogger"/>

<bean class="org.springframework.security.access.vote.Af firmativeBased" id="aclDecisionManager">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
.......
</list>
</property>
</bean>

....

<bean class="org.springframework.security.core.authority .GrantedAuthorityImpl" id="aclAdminAuthority">
<constructor-arg value="ROLE_ADMIN"/>
</bean>



</beans>

[Rob Winch]

Sounds like you do not have the jsp tag library setup correctly. Is spring-security-taglibs-<version>.jar in your lib folder and does it match the other versions of spring-security jars?

[larry3k]

I have the spring-security-taglibs-3.1.0RC2 in my libs project and it matches the rest of the libraries ans their version (all are 3.1.0RC2 spring security).

I have a question regarding what you said: "Sounds like you do not have the jsp tag library setup correctly."
What do you mean by that? I am actually using xhtml pages not jsp pages but thought the tag should work in both cases.

Configuration looks like this

...
xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schem...-beans-3.1.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schem...ontext-3.1.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schem...ing-tx-3.1.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schem...g-util-3.1.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schem...ng-aop-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"
...

xhtml File:
...
xmlns:security="http://www.springframework.org/schema/security"
...
<security:accesscontrollist hasPermission="7" domainObject="#{handler.article}">
button
</security:accesscontrollist>


What am I doing wrong?

Thanks