acess="RUN_AS....

[phanbu]

I have an application in which a user has extra rights when browsing in her own stuff. In order to accomplish this, I have a virtual folder in the application (/my) in which the controller makes sure that the thing that you picked is yours, and displays it to you. I have granted a ROLE_RUN_AS_ME role to this folder in the following way:

Code:

    <bean
      id="filterInvocationInterceptor"
      class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"
    >
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
        <property name="runAsManager" ref="runAsManager" />
        <property name="securityMetadataSource">
            <security:filter-security-metadata-source path-type="ant">
                <security:intercept-url pattern="/home/**" access="ROLE_ANONYMOUS,ROLE_USER" />
                <security:intercept-url pattern="/my/**" access="ROLE_USER,RUN_AS_ME"  />
                <security:intercept-url pattern="/search/**" access="ROLE_SYSTEM_SEARCH" />
                <security:intercept-url pattern="/user/**" access="ROLE_SYSTEM_SEARCH,RUN_AS_SEARCH" />
                <security:intercept-url pattern="/appl/**" access="ROLE_SYSTEM_APPL" />
                <security:intercept-url pattern="/area/**" access="ROLE_SYSTEM_AREA" />
            </security:filter-security-metadata-source>
        </property>
    </bean>

Some users (those who have ROLE_SYSTEM_SEARCH rights) can look at other users' stuff. However, if I have more than one browser window open, and one of those windows is looking at my own stuff, sometimes I have the ROLE_RUN_AS_ME role in the window where I am looking at the other person's stuff. To confirm that this is true, I have added the tag

Code:

<authz:authentication property="authorities" />

at the bottom of my pages. Sometimes the ROLE_RUN_AS_ME is repeated more than once!

When I am looking at my own stuff, or at someone else's stuff, the same JSP files are being used. The /user/** folder has the ROLE_RUN_AS_SEARCH assigned to help keep track of who's stuff I am viewing. Currently, both of these roles are being assigned at the same time. ... sometimes multiple times.

Is this a bug, or am I supposed to be doing something differently? Is there a place where I am supposed to tell Spring Security to stop running as...?


Thanks,

Paul Hanbury

[Rob Winch]

What version of Spring Security are you using? How are you updating the authentication to have the RunAsRole?

[phanbu]

What version of Spring Security are you using?

3.1.1

How are you updating the authentication to have the RunAsRole?

I'm not quite sure what you are asking here. I simply have a RunAsManager bean (of type org.springframework.security.access.intercept.RunA sManagerImpl) defined in my XML file. This is the runAsManager referenced in my code in the original post.

What it looks like is happening (to me anyway) is that when I click on a link with with a /my/**-shaped URL, the securityInterceptor's beforeInvocation() method calls the runAsManager's buildRunAs() method. This accepts my original Authentication object (which is of type org.springframework.security.authentication.Userna mePasswordAuthenticationToken), a FilterInvocation object (which seems to be ignored), and a Collection of ConfigAttributes (which contains the values "ROLE_USER" and "RUN_AS_ME" from the filterInvocationInterceptor). When it finds the RUN_AS_ME attribute, it creates a new list of authorities containing all of the previous authorities, plus a new ROLE_RUN_AS_ME authority. Then this new list of authorities is used to create a new Authentication object (of type org.springframework.security.access.intercept.RunA sUserToken). Finally, the securityInterceptor saves the old Authentication object so that it can be put back into the security context later (which is done in its afterInvocation() method).

This is all well and good (at normal speed).

However, if I rapidly click on a bunch of /my/**-shaped links, then the calls to afterInvocation() happen in the wrong order. Eventually, my original Authentication object is not in the security context (a RunAsUserToken has taken its place.) Unfortunately, this replacement Authentication token still contains the ROLE_RUN_AS_ME authority, even after I have browsed to a different page.

[Rob Winch]

The reason I asked the version is due to this issue which should not be present in 3.1.1.

What does the rest of your configuration look like? Did you ensure to have the SecurityContextPersistenceFilter as the first filter? It is in charge of removing the SecurityContext from the ThreadLocal.

NOTE: I was able to produce a load of 40 users concurrently requesting a RUN_AS url and a non RUN_AS url without any problems using 3.1.2 (you might try updating to see if that helps).

[phanbu]

What does the rest of your configuration look like?

I can include the XML in a post here if you want to see it.

We do have a custom authenticationProcessingFilter and a custom authenticationProvider. These make sure that the right Authentication object put into the security context. I have been looking at these to see if they might be causing problems. However, no method in either of these classes is ever called during a runAs request (just during authentication).

We are also using Tiles to layout our pages. So we get multiple forwards per request. filterSecurityInterceptor.isObserveOncePerRequest( ) returns true.

Did you ensure to have the SecurityContextPersistenceFilter as the first filter? It is in charge of removing the SecurityContext from the ThreadLocal.

Our channelProcessingFilter was first in the chain. I have moved it so that now the filter chain looks like this:

Code:

    <bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain
            pattern="/**"
            filters
              ="securityContextPersistenceFilter,
                channelProcessingFilter,
                logoutFilter,
                authenticationProcessingFilter,
                securityContextHolderAwareRequestFilter,
                anonymousProcessingFilter,
                exceptionTranslationFilter,
                filterInvocationInterceptor"
          />
        </security:filter-chain-map>
    </bean>

Maybe this could be set up differently/better? Still this change didn't fix the problem.

NOTE: I was able to produce a load of 40 users concurrently requesting a RUN_AS url and a non RUN_AS url without any problems using 3.1.2 (you might try updating to see if that helps).

I did upgrade to 3.1.2. This also does not help either.

It seems that in AbstractSecurityInterceptor, the afterInvocationManager is null. How can I fix this?

Thanks,
Paul

[phanbu]

If I set a breakpoint at AbstractSecurityInterceptor:259, which says:

Code:

SecurityContextHolder.setContext(token.getSecurityContext());

The first time the code breaks when requesting pages with RUN_AS_... roles, token's securityContext holds a UsernamePasswordAuthenticationToken. But on the second request, it holds a RunAsUserToken.