
Thread: Rich Client - HttpInvoker - Security

  1. #1

    Hello,

    I have developed a rich client project that uses HttpInvoker, but security doesn't work on the server: all requests made from the client are successful. I don't know what is wrong.
    I read the forum, and the code I implemented is:

    My applicationContext.xml is
    Code:
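    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Root application context: Acegi Security beans plus the Hibernate-backed MainFacade
         service. Validated against the Spring 1.x beans DTD. -->
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">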
    
    <beans>
    
       <!-- Issues run-as tokens for secured invocations. Its key is set to the same value as
            the key on runAsAuthenticationProvider below, which is what lets that provider
            accept the tokens this manager creates.
            NOTE(review): presumably unused in this setup, since no RUN_AS_ attribute appears in
            any objectDefinitionSource in this file; confirm before keeping it.
            NOTE(review): the key values in these three beans are shared secrets written into
            the file and look like sample values; a deployed system should take unpredictable
            values from outside the file. -->
       <bean id="runAsManager" class="net.sf.acegisecurity.runas.RunAsManagerImpl">
          <property name="key"><value>my_run_as_password</value></property>
       </bean>
    
       <!-- Authentication provider for run-as tokens; listed in authenticationManager. -->
       <bean id="runAsAuthenticationProvider" class="net.sf.acegisecurity.runas.RunAsImplAuthenticationProvider">
            <property name="key"><value>my_run_as_password</value></property>
        </bean>
    
       <!-- Authentication provider for tokens produced by a container adapter that was
            configured with the same key.
            NOTE(review): no container adapter is configured in this file; if none is in use,
            leaving this provider out of authenticationManager keeps the set of accepted token
            types to what the application needs. -->
       <bean id="authByAdapterProvider" class="net.sf.acegisecurity.adapters.AuthByAdapterProvider">
            <property name="key"><value>my_password</value></property>
        </bean>
    
    	<!-- Remote-facing wrapper that delegates to authenticationManager.
    	     NOTE(review): presumably meant to let the rich client check credentials remotely;
    	     server-servlet.xml on this page exports only /MainFacade, so nothing here publishes
    	     it. -->
    	<bean id="remoteAuthenticationManager" class="net.sf.acegisecurity.providers.rcp.RemoteAuthenticationManagerImpl">
            <property name="authenticationManager">
                <ref bean="authenticationManager"/>
            </property>
        </bean>
    
        <!-- Central authentication manager shared by the Basic-auth filter, the URL interceptor
             and the method interceptor. Providers are consulted in the order listed.
             NOTE(review): every provider listed is one more token type the manager will accept;
             keep only the ones the application actually relies on. -->
        <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider"/>
                    <ref local="runAsAuthenticationProvider"/>
              <ref local="authByAdapterProvider"/>
                </list>
            </property>
        </bean>
    
        <!-- Username/password provider backed by inMemoryDaoImpl.
             NOTE(review): no password encoder is configured here, so the stored passwords are
             presumably compared as plain text; confirm. -->
        <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
            <property name="authenticationDao">
                <ref local="inMemoryDaoImpl"/>
            </property>
        </bean>
    
        <!-- In-memory user store. Each line is username=password followed by the granted
             authorities; the "disabled" token marks the account (peter) as disabled.
             Only admin holds ROLE_SUPERVISOR, the role MainFacadeSecurityManager demands, and
             scott and peter lack ROLE_USER, the role the URL rule in filterInvocationInterceptor
             demands.
             NOTE(review): passwords are stored in clear text and the accounts look like
             framework sample users; a deployed system needs its own accounts kept outside this
             file, with hashed passwords. -->
        <bean id="inMemoryDaoImpl" class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
            <property name="userMap">
                <value>
                    admin=admin,ROLE_USER,ROLE_SUPERVISOR
                    dianne=emu,ROLE_USER
                    scott=wombat,ROLE_TELLER
                    peter=opal,disabled,ROLE_TELLER
                </value>
            </property>
        </bean>
    
        <!-- Access decision manager used by both the URL and the method interceptor.
             AffirmativeBased grants access as soon as one voter votes to grant; roleVoter is the
             only voter configured here. -->
        <bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
            <!-- false: access is denied when every voter abstains, so a resource whose attributes
                 no voter understands stays closed. -->
            <property name="allowIfAllAbstainDecisions">
                <value>false</value>
            </property>
            <property name="decisionVoters">
                <list>
                    <ref local="roleVoter"/>
                </list>
            </property>
        </bean>
    
       <!-- Votes on the ROLE_ attributes used in the objectDefinitionSource entries of this file. -->
       <bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>
    
        <!-- HTTP Basic authentication filter; authenticates the credentials of each request
             through authenticationManager.
             NOTE(review): Basic credentials travel base64-encoded with every request, and no
             transport requirement (HTTPS) is configured in this file; confirm the endpoint is
             only reachable over TLS. -->
        <bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
            <property name="authenticationManager">
                <ref local="authenticationManager"/>
            </property>
            <property name="authenticationEntryPoint">
                <ref local="basicProcessingFilterEntryPoint"/>
            </property>
        </bean>
    
        <!-- Entry point that challenges for Basic credentials under the given realm name; also
             referenced by securityEnforcementFilter. -->
        <bean id="basicProcessingFilterEntryPoint" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
            <property name="realmName">
                <value>Contacts Realm</value>
            </property>
        </bean>
    
        <!-- Keeps the security context in the HTTP session between requests; "context" names the
             context class to create when the session holds none.
             This bean takes effect only when web.xml reaches it through FilterToBeanProxy; a
             filter-class entry that names the filter class directly makes the container build
             its own instance, which never receives this property. -->
        <bean id="httpSessionContextIntegrationFilter" class="net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter">
           <property name="context"><value>net.sf.acegisecurity.context.security.SecureContextImpl</value></property>
        </bean>	
    
       <!-- Method-level security interceptor, applied to the service through mainFacadeProxy.
            The single rule requires ROLE_SUPERVISOR for every MainFacade method. It protects
            only calls that go through the proxy; a reference to the raw mainFacade bean is not
            checked.
            NOTE(review): MainFacade is written without a package, so the interface is
            presumably in the default package; confirm the name resolves, otherwise the rule
            cannot match. -->
       <bean id="MainFacadeSecurityManager" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
          <property name="authenticationManager"><ref local="authenticationManager"/></property>
          <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
          <property name="runAsManager"><ref local="runAsManager"/></property>
          <property name="objectDefinitionSource">
             <value>
                 MainFacade.*=ROLE_SUPERVISOR
             </value>
          </property>
       </bean>
       
    	<!-- JDBC connection settings for the local MySQL database "Contable".
    	     NOTE(review): the application connects as the MySQL root account and the password is
    	     stored in this file. A dedicated account limited to this schema, with credentials
    	     supplied from outside the file, is the safer setup, all the more so because the
    	     session factory below runs with hibernate.hbm2ddl.auto=update. -->
    	<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
                    <property name="driverClassName"><value>com.mysql.jdbc.Driver</value></property>
                    <property name="url"><value>jdbc&#58;mysql&#58;//127.0.0.1/Contable</value></property>
                    <property name="username"><value>root</value></property>
                    <property name="password"><value>pass</value></property>
        </bean>
    
    	<!-- Hibernate 3 session factory over dataSource, mapping Usuario.hbm.xml.
    	     NOTE(review): hibernate.show_sql=true prints every SQL statement, and
    	     hibernate.hbm2ddl.auto=update lets the application alter the schema at start-up; both
    	     are development conveniences to switch off for a deployed system. -->
    	<bean id="sessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean">
    		<property name="dataSource"><ref local="dataSource"/></property>
    		<property name="mappingResources">
    			<value>Usuario.hbm.xml</value>
    		</property>
    		<property name="hibernateProperties">
    			<props>
    				<prop key="hibernate.show_sql">true</prop>
    				<prop key="hibernate.dialect">org.hibernate.dialect.MySQLMyISAMDialect</prop>
    				<prop key="hibernate.hbm2ddl.auto">update</prop>
    			</props>
    		</property>
    	</bean>
    
    	<!-- Template the DAO uses to work with Hibernate sessions. -->
    	<bean id="hibernateTemplate" class="org.springframework.orm.hibernate3.HibernateTemplate">
    		<property name="sessionFactory"><ref bean="sessionFactory"/></property>
    	</bean>
    
    	<!-- DAO injected into mainFacade. -->
    	<bean id="usuarioDao" class="HibernateUsuarioDao">
    		<property name="hibernateTemplate">
    			<ref bean="hibernateTemplate"/>
    		</property>
    	</bean>	
    	
    	<!-- Transaction manager used by the mainFacadeManager transaction proxy. -->
    	<bean id="transactionManager" class="org.springframework.orm.hibernate3.HibernateTransactionManager">
    		<property name="sessionFactory"><ref local="sessionFactory"/></property>
    	</bean>
    
       <!-- Raw service implementation with no security or transaction handling of its own.
            Anything that exposes the service to callers should reference mainFacadeManager,
            never this bean. -->
       <bean id="mainFacade" class="MainFacadeImpl">   
    		<property name="usuarioDao"><ref bean="usuarioDao"/></property>   
       </bean>
       
        <!-- Security layer: proxies the MainFacade interface and runs MainFacadeSecurityManager
             before each call reaches mainFacade. -->
        <bean id="mainFacadeProxy" class="org.springframework.aop.framework.ProxyFactoryBean">
          <property name="proxyInterfaces"><value>MainFacade</value></property>
          <property name="interceptorNames">
             <list>
                <idref local="MainFacadeSecurityManager"/>
             </list>
          </property>
          <property name="target">
                  <ref bean="mainFacade"/>
          </property>
       </bean>
    
    	<!-- Transaction layer wrapped around the security proxy, giving the call chain
    	     mainFacadeManager, then mainFacadeProxy, then mainFacade. This is the bean
    	     server-servlet.xml exports.
    	     NOTE(review): methods whose names match none of the patterns below presumably run
    	     without a transaction but still pass through the security proxy; confirm. -->
    	<bean id="mainFacadeManager" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
    		<property name="transactionManager"><ref bean="transactionManager"/></property>
    		<property name="target"><ref bean="mainFacadeProxy"/></property>
    		<property name="transactionAttributes">
    			<props>
    				<prop key="get*">PROPAGATION_REQUIRED</prop>
    				<prop key="load*">PROPAGATION_REQUIRED</prop>
    				<prop key="set*">PROPAGATION_REQUIRED</prop>				
    				<prop key="find*">PROPAGATION_REQUIRED</prop>
    				<prop key="store*">PROPAGATION_REQUIRED</prop>
    				<prop key="changePassword">PROPAGATION_REQUIRED</prop>
    			</props>
    		</property>
    	</bean>
    
        <!-- Web-tier enforcement filter: runs filterInvocationInterceptor for each request and
             hands off to the Basic-auth entry point when authentication is required. It only
             sees requests that the web.xml filter mapping routes to it. -->
        <bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
          <property name="filterSecurityInterceptor"><ref local="filterInvocationInterceptor"/></property>
          <property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
       </bean>
    
    	    <!-- URL-level rules. The two directive lines select lower-casing of the URL and Ant-style
    	         patterns; the one rule requires ROLE_USER for every URL. "/**" is an Ant pattern
    	         read by Acegi here; it is not a valid catch-all in a web.xml url-pattern.
    	         Together with the method rule in MainFacadeSecurityManager, a caller needs both
    	         ROLE_USER and ROLE_SUPERVISOR to invoke MainFacade. -->
    	    <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
                <property name="authenticationManager">
                    <ref local="authenticationManager"/>
                </property>
                <property name="accessDecisionManager">
                    <ref local="accessDecisionManager"/>
                </property>
                <property name="objectDefinitionSource">
                    <value>
                     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                     PATTERN_TYPE_APACHE_ANT
                    /**=ROLE_USER
                    </value>
                </property>
            </bean>
    
    </beans>
    my web.xml is
    Code:
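    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Servlet 2.3 deployment descriptor: Acegi filter chain in front of the Spring
         DispatcherServlet that serves the HTTP invoker endpoint. -->
    <!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>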
    
    <web-app>
    
     <!-- Location of the root application context loaded by ContextLoaderListener; this is
          the file that defines the Acegi beans the filters below resolve. -->
     <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/applicationContext.xml</param-value>
     </context-param>
    
    
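          <!-- All three Acegi filters are declared through FilterToBeanProxy, which hands each
               request to the bean of type targetClass defined in applicationContext.xml, so the
               properties configured on those beans are the ones in effect. -->
          <filter>
            <filter-name>Acegi_HTTP_BASIC_Authorization_Filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
              <param-name>targetClass</param-name>
              <param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
            </init-param>
          </filter>

          <!-- Routed through the proxy like the other two: naming the filter class directly
               would make the container build its own instance, which never receives the
               "context" property set on the httpSessionContextIntegrationFilter bean. -->
          <filter>
            <filter-name>HttpSessionContextIntegrationFilter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
              <param-name>targetClass</param-name>
              <param-value>net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter</param-value>
            </init-param>
          </filter>

          <filter>
            <filter-name>Acegy_http_request_security_filter</filter-name>
            <filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
            <init-param>
              <param-name>targetClass</param-name>
              <param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
            </init-param>
          </filter>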
    
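             <!-- Servlet url-patterns are not Ant patterns: "/**" is matched as a literal path,
                  so a filter mapped to it is never invoked for /remoting/* requests and those
                  requests reach the servlet without passing any Acegi filter. "/*" is the
                  servlet form that covers every request. -->
             <!-- Mapping order is chain order. The context-integration filter comes first so a
                  security context exists before Basic authentication stores its result in it,
                  and the enforcement filter comes last.
                  NOTE(review): confirm this order against the reference guide of the Acegi
                  release in use. -->
             <filter-mapping>
               <filter-name>HttpSessionContextIntegrationFilter</filter-name>
               <url-pattern>/*</url-pattern>
             </filter-mapping>

             <filter-mapping>
               <filter-name>Acegi_HTTP_BASIC_Authorization_Filter</filter-name>
               <url-pattern>/*</url-pattern>
             </filter-mapping>

             <filter-mapping>
               <filter-name>Acegy_http_request_security_filter</filter-name>
               <url-pattern>/*</url-pattern>
             </filter-mapping>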
    
    
    
        <!-- Listener that loads the root Spring application context (the file named by
             contextConfigLocation) when the web application starts. -->
          <listener>
            <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
          </listener>
    	
       <!-- DispatcherServlet named "server"; by Spring convention it reads its beans from
            server-servlet.xml, the file that defines the HTTP invoker exporter. -->
       <servlet>
          <servlet-name>server</servlet-name>
          <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
          <load-on-startup>2</load-on-startup>
       </servlet>
    
       <!-- Remote endpoints live under /remoting/; the filter mappings above must cover this
            path for any web-tier authentication to apply to remote calls. -->
       <servlet-mapping>
          <servlet-name>server</servlet-name>
          <url-pattern>/remoting/*</url-pattern>
       </servlet-mapping>
    
    	 <!-- HTTP sessions expire after 10 minutes of inactivity. -->
    	 <session-config>
      <session-timeout>10</session-timeout>
     </session-config>
    	
    </web-app>
    and my server-servlet.xml is

    Code:
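    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Bean definitions for the "server" DispatcherServlet: the remotely exported services. -->
    <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">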
       
    <beans>
    
       <!-- Publishes MainFacade over Spring HTTP invoker; the bean name is the path below the
            DispatcherServlet mapping, i.e. /remoting/MainFacade. The service reference is
            mainFacadeManager, the transaction proxy that wraps the security-intercepted proxy;
            pointing it at the raw mainFacade bean would bypass MethodSecurityInterceptor.
            NOTE(review): HTTP invoker requests are Java-serialized objects that the exporter
            deserializes before any method-level check runs, so the URL-level filters in web.xml
            are what keeps unauthenticated callers away from this endpoint; confirm they are
            mapped so that they cover /remoting/*. -->
       <bean name="/MainFacade" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
          <property name="service"><ref bean="mainFacadeManager"/></property>
          <property name="serviceInterface">
             <value>MainFacade</value>
          </property>
       </bean>
    		
    </beans>

    thx

  2. #2


    I had the same problem. When I removed the authentication providers except for one, and changed the voting accessDecisionManager to UnanimousBased, it worked correctly again.

    I am still trying to understand what is going on there.

    Erik.

  3. #3

    What does your server-side debug log say? Is it trying to authorize each method, or is it assuming they're public (unsecured) methods?
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  4. #4

    Thanks, but I already solved the problem; I had a problem in Tomcat.
