Mar 20th, 2006, 02:56 PM
axis, wss4j, spring and acegi
I'm an acegi newbie and I'm trying to use axis, wss4j, spring and acegi together. I'm using the example (http://ws.apache.org/wss4j/axis.html) but in the PWCallback class I use acegi for authentication and that works fine.
The problem I have is when trying out the acegi method security. I have set up the MethodSecurityInterceptor to intercept the method exposed as a web service and a user that is not allowed to execute the method. In PWCallback I do acegi authentication and then set the Authentication object in the SecurityContext in the SecurityContextHolder. After PWCallback the method exposed as a web service is called and executed, even though it should not be accessible by the user.
When trying out the same setup with only acegi in a JUnit test it works fine.
I assume that the problem is that the SecurityContextHolder does not live on after the PWCallback thread has ended and the MethodSecurityInterceptor is kicked off. How can I preserve the SecurityContextHolder until the MethodSecurityInterceptor is kicked off? Do I use the servlet context somehow?
Apr 14th, 2006, 05:09 AM
Good question! I don't know the answer, though. :-) You'd need to look closely at the threading that's taking place. If on the server you're setting SecurityContextHolder, but the SecurityContextHolder is null by the time MethodSecurityInterceptor gets called, there's a good chance a different thread is being used. A simple way of checking which thread is being used is to use Log4J and its log pattern that reports the thread ID. That way you can see which thread is outputting to the log at different times.
If different threads are indeed being used, you need a solution that is beyond the scope of Acegi Security. You might want to consider using the callback to populate an InheritableThreadLocal, and then an AOP around advice that occurs before MethodSecurityInterceptor which duplicates the InheritableThreadLocal contents into the (single thread aware) SecurityContextHolder. That might be a quick solution for you, and only really requires writing a simple InheritableThreadLocal and implementation of MethodInterceptor.
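The approach described in the reply above, as an added example that is not part of the original thread and not Acegi's own code. The names `WsAuthenticationHolder` and `WsAuthenticationPropagationInterceptor` are hypothetical, and the `org.acegisecurity` package names are an assumption about the Acegi release in use (other releases may use different package and class names).

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.context.SecurityContextHolder;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

/** Hypothetical holder that the WSS4J PWCallback fills after authenticating. */
final class WsAuthenticationHolder {
    // Child threads receive a copy of the parent's value when they are created.
    private static final InheritableThreadLocal<Authentication> HOLDER =
            new InheritableThreadLocal<Authentication>();

    private WsAuthenticationHolder() { }

    // Call from PWCallback: WsAuthenticationHolder.set(authenticatedToken);
    static void set(Authentication authentication) { HOLDER.set(authentication); }

    static Authentication get() { return HOLDER.get(); }

    static void clear() { HOLDER.remove(); }
}

/**
 * Around advice that must run before MethodSecurityInterceptor. It copies the
 * Authentication stored by the callback into the SecurityContextHolder of the
 * thread that actually invokes the service method.
 */
public class WsAuthenticationPropagationInterceptor implements MethodInterceptor {

    public Object invoke(MethodInvocation invocation) throws Throwable {
        Authentication previous =
                SecurityContextHolder.getContext().getAuthentication();
        Authentication fromCallback = WsAuthenticationHolder.get();

        // If the callback stored nothing, the context is left untouched, so
        // MethodSecurityInterceptor sees no credentials and denies the call.
        if (fromCallback != null) {
            SecurityContextHolder.getContext().setAuthentication(fromCallback);
        }
        try {
            return invocation.proceed();
        } finally {
            // Pooled threads are reused: restore the old state and drop this
            // thread's copy so one caller's identity never reaches the next.
            SecurityContextHolder.getContext().setAuthentication(previous);
            WsAuthenticationHolder.clear();
        }
    }
}
```

List this interceptor ahead of the MethodSecurityInterceptor in the proxy's interceptor chain. An InheritableThreadLocal value is only copied when a child thread is created, so the thread-ID logging suggested above is still needed to confirm the service thread is a child of the callback thread.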
May 31st, 2006, 11:37 AM
Ben, could you grab out a piece of example code that illustrates your approach with the InheritableThreadLocal (and works with Acegi 0.8.3)?