-
Dec 19th, 2006, 01:21 AM
#1
methodSecurityInterceptor not getting invoked
Hi,
I seem to have some basic question. I am deploying my service on jboss and I want to provide authorization to some of the methods in that service.
Mine is a standalone application; I suppose that I don't need to configure any filter for providing authorization? Here is jboss-spring.xml, which I am placing in jboss/server/default/deploy.
<code>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
  <description>BeanFactory=(auth)</description>
  <bean id="securityBean" class="org.myService"/>
  <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="interceptorNames">
      <list><value>methodSecurity</value></list>
    </property>
    <property name="beanNames">
      <list><value>securityBean</value></list>
    </property>
    <property name="proxyTargetClass" value="true"/>
  </bean>
  <bean id="methodSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
      <value>
        org.myServiceMBean.listDetails=ROLE_ADMIN
      </value>
    </property>
  </bean>
  <bean id="memoryAuthenticationDao" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
      <value>
        mack=contegix,ROLE_ADMIN
        prasad=pass,ROLE_USER
      </value>
    </property>
  </bean>
  <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <property name="decisionVoters">
      <list><bean class="org.acegisecurity.vote.RoleVoter"/></list>
    </property>
  </bean>
  <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService">
      <ref local="memoryAuthenticationDao"/>
    </property>
  </bean>
  <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="daoAuthenticationProvider"/>
      </list>
    </property>
  </bean>
</beans>
</code>
Now when I am trying to invoke my method listDetails through the jmx-console, I am able to access that method. I think I should not be able to access that method as it is one of the secure methods.
Here is the client code through which I am doing the authentication and setting the authentication object into the SecurityContextHolder.
<code>
public String login(String userId, String passWord) throws LoginException {
    String userName = userId;
    String password = passWord;
    StringBuffer buffer = new StringBuffer();
    Authentication request = new UsernamePasswordAuthenticationToken(userName, password);
    Authentication response = null;
    GrantedAuthority authorities[] = null;
    try {
        Properties jndiProps = new Properties();
        InitialContext context = new InitialContext(jndiProps);
        BeanFactory beans = (BeanFactory) context.lookup("auth");
        authenticationManager = (AuthenticationManager) beans.getBean("authenticationManager");
        myLog.debug("the configured authenticationmanager is" + authenticationManager);
        try {
            response = authenticationManager.authenticate(request);
            SecurityContextImpl ctx = new SecurityContextImpl();
            ctx.setAuthentication(request);
            SecurityContextHolder.setContext(ctx);
            //SecurityContextHolder.getContext().setAuthentication(response);
            myLog.debug("the response is" + response.toString());
        } catch (BadCredentialsException excp) {
            excp.printStackTrace();
            buffer.append("");
            return buffer.toString();
        } catch (CredentialsExpiredException excp) {
            excp.printStackTrace();
            buffer.append("");
            return buffer.toString();
        }
        if (response.isAuthenticated()) {
            authorities = response.getAuthorities();
            if (authorities != null && authorities.length > 0) {
                for (int i = 0; i < authorities.length; i++) {
                    buffer.append(authorities[i]).append(" ");
                }
            }
        }
    } catch (Exception excp) {
        excp.printStackTrace();
        buffer.append("");
        return buffer.toString();
    }
    return buffer.toString();
}
</code>
So basically I am performing the following steps:
1) Start my jboss server.
2) My service is listed as one of the services on the jmx-console.
3) I invoke the method which I set as one of the secure methods. The method got invoked and I got the results.
I think I should not be able to access that method as I have not done the authentication. Is it that my methodSecurityInterceptor is not getting invoked?
Please suggest whether this is a correct way of providing authorization.
-
Dec 19th, 2006, 06:48 AM
#2
You've told it to proxy org.myService and apply security to org.myServiceMBean.listDetails=ROLE_ADMIN. Shouldn't that be org.myService.listDetails=ROLE_ADMIN?
-
Dec 19th, 2006, 07:40 AM
#3
karl, I have exposed the method of myService through myServiceMBean. The methods which are declared in myServiceMBean will be listed on the jmx-console which we will be invoking. I thought that I should proxy the method which will be exposed. Basically myService contains the implementation of the methods which are declared in myServiceMBean.
I will try it the other way out and let you know.
Thanks for the suggestion
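
Added example, not part of the thread and not Acegi code: a minimal JDK dynamic-proxy model of the method-level authorization discussed above, showing that a role rule is enforced only for calls routed through the proxy, while a caller holding the raw target object never reaches the interceptor. All names (`ProxyBypassDemo`, `ServiceMBean`, `Service`, `secure`, `currentRoles`) are hypothetical stand-ins, and the rule-key format is an assumption of this model.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class ProxyBypassDemo {
    // Hypothetical stand-ins for the thread's myServiceMBean / myService.
    interface ServiceMBean { String listDetails(); }
    static class Service implements ServiceMBean {
        public String listDetails() { return "details"; }
    }

    // Roles of the current caller (constructed; empty set = not authenticated).
    static final ThreadLocal<Set<String>> currentRoles = ThreadLocal.withInitial(Collections::emptySet);

    // Wrap the target so each call through the returned proxy is checked against rules
    // keyed "DeclaringType.method" -> required role. Methods without a rule pass through.
    static ServiceMBean secure(ServiceMBean target, Map<String, String> rules) {
        InvocationHandler h = (proxy, method, args) -> {
            String key = method.getDeclaringClass().getSimpleName() + "." + method.getName();
            String required = rules.get(key);
            if (required != null && !currentRoles.get().contains(required)) {
                throw new SecurityException("Access denied: " + key + " requires " + required);
            }
            return method.invoke(target, args);
        };
        return (ServiceMBean) Proxy.newProxyInstance(
                ServiceMBean.class.getClassLoader(), new Class<?>[] {ServiceMBean.class}, h);
    }

    public static void main(String[] args) {
        Service target = new Service();
        ServiceMBean proxied = secure(target, Map.of("ServiceMBean.listDetails", "ROLE_ADMIN"));

        // 1) Caller holding the raw target: the interceptor never runs.
        System.out.println("direct, no roles:  " + target.listDetails());
        // 2) Same caller through the proxy: the rule is enforced and the call is denied.
        try {
            proxied.listDetails();
        } catch (SecurityException e) {
            System.out.println("proxied, no roles: " + e.getMessage());
        }
        // 3) Caller with ROLE_ADMIN through the proxy: allowed.
        currentRoles.set(Set.of("ROLE_ADMIN"));
        System.out.println("proxied, admin:    " + proxied.listDetails());
    }
}
```

When a secured method runs without any check, two things worth verifying are which object reference the invoking component actually holds (proxy or target) and whether the configured rule key matches the method the interceptor sees.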