MethodSecurityInterceptor is intercepting from Action classes in struts.

**gd007** · Jan 30th, 2007, 07:18 PM

<bean name="/foo/fooPath"
class="org.springframework.aop.framework.ProxyFact oryBean">
<property name="target">
<bean class="org.foo.web.actions.path.SomeAction">
</property>
<property name="interceptorNames">
<list>
<value>securityAdvice</value>
</list>
</property>
</bean>

<bean id="securityAdvice"
class="org.acegisecurity.intercept.method.aopallia nce.MethodSecurityInterceptor">
<property name="validateConfigAttributes" value="true"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="objectDefinitionSource">
org.foo.web.actions.some.SomeAction.*=ROLE_CEO
</property>

</bean>

**Andreas Senft** · Jan 31st, 2007, 02:10 AM

Originally Posted by gd007

<property name="objectDefinitionSource">
org.foo.web.actions.some.SomeAction.*=ROLE_CEO
</property>

Should be "org.foo.web.actions.path.SomeAction.*=ROLE_CE O" to match the above (is it a typo?).

Besides that: Is the method in question declared in the class itself or perhaps in an implemented interface? If the latter is the case, then the interface method has to be declared in the "objectDefinitionSource" property.

If that does not help, please turn on debug logging and see what happens. Maybe that can provide a clue.

Regards,
Andreas

**karldmoore** · Jan 31st, 2007, 02:44 PM

Just out of interesting, I wondered why you are trying to intercept methods on the Struts action instead of the URLs? Does it make more sense to use FilterSecurityInterceptor instead of MethodSecurityInterceptor? As for the action which method were you trying to intercept?

http://www.acegisecurity.org/multipr...terceptor.html
http://www.acegisecurity.org/multipr...terceptor.html

**gd007** · Jan 31st, 2007, 05:04 PM

Andreas,
Yeah that was a typo, and I don't see in the logs that methods are being secured.

karldmoore,

That was good catch. We are intercepting uris first. We are also trying to secure methods on top of that. URI part is working just fine.

--

**karldmoore** · Feb 1st, 2007, 02:38 AM

I've not actually seen people doing this before. Usually the URLs are intecepted and then the service layer. How are you integrating Struts and Spring? The article below shows a few ways of doing it, which are you using?
http://www-128.ibm.com/developerwork...ary/j-sr2.html

**gd007** · Feb 1st, 2007, 08:41 PM

karldmoore,

We are using the second approach of struts and spring applying the RequestProcessor. We have no problem in that. But don't know why
the MethodSecurityInterceptor is not firing.

**karldmoore** · Feb 2nd, 2007, 02:46 AM

Hmmm, I wondered if there were any issues with internal calls hence no proxying. I'll try and have a look at this later as I'm quite interested myself. In the mean time, I'd stick the debugger on it and see what happens.
http://www.springframework.org/docs/...ng-aop-proxies

**gd007** · Feb 2nd, 2007, 05:15 PM

There is no problem with proxying. I have debugged into the code and it is going
in MethodSecurityInterceptor. But after it goes there my debugger gets messed up. Problem is with the objectDefinitionSource. I don't see that the methods are being secured in the logs. I have tuned the logging level to debug.

**karldmoore** · Feb 4th, 2007, 04:24 PM

I'm just trying the same thing at the moment, with the same result. Haven't managed to track down what's going on yet, but I'll post back when I know more.

**gd007** · Feb 5th, 2007, 12:28 AM

Nice to see that it is reproducible. Keep us posted on any progress.

Thread: MethodSecurityInterceptor is intercepting from Action classes in struts.

Thread Tools

Display

MethodSecurityInterceptor is not intercepting method in Action classes in struts.

objectDefinitionSource problem

It is reproducible

Posting Permissions