-
Mar 2nd, 2007, 02:45 PM
#1
Acegi method security & Command pattern
Hi,
I have a set of Command classes implementing an ICommand interface (with an execute method).
Now, I want to enable role-based authorization on the execute method of each command.
I have set up my security advice, and added it to my autoproxy bean:
<bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="beanNames"><value>*Service</value></property>
<property name="interceptorNames">
<list>
<value>commandSecurityAdvice</value>
</list>
</property>
</bean>
The roles are set up in the security advice:
...
<property name="objectDefinitionSource">
<value>
command1.execute=ROLE_SUPERVISOR
command2.execute=ROLE_SUPERVISOR
command3.execute=ROLE_USER,ROLE_SUPERVISOR
</value>
</property>
...
ACEGI is evaluating my secured object (the command) as an ICommand object and therefore would not match any role.
In the ACEGI code, it is only checked against interfaces. So what would be the right approach in my case?
I would like to avoid setting a security advice for each command.
Thanks
Xavier
-
Mar 5th, 2007, 08:54 AM
#2
Does my question make any sense, given that nobody replied?
Xav.
-
Mar 5th, 2007, 12:18 PM
#3
Whereabouts in the code is the problem you are facing?
-
Mar 5th, 2007, 03:23 PM
#4
The ACEGI code that causes me a problem is the one that tries to match the interface of my secured object with the objectDefinitionSource.
The code is in MethodDefinitionMap.lookupAttributes(Method).
It is coded to match the method of my secured object to a method of an interface:
Class[] interfaces = method.getDeclaringClass().getInterfaces();
In my case, even though my class Command1 implements ICommand (with an execute method), I want to be able to specify in the objectDefinitionSource:
Command1.execute=ROLE_USER
But this would match nothing because of the getInterfaces().
I am not saying there is a problem in the lookupAttributes method but rather am asking if there is another way to achieve that: assigning ROLEs to methods defined on classes implementing the same interface.
X.
-
Mar 5th, 2007, 03:43 PM
#5
Cool, wow it works by specifying the following in my BeanNameAutoProxyCreator:
<property name="proxyTargetClass" value="true" />
That now uses the implementation class, not the interface.
Thanks for the help.
X.
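The difference behind this fix, as an added example that is not part of the thread and not Acegi's source: with an interface-based (JDK) proxy the interceptor is handed `ICommand.execute`, so an entry written against `Command1.execute` finds nothing, while a proxy of the target class exposes the method declared on `Command1`. `ProxyLookupDemo`, `ROLES` and `rolesFor` are hypothetical names, the lookup keyed on the declaring class is a simplified stand-in for the matching described above, and the target-class case is modeled by reflecting on `Command1` directly.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class ProxyLookupDemo {
    interface ICommand { void execute(); }
    static class Command1 implements ICommand { public void execute() { } }

    // Simplified stand-in for a "Class.method=ROLE" table (assumption, not Acegi code).
    static final Map<String, String> ROLES = new HashMap<String, String>();
    static { ROLES.put(Command1.class.getName() + ".execute", "ROLE_USER"); }

    // Looks the method up by the class that declares it, then reports the result.
    static String rolesFor(Method m) {
        String role = ROLES.get(m.getDeclaringClass().getName() + "." + m.getName());
        return m.getDeclaringClass().getSimpleName() + "." + m.getName()
                + " -> " + (role == null ? "no match" : role);
    }

    public static void main(String[] args) throws Exception {
        final ICommand target = new Command1();
        final String[] seen = new String[1];
        // Interface-based (JDK) proxy: the handler receives ICommand.execute.
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method method, Object[] a) throws Throwable {
                seen[0] = rolesFor(method);
                return method.invoke(target, a);
            }
        };
        ICommand jdkProxy = (ICommand) Proxy.newProxyInstance(
                ICommand.class.getClassLoader(), new Class<?>[] { ICommand.class }, handler);
        jdkProxy.execute();
        System.out.println("interface proxy:    " + seen[0]);
        // Target-class proxying modeled by taking the Method from Command1 itself.
        System.out.println("target-class proxy: "
                + rolesFor(Command1.class.getMethod("execute")));
    }
}
```

An entry that matches nothing leaves the method with no configured roles, so it is worth testing each mapping by calling the command as a user who lacks the required role.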
-
Mar 5th, 2007, 03:55 PM
#6
Not a problem, glad to help! If you want to understand this more, the reference manual should help.
http://www.springframework.org/docs/...l#aop-proxying
-
Mar 6th, 2007, 02:45 AM
#7
Thank you for this link. That knowledge may have saved me some trouble for my future Acegi stuff.
-
Mar 6th, 2007, 08:15 AM
#8
If in doubt it's always worthwhile having a read of the reference manual! It saves many hours of frustration and pulling your hair out.