
Thread: MethodSecurityInterceptor example does not work

  1. #1
    Join Date
    Jul 2007
    Posts
    5

    MethodSecurityInterceptor example does not work

    I have implemented filterSecurityInterceptor and it works fine. But when I implement Method Level security it does not work; it allows me to access both methods for a role user. Can anybody check what's wrong with the example? I used IS_AUTHENTICATED_REMEMBERED and ROLE_USER, but both did not work.

    Entry In applicationContext.xml:
    <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager">
            <ref bean="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
            <bean class="org.acegisecurity.vote.AffirmativeBased">
                <property name="allowIfAllAbstainDecisions" value="false" />
                <property name="decisionVoters">
                    <list>
                        <bean class="org.acegisecurity.vote.RoleVoter" />
                        <bean class="org.acegisecurity.vote.AuthenticatedVoter" />
                    </list>
                </property>
            </bean>
        </property>
        <property name="objectDefinitionSource">
            <value>
                com.springtest.manage.ManagerImpl.show=IS_AUTHENTICATED_REMEMBERED
                com.springtest.manage.ManagerImpl.delete=ROLE_ADMIN
            </value>
        </property>
    </bean>

    <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="interceptorNames">
            <list>
                <value>methodSecurityInterceptor</value>
            </list>
        </property>
        <property name="beanNames">
            <list>
                <value>managerImpl</value>
            </list>
        </property>
    </bean>
    <bean id="managerImpl" class="com.springtest.manage.ManagerImpl" />



    Here is the controller.
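    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.web.servlet.ModelAndView;
    import org.springframework.web.servlet.mvc.Controller;

    import com.springtest.manage.ManagerImpl;

    public class SpringappController implements Controller
    {
        public SpringappController()
        {
            super();
        }

        public ModelAndView handleRequest(HttpServletRequest request,
                HttpServletResponse response) throws Exception
        {
            String param = request.getParameter("mode");
            // As posted: the manager is created with new, not obtained from the application context.
            ManagerImpl manager = new ManagerImpl();
            String returnValue = "You are no Authorized to perform";
            String methodName = null;
            if (param != null && param.length() > 0)
            {
                if (param.trim().equals("show"))
                {
                    methodName = "show";
                    returnValue = manager.show();
                }
                else if (param.trim().equals("delete"))
                {
                    methodName = "delete";
                    returnValue = manager.delete();
                }
            }

            // The result is exposed to the view under the name of the invoked method.
            return new ModelAndView("index", methodName, returnValue);
        }
    }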


    Here is the ManagerImpl.
    package com.springtest.manage;

    /**
     * TODO Document Class
     *
     * @author RKNello
     * @change.history Aug 28, 2007
     */
    public class ManagerImpl
    {
        public ManagerImpl()
        {
            super();
        }

        public String delete()
        {
            return "Only for Admins";
        }

        public String show()
        {
            return "Role User View";
        }
    }

    Here is the JSP code:

    Method Based Authentication
    <p><a href="sp.do?mode=show">Show</a>
    <%=request.getAttribute("show")%>
    <p><a href="sp.do?mode=delete">delete</a>
    <%=request.getAttribute("delete")%>

  2. #2
    Join Date
    Nov 2006
    Location
    Munich, Germany
    Posts
    24


    Hi,

    the BeanNameAutoProxyCreator which uses Spring AOP only works if you get your Bean out of the Application Context and not if you create the instance with new like you do in your sample code.

    Spring adds a Proxy around the bean and this proxy delegates to the SecurityInterceptor. If you create the instance on your own you don't have this proxy of course, and therefore you don't have security. So, just inject your bean in your controller or get it with getBean() and it will work. Also have a look here: http://www.acegisecurity.org/guide/s...l#aop-alliance

    The other way of doing method security checks is AspectJ. This adds the check during the compilation and therefore also works with your own instances. Information on how you do this can be found here: http://www.acegisecurity.org/guide/s...y.html#aspectj

    Regards,
    Mike

  3. #3
    Join Date
    Jul 2007
    Posts
    5

    Tried all the examples

    I tried all three methods explained at http://www.acegisecurity.org/guide/s...l#aop-alliance and http://www.acegisecurity.org/guide/s...y.html#aspectj but no success. Acegi still does not secure my methods.
    Do you have any working example for Method Security?

  4. #4
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    The contacts sample app uses method security. You'll find the settings in the app's applicationContext-common-authorization.xml context file.
