Thread: AFTER_ACL_COLLECTION_READ not intercepting with MethodSecurityInterceptor

  1. #1 (TechSiobhan)

    AFTER_ACL_COLLECTION_READ not intercepting with MethodSecurityInterceptor

    I'm using an Oracle DB and have my AclService populating the tables like so:

    ACL_SID
    ID PRINCIPAL SID
    1 1 siobhan
    2 0 ROLE_USER

    ACL_CLASS
    ID CLASS
    1 model.coso.impl.BusinessUnit

    ACL_OBJECT_IDENTITY
    ID OBJECT_ID_CLASS OBJECT_ID_IDENTITY PARENT_OBJECT OWNER_SID ENTRIES_INHERITING
    1 1 3 1 1

    ACL_ENTRY
    ID ACL_OBJECT_IDENTITY ACE_ORDER SID MASK GRANTING AUDIT_SUCCESS AUDIT_FAILURE
    1 1 0 2 1 1 0 0

    So I am expecting that only ROLE_USER can read my object - BusinessUnit#3

    The config uses an AclEntryAfterInvocationCollectionFilteringProvider as in the DMS example:

    Code:
    <!-- ============== "AFTER INTERCEPTION" AUTHORIZATION DEFINITIONS =========== -->

    <bean id="afterInvocationManager" class="org.springframework.security.afterinvocation.AfterInvocationProviderManager">
       <property name="providers">
          <list>
             <ref local="afterAclCollectionRead"/>
          </list>
       </property>
    </bean>

    <!-- Processes AFTER_ACL_COLLECTION_READ configuration settings -->
    <bean id="afterAclCollectionRead" class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
       <constructor-arg ref="aclService"/>
       <constructor-arg>
          <list>
             <ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
          </list>
       </constructor-arg>
    </bean>

    <!-- ================= METHOD INVOCATION AUTHORIZATION ==================== -->

    <bean id="methodSecurityAdvisor" class="org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor" autowire="constructor"/>

    <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
       <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
       <property name="objectDefinitionSource">
          <value>
             dao.ISecureRiskDao.getSecureRisksViewByBU=ROLE_USER,AFTER_ACL_COLLECTION_READ
          </value>
       </property>
    </bean>
    The secured method queries the DB using findByCriteria:
    Code:
    DetachedCriteria c = DetachedCriteria.forClass(BusinessUnit.class);
    List bus = getHibernateTemplate().findByCriteria(c);
    When logged in as ROLE_OTHER in the SecurityContext Authentication, this returns all domain objects, whereas I am expecting the one with id=3 to be excluded by the filter.

    I have the Spring Security code from SVN and can debug into AbstractSecurityInterceptor.afterPropertiesSet() on startup but none of my breakpoints in MethodSecurityInterceptor, AbstractSecurityInterceptor, or AfterInvocationProviderManager are stopping when the secured method is called.

    Is there anything I am missing?

    Thanks in advance for your help!
    Last edited by TechSiobhan; Jun 12th, 2008 at 08:34 AM.

  2. #2 (Luke Taylor, Senior Member, Acegi Security System Team / Spring Team)

    How are you applying the interceptor to your ISecureRiskDao bean?

  3. #3 (TechSiobhan)

    I was applying it like so:

    Code:
    <bean id="methodSecurityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
       <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
       <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
       <property name="objectDefinitionSource">
          <value>
             dao.ISecureRiskDao.getSecureRisksViewByBU=AFTER_ACL_COLLECTION_READ
          </value>
       </property>
    </bean>
    However, I changed my config to use the <sec:intercept-methods> tags on the config of my manager bean and this did the trick.
    Last edited by TechSiobhan; Jun 18th, 2008 at 05:21 AM.
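An added example, not posted by anyone in this thread, of what the `<sec:intercept-methods>` wiring from the last reply can look like with the Spring Security 2.0 namespace; the bean id `secureRiskDao`, the implementation class `dao.SecureRiskDaoImpl` and the `sec` prefix are assumed, and the `afterInvocationManager` and `businessAccessDecisionManager` beans from the first post are assumed to still exist in the same context. The point worth checking in any such setup is that a `MethodSecurityInterceptor` bean defined on its own wraps nothing: unless a proxy is actually created around the DAO, the ACL filter never runs and every caller silently receives the unfiltered list, which is exactly the symptom in the first post.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

   <!-- Implementation class is assumed; the thread only names the interface dao.ISecureRiskDao. -->
   <bean id="secureRiskDao" class="dao.SecureRiskDaoImpl">
      <!-- Decorating the bean makes the namespace handler build a proxy around it and
           attach a MethodSecurityInterceptor, so the before- and after-invocation checks
           run on every call to the protected method. The interceptor it creates is
           autowired by type, which is how it picks up the afterInvocationManager bean
           (AfterInvocationProviderManager) defined in the first post. -->
      <sec:intercept-methods access-decision-manager-ref="businessAccessDecisionManager">
         <!-- Same attributes as the objectDefinitionSource line in the first post:
              ROLE_USER is required to call the method at all, and the returned
              collection is then filtered by the ACL READ permission. -->
         <sec:protect method="getSecureRisksViewByBU"
                      access="ROLE_USER,AFTER_ACL_COLLECTION_READ"/>
      </sec:intercept-methods>
   </bean>

</beans>
```

A quick sanity check after wiring it this way is that a breakpoint in `MethodSecurityInterceptor` now hits when `getSecureRisksViewByBU` is called, and that a caller holding only ROLE_OTHER no longer sees BusinessUnit#3.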
