
Thread: Method Security

  1. #1


    Hi everyone,

    I'm trying to secure methods. Somehow I can only use this feature on interfaces.
    When I try to secure, for example, a Struts 2 action by adding this in front of the method:
    Code:
    @Secured({"ROLE_ADMIN"})
    I get this exception:
    Code:
    java.lang.NoSuchMethodException: $Proxy36.execute()
    	at java.lang.Class.getMethod(Class.java:1605)
    	at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.getActionMethod(AnnotationValidationInterceptor.java:55)
    	at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:41)
    .........
    These are the configurations I'm using:

    Code:
    <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes"><value>false</value></property>
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>

    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>

    <bean class="org.acegisecurity.intercept.method.aopalliance.MethodDefinitionSourceAdvisor">
        <constructor-arg><ref bean="securityInterceptor"/></constructor-arg>
    </bean>

    <bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
        <property name="attributes">
            <bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/>
        </property>
    </bean>
    I hope someone can help me. Thx in advance, kukudas.

  2. #2

    Hi kukudas,
    you're trying to use the @Secured annotation with Acegi 1.0 instead of Spring Security 2.0. I think this is not possible. Secured annotation is only available since Spring Security 2.0 (unless I missed something ??).

  3. #3


    I'm using Acegi 1.0.5 and it worked when securing methods of an interface, but when it is not an interface I get an exception.

  4. #4

    ok sorry for that, I have just checked Acegi's documentation and it looks like it can work with @Secured on interfaces. I don't know whether it's possible to use it on implementation classes. Sorry I can't help you more on this matter...

    Just one more thing: isn't it possible for you to migrate to Spring Security 2.0? I believe your problem will be solved and ACEGI 1.0 is meant to become deprecated sooner or later...

  5. #5


    Yes, I will probably migrate. I think the problem is that the Struts 2 actions are instantiated before the DefaultAdvisorAutoProxyCreator is.

  6. #6


    Still the same problem after migrating; it has something to do with the proxy.

  7. #7


    If I add this:
    Code:
     <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
    I get this exception:
    Code:
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userDao' defined in ServletContext resource [/WEB-INF/applicationContext.xml]: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: javax/annotation/security/DenyAll
    Caused by: 
    java.lang.NoClassDefFoundError: javax/annotation/security/DenyAll
    	at org.springframework.security.annotation.Jsr250MethodDefinitionSource.processAnnotations(Jsr250MethodDefinitionSource.java:59)
    	at org.springframework.security.annotation.Jsr250MethodDefinitionSource.findAttributes(Jsr250MethodDefinitionSource.java:47)
    	at org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource.computeAttributes(AbstractFallbackMethodDefinitionSource.java:117)
    	at org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource.getAttributes(AbstractFallbackMethodDefinitionSource.java:90)
    	at org.springframework.security.intercept.method.DelegatingMethodDefinitionSource.getAttributes(DelegatingMethodDefinitionSource.java:32)
    	at org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor$MethodDefinitionSourcePointcut.matches(MethodDefinitionSourceAdvisor.java:120)
    	at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:205)
    	at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:244)
    	at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:278)
    	at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:83)
    	at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:66)
    	at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:296)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:313)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1181)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:427)
    	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:249)
    	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:155)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:246)
    	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
    	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:285)
    	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
    	at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
    	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:189)
    	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
    	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)
    	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4216)
    	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    	at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    	at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    	at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    	at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    	at java.lang.reflect.Method.invoke(Method.java:597)
    	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
    Really strange...

  8. #8

    Hi, usually you don't use both secured-annotations and jsr250-annotations attributes.
    You have to choose between them.

    secured-annotations -> @Secured
    jsr250-annotations -> @RolesAllowed

    Which annotations are you using?

    I believe the error you're getting is related to @RolesAllowed. If you're not using it, can you remove jsr250-annotations="true" and see if you still get an error?



  9. #9


    Hi,

    I'm using @Secured and I deleted jsr250-annotations="true".
    Now I can start up without any error, and when I enter a secured area
    I don't get this error with the proxy, but it seems it still does not work because
    I have access to those methods even with not secured roles.
    Edit: is it really enough to just add this:

    <security:global-method-security secured-annotations="enabled"/>
    and with @Secured({"ROLE"}) make the restriction?

    Edit 2: it seems to work on interfaces but not on other classes, hm..


    Edit 3: somehow I referenced the old Acegi libraries. I've updated it now, and now I get the first exception again:
    java.lang.NoSuchMethodException: $Proxy36.execute()

    Sometimes it's even 35 or 37.
    Last edited by kukudas; Jun 19th, 2008 at 09:05 AM.

  10. #10

    I'm not sure the role name you have used is correct. Can you try something more conventional such as ROLE_ADMIN?

    Besides, can you try to put a breakpoint inside the class that holds the @Secured annotation, run in debug mode, and check the type of the instantiated object? It should be using a proxy called $$Proxy1 or something similar. If not, your annotation is not taken into account.

    Also, is your target class (the one that holds the @Secured annotation) declared as a Spring bean? (it has to).

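
Added example (not from any poster, and not Struts or Spring code): a JDK dynamic proxy implements only the target's interfaces, so a reflective `getMethod("execute")` on the proxy class fails with the same kind of `NoSuchMethodException: $ProxyNN.execute()` reported in the thread, while interface methods are found and guarded. `AdminAction`, `Auditable` and `secure()` are hypothetical names, and the role check is a stand-in for a method security interceptor. Requires Java 9+ for `Set.of`.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

public class ProxyLookupDemo {
    // Hypothetical stand-ins for this example; not Struts or Spring types.
    interface Auditable { void audit(); }

    static class AdminAction implements Auditable {
        public String execute() { return "success"; } // declared only on the class
        public void audit() { }                       // declared on the interface
    }

    // Wraps the target in an interface-based proxy that checks a role first.
    static Object secure(Object target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (!callerRoles.contains("ROLE_ADMIN")) {
                throw new SecurityException("access denied: " + method.getName());
            }
            return method.invoke(target, args);
        };
        return Proxy.newProxyInstance(target.getClass().getClassLoader(),
                target.getClass().getInterfaces(), handler);
    }

    public static void main(String[] args) throws Exception {
        Object proxied = secure(new AdminAction(), Set.of("ROLE_USER"));

        // The proxy is a generated $ProxyN class, not a subclass of AdminAction.
        System.out.println(proxied.getClass().getName()
                + " instanceof AdminAction: " + (proxied instanceof AdminAction));

        // Looking up a class-only method on the proxy class fails.
        try {
            proxied.getClass().getMethod("execute");
        } catch (NoSuchMethodException e) {
            System.out.println("NoSuchMethodException: " + e.getMessage());
        }

        // Interface methods exist on the proxy and go through the role check.
        System.out.println("found: " + proxied.getClass().getMethod("audit"));
        try {
            ((Auditable) proxied).audit();
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```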
