
Thread: Spring Security ACL tutorial

  1. #11

    there's something I don't understand in the tutorial concerning roles

    the example uses a RoleVoter
    each principal (logged-in user) will have an authority (=role) which is ROLE_USER or ROLE_CLERK

    why do you need to explicitly create an acl_entry for the SID "ROLE_CLERK"?

    example:
    Code:
        @Secured({"ROLE_CLERK","AFTER_ACL_READ"})
        public Clerk getClerk(long id);
    in this case the RoleVoter will GRANT access, because the principal has ROLE_CLERK.

    so there should be no need to explicitly add a permission for each clerk:
    Code:
        public void setClerkPermissions(Clerk clerk) {
            Sid sid = new PrincipalSid(clerk.getUser().getUsername());
            aclSecurityUtil.addPermission(clerk, sid, BasePermission.ADMINISTRATION, Clerk.class);
        }
    I think this is redundant. What do you think?

    BTW: thanks for the great tutorial

  2. #12
    Join Date
    Oct 2008
    Posts
    10

    I think you are right, but where did you find this code? I looked through the Denksoft tutorial and didn't find anything similar =/

  3. #13

    I looked directly at the source code of the sample application.
    The link to the source code is under Reference [5] of the Tutorial
    see classes:
    • ClerkService: security annotations
    • SecurityServiceImpl: setClerkPermissions() function
    • PublicServiceImpl: will populate the database

  4. #14
    Join Date
    Oct 2008
    Posts
    10

    look closer..
    aclSecurityUtil.addPermission(clerk, sid, BasePermission.ADMINISTRATION, Clerk.class);
    this string adds ADMINISTRATION permission to clerk, not ROLE_CLERK

  5. #15
    Join Date
    Oct 2008
    Posts
    10

    BUG found:

    PostgresqlJdbcMutableAclService.createOrRetrieveClassPrimaryKey(Class, boolean)
    PostgresqlJdbcMutableAclService.createOrRetrieveSidPrimaryKey(Sid, boolean)

    are not thread safe!


    these methods can cause a SQL exception: constraint violation UNIQUE_UK_1
    Code:
        CREATE TABLE ACL_SID (
            id BIGSERIAL NOT NULL PRIMARY KEY,
            principal BOOLEAN NOT NULL,
            sid VARCHAR(100) NOT NULL,
            CONSTRAINT UNIQUE_UK_1 UNIQUE(sid,principal)
        );
    p.s. this code was copy-pasted from the Denksoft blog

  6. #16

    D'oh! I've mixed this up.
    thanks, it's time for the WEEKEND

  7. #17
    Join Date
    Oct 2008
    Posts
    10

    bug fix

    bug with "get or create" fixed with some magic
    look through the file in the attachment

    !!! analogous situation with createOrRetrieveClassPrimaryKey.

    hope it helps
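Added example, not the attached fix and not code from the sample application: one way to make the ACL_SID "get or create" from posts #15 and #17 safe under concurrent callers on PostgreSQL 9.5 or later. The class name `SidKeyDao` and the `(sidName, principal)` signature are assumptions for illustration; the table and constraint are the ones quoted in post #15, and PostgreSQL's default READ COMMITTED isolation level is assumed.

```java
import org.springframework.jdbc.core.JdbcTemplate;

/**
 * Hypothetical helper (added example): race-safe "get or create" for ACL_SID.
 *
 * A plain SELECT-then-INSERT lets two threads both miss the row and both
 * insert, so the loser hits UNIQUE_UK_1. Catching that error and retrying is
 * not enough on PostgreSQL, because the failed INSERT aborts the surrounding
 * transaction and the follow-up SELECT fails too.
 */
public class SidKeyDao {

    // ON CONFLICT turns the duplicate insert into a no-op instead of an
    // error, so the transaction stays usable. Requires PostgreSQL 9.5+.
    private static final String INSERT_IF_ABSENT =
        "INSERT INTO acl_sid (principal, sid) VALUES (?, ?) "
      + "ON CONFLICT (sid, principal) DO NOTHING";

    private static final String SELECT_ID =
        "SELECT id FROM acl_sid WHERE principal = ? AND sid = ?";

    private final JdbcTemplate jdbc;

    public SidKeyDao(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    /**
     * Returns the primary key for (sidName, principal), creating the row
     * first if no caller has created it yet.
     */
    public long createOrRetrieveSidPrimaryKey(String sidName, boolean principal) {
        // If a concurrent transaction is inserting the same key, this
        // statement waits for it to commit or roll back, then either skips
        // the insert or performs it.
        jdbc.update(INSERT_IF_ABSENT, principal, sidName);

        // Under READ COMMITTED this statement sees the row whichever caller
        // committed it. Under REPEATABLE READ or SERIALIZABLE the snapshot
        // may predate the other commit, and queryForObject would throw
        // EmptyResultDataAccessException; retry in a new transaction there.
        return jdbc.queryForObject(SELECT_ID, Long.class, principal, sidName);
    }
}
```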

  8. #18
    Join Date
    Jun 2006
    Posts
    25

    Need Help Getting This To Run

    I'm having a lot of trouble getting this to run. Can anyone give me a .war file or instructions on getting this going?

    In general it seems like files and directories are missing, in the wrong location or misnamed. For example:
    1. There is no /app directory. I assume that’s really the /jsp directory. Also, the /jsp directory is under WEB-INF???
    2. The login screen is in /resources not /.
    3. There is no index.task file anywhere. I assume that’s really index.jsp???

    I don’t see where any of these issues are resolved in the various xml/config files. But I’m new to Spring. Anyway, a .war file would make the set up easy.

    Thanks!

  9. #19
    Join Date
    Oct 2008
    Posts
    10

    you can find example on denksoft site.
    here is direct link

  10. #20
    Join Date
    Jun 2006
    Posts
    25

    Quote: Originally Posted by dart
    you can find example on denksoft site.
    here is direct link
    That's what I'm having trouble getting to work. I'm sure I'm doing something wrong with the installation, but I don't know what it could be. I'd think besides setting up the database, all I'd have to do is unzip it and drop it into my tomcat webapps directory. But it doesn't work for me. Besides the things I listed above, here's one problem I have.

    If I go to:
    http://localhost:8080/SpringStarter/resources/login.jsp
    and click submit, I get:
    HTTP Status 404 - /SpringStarter/login.jsp

    Any ideas what I could be doing wrong? Is there something else I need to do to get the app installed properly?

    Thanks for the help.
