
Thread: Run-as configuration via namespace?

  1. #1
    Join Date
    Nov 2008
    Location
    Dallas, TX
    Posts
    16

    Run-as configuration via namespace?

    I've been searching the forum and Google and haven't found an answer for how to configure Run-As Authentication Replacement with the namespace configuration or if it's possible.

    I've followed the configuration outlined in section 20.2 of the reference guide, but my runAsManager isn't overriding the NullRunAsManager that is instantiated by default in AbstractSecurityInterceptor. Therefore my authentication is never replaced.

    Also, I'm using the @Secured annotation for securing my method with "RUN_AS_XYZ".

    Anyone encountered this? Thank you!

  2. #2
    Join Date
    Nov 2008
    Posts
    5


    Hey aharris,
    I have the same problem.
    Did you fix it, or did you find a good sample?

    My application context looks as follows:


    Code:
    <security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
          class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

    <security:authentication-manager alias="authenticationManager"/>

    <bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
        <property name="key" value="my_run_as_password"/>
    </bean>

    <bean id="runAsAuthenticationProvider"
          class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
        <property name="key" value="my_run_as_password"/>
    </bean>

    <bean id="springbean" class="com.tmp.dev.evaluation.clientbean.SpringbeanImpl"></bean>

    In the bean I use the annotation

    @Secured({"ROLE_PATIENT_MANAGER", "RUN_AS_SUPERUSER" })


    Here is my security log:

    Code:
    2009-03-16 13:09:10,102 INFO  [p: thread-pool-1; w: 12] org.springframework.security.intercept.AbstractSecurityInterceptor: Validated configuration attributes
    2009-03-16 13:09:10,133 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.dev.evaluation.clientbean.SpringbeanImpl; public abstract java.lang.String com.tmp.dev.evaluation.clientbean.Springbean.print2()]] with attribute [[ROLE_PATIENT_MANAGER]]
    2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.dev.evaluation.clientbean.SpringbeanImpl; public abstract java.lang.String com.tmp.dev.evaluation.clientbean.Springbean.callWs()]] with attribute [[RUN_AS_SUPERUSER, ROLE_PATIENT_MANAGER]]
    2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract java.lang.String com.tmp.dev.evaluation.clientbean.Springbean.callWs(); target is of class [com.tmp.dev.evaluation.clientbean.SpringbeanImpl]; ConfigAttributes: [RUN_AS_SUPERUSER, ROLE_PATIENT_MANAGER]
    2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@80e23133: Principal: com.tmp.security.UserDetailsImpl@1f60800: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR
    2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.AbstractSecurityInterceptor: Authorization successful
    2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] org.springframework.security.intercept.AbstractSecurityInterceptor: RunAsManager did not change Authentication object

    Looks like the annotation is ignored.

    Thanks

    Philipp

  3. #3
    Join Date
    Nov 2008
    Location
    Dallas, TX
    Posts
    16

    filed a bug: SEC-1118

    Hi Philipp,

    Looking at your log file, I don't believe the problem is with your annotation, but rather with your configuration. You have two beans for creating the Run-As-Manager, but I don't believe they are actually getting hooked into the AbstractSecurityInterceptor that's being created by your <security:global-method-security> configuration.

    The reason I say this is because the log message "RunAsManager did not change Authentication object" comes directly from AbstractSecurityInterceptor when it is using the default NullRunAsManager. This would indicate to me that your two beans aren't participating.

    I've filed a bug (SEC-1118) asking for namespace-configuration support for run-as. No comments on the bug yet from Spring Security team.

    For me, I did achieve getting Run-As configured and semi-working through traditional Spring bean fashion, but it won't work with the namespace configuration "<security:global-method-security>" (I had to comment it out). The final problem for me was that some of my other secured methods were no longer working. So, I've abandoned Run-As and just gone a completely different direction.

    Here's the configuration that partially worked for me, some of which was taken from the "annotations" sample. YMMV.

    Code:
    <bean id="objectDefinitionSource"
          class="org.springframework.security.annotation.SecuredMethodDefinitionSource" />

    <bean id="securityInterceptor"
          class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes" value="false"/>
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="runAsManager" ref="runAsManager" />
        <property name="objectDefinitionSource" ref="objectDefinitionSource" />
    </bean>

    <bean id="autoproxy" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
    </bean>

    <bean id="methodSecurityAdvisor"
          class="org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor"
          autowire="constructor">
    </bean>

    <bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
        <property name="key" value="run_as_password" />
    </bean>

    <bean id="runAsAuthenticationProvider"
          class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
        <property name="key" value="run_as_password" />
    </bean>

    regards,
    Adam

  4. #4
    Join Date
    Nov 2008
    Posts
    5


    Hey Adam,
    got run_as and the secured annotations working with your sample, thx! I had to do some mods because I do the authentication in EJB and I use a converter that transfers the EJB/JAAS UserDetails into the SecurityContextHolder of Spring.

    Code:
    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    </bean>

    <bean id="preAuthenticatedUserDetailsService"
          class="org.springframework.security.providers.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />

    <bean id="accessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
        <property name="allowIfAllAbstainDecisions" value="false"/>
        <property name="decisionVoters">
            <list><bean class="org.springframework.security.vote.RoleVoter"/></list>
        </property>
    </bean>

    <bean id="objectDefinitionSource"
          class="org.springframework.security.annotation.SecuredMethodDefinitionSource" />

    <bean id="securityInterceptor"
          class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
        <property name="validateConfigAttributes" value="false"/>
        <property name="authenticationManager" ref="_authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="runAsManager" ref="runAsManager" />
        <property name="objectDefinitionSource" ref="objectDefinitionSource" />
    </bean>

    <bean id="autoproxy"
          class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
    </bean>

    <bean id="methodSecurityAdvisor"
          class="org.springframework.security.intercept.method.aopalliance.MethodDefinitionSourceAdvisor" autowire="constructor">
    </bean>

    <bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
        <property name="key" value="run_as_password" />
    </bean>

    <bean id="runAsAuthenticationProvider"
          class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
        <property name="key" value="run_as_password" />
    </bean>

    <bean id="springbean"
          class="com.tmp.dev.evaluation.clientbean.SpringbeanImpl">
    </bean>

    Security.log
    Code:
    2009-03-17 15:39:32,350 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.dev.evaluation.clientbean.SpringbeanImpl; public java.lang.String com.tmp.dev.evaluation.clientbean.SpringbeanImpl.print2()]] with attribute [[ROLE_PATIENT_MANAGER]]
    2009-03-17 15:39:37,865 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.method.AbstractFallbackMethodDefinitionSource: Adding security method [CacheKey[com.tmp.dev.evaluation.clientbean.SpringbeanImpl; public abstract java.lang.String com.tmp.dev.evaluation.clientbean.Springbean.callWs()]] with attribute [[RUN_AS_SERVER_IN_CLIENT, ROLE_PATIENT_MANAGER]]
    2009-03-17 15:39:37,881 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Secure object: ReflectiveMethodInvocation: public abstract java.lang.String com.tmp.dev.evaluation.clientbean.Springbean.callWs(); target is of class [com.tmp.dev.evaluation.clientbean.SpringbeanImpl]; ConfigAttributes: [RUN_AS_SERVER_IN_CLIENT, ROLE_PATIENT_MANAGER]
    2009-03-17 15:39:37,881 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Previously Authenticated: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken@80e23133: Principal: com.tmp.security.UserDetailsImpl@1f60800: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR
    2009-03-17 15:39:37,881 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Authorization successful
    2009-03-17 15:39:37,897 DEBUG [p: thread-pool-1; w: 3] org.springframework.security.intercept.AbstractSecurityInterceptor: Switching to RunAs Authentication: org.springframework.security.runas.RunAsUserToken@665a74ca: Principal: com.tmp.security.UserDetailsImpl@1f60800: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR; Password: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: ROLE_RUN_AS_SERVER_IN_CLIENT, ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR; Original Class: org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationToken

    Now the Security.log looks fine: "Switching to RunAs Authentication".
    Next step for me is that I have to do a converter that passes the run_as information back to the EJB which calls the Springbean.

    I'll keep monitoring the ticket you opened; maybe it will make a smaller XML config possible.

    thx again


    Philipp
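
The check described in post #3 (did the interceptor's RunAsManager act on a `RUN_AS_` attribute, or did the default one leave the token unchanged?) can be run over the interceptor's DEBUG log. This is an added example, not code from any poster or from Spring Security; the function name `audit_run_as` and its status labels are assumptions, and the sample lines are constructed by abbreviating the two Security.log excerpts in this thread.

```python
import re

PFX = "org.springframework.security.intercept.AbstractSecurityInterceptor: "
CALL = ("Secure object: ReflectiveMethodInvocation: public abstract java.lang.String "
        "com.tmp.dev.evaluation.clientbean.Springbean.callWs(); target is of class "
        "[com.tmp.dev.evaluation.clientbean.SpringbeanImpl]; ConfigAttributes: ")
# Constructed sample: the two logs from this thread, abbreviated (principal details dropped).
SAMPLE_LOG = "\n".join([
    "2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] " + PFX + CALL
    + "[RUN_AS_SUPERUSER, ROLE_PATIENT_MANAGER]",
    "2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] " + PFX + "Authorization successful",
    "2009-03-16 13:09:10,180 DEBUG [p: thread-pool-1; w: 12] " + PFX
    + "RunAsManager did not change Authentication object",
    "2009-03-17 15:39:37,881 DEBUG [p: thread-pool-1; w: 3] " + PFX + CALL
    + "[RUN_AS_SERVER_IN_CLIENT, ROLE_PATIENT_MANAGER]",
    "2009-03-17 15:39:37,897 DEBUG [p: thread-pool-1; w: 3] " + PFX
    + "Switching to RunAs Authentication: org.springframework.security.runas.RunAsUserToken@665a74ca: "
    + "Granted Authorities: ROLE_RUN_AS_SERVER_IN_CLIENT, ROLE_PATIENT_MANAGER, ROLE_PATIENT_PROCESSOR",
])

SECURE = re.compile(r"\[(?P<thread>p: [^\]]+)\] \S*AbstractSecurityInterceptor: Secure object: "
                    r".*?(?P<method>[\w.]+\([^)]*\)); .*ConfigAttributes: \[(?P<attrs>[^\]]*)\]")
OUTCOME = re.compile(r"\[(?P<thread>p: [^\]]+)\] \S*AbstractSecurityInterceptor: "
                     r"(?P<what>RunAsManager did not change|Switching to RunAs)(?P<rest>.*)")

def audit_run_as(log_text):
    """Return (method, run_as_attrs, status) for each secured call that requested RUN_AS_*."""
    pending, findings = {}, []          # pending: worker thread -> call awaiting its outcome
    for line in log_text.splitlines():
        m = SECURE.search(line)
        if m:
            attrs = [a.strip() for a in m["attrs"].split(",")]
            pending[m["thread"]] = (m["method"], [a for a in attrs if a.startswith("RUN_AS_")])
            continue
        m = OUTCOME.search(line)
        if not m or m["thread"] not in pending:
            continue
        method, run_as = pending.pop(m["thread"])
        if not run_as:
            continue                    # no run-as requested, an unchanged token is expected
        if m["what"].startswith("Switching"):
            # In the working log each RUN_AS_X shows up as authority ROLE_RUN_AS_X.
            missing = [a for a in run_as if "ROLE_" + a not in m["rest"]]
            status = "replaced" if not missing else "missing:" + ",".join(missing)
        else:
            status = "RUN_AS_IGNORED"   # attribute present but no run-as manager acted on it
        findings.append((method, run_as, status))
    return findings

if __name__ == "__main__":
    for finding in audit_run_as(SAMPLE_LOG):
        print(finding)
```

A `RUN_AS_IGNORED` finding means the method ran with the caller's original authorities, which is the symptom both posters saw with `<security:global-method-security>`.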
