Thread: Spring Authentication With DWR

  1. #31
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    I'm already protecting method calls (we started the thread from there).
    The point is that I don't want to ask for permission to use it, but to ask 'if I ask permission, would you let me?'.
    The difference is that it should not trigger any event.

    Regards,

  2. #32
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    What we should do is to call the AccessDecisionManager decide method with a

    - ConfigAttributeDefinition object ,
    - authentication defined in securityContext ,
    - object comes from the query (this is the one we have to define),
    - ConfigAttributeDefinition config

    How will we fill all this?
    I have been doing some research, and we have to go deep into the reflection API and the AOP part... (I'm really a newbie here, but we will figure it out!).

    Regards,

  3. #33
    Join Date
    Feb 2008
    Posts
    110

    AK - I get it ...Finally

    I'm pretty new to that as well. It would be nice if the AccessDecisionManager had something like:

    AccessDecisionManager.isCallable(/*String*/ qualifiedClassName, /*String*/ methodName);

    So the AccessDecisionManager would look up the roles the principal has, and for each role test to see whether the role is allowed to call the method.

    Or we could just implement it like that by creating a Map<role, Set<methods>> and then seeing whether the method is in the set returned per role.

    I'll open another thread and see whether Spring has something like this as part of the AccessDecisionManager API, unless you already know or have a different idea?

  4. #34
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    Not even a clue!!!
    Just ask! I will keep looking into it.
    I think that we have to craft an object with the request, and just skip the hard parts for a start (like parameters and extensibility).
    You can write to the DWR mailing list to notify our achievements!
    Regards,

  5. #35
    Join Date
    Feb 2008
    Posts
    110

    Hmm...Shoot you're right - we need to think about method argument types.

    I guess we need to pass:
    - className
    - methodName
    - argTypes

    And look up the method.

    I guess for each method we could construct a string using the class name, argumentTypes, and method name like this:

    className: com.example.ServiceClass
    methodName: specialService
    sequencedArgumentType: Map(<String, Set<String, int>), String, int

    And the qualified name of the method would be

    com.example.ServiceClass + "." + specialService + "." + Map(<String, Set<String, int>)Stringint

    Or something like that...
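
An added example, not code from either poster and not Spring or DWR API: a side-effect-free "would you let me?" lookup along the lines sketched in posts #33 and #35, using a role-to-method-set map whose keys combine class name, method name and ordered argument types. The names CallablePolicy, ServiceClass and the role strings are hypothetical and constructed for illustration.

```java
import java.lang.reflect.Method;
import java.util.*;

/** Hypothetical helper: answers "would this call be allowed?" without invoking anything. */
public class CallablePolicy {
    private final Map<String, Set<String>> allowedByRole = new HashMap<>();

    // Key = class + method + ordered parameter types, so overloads get distinct entries.
    // Generic arguments are erased at runtime: Map<String, Set<String>> is keyed as java.util.Map.
    static String key(Class<?> type, String methodName, Class<?>... argTypes) {
        StringBuilder sb = new StringBuilder(type.getName()).append('.').append(methodName).append('(');
        for (int i = 0; i < argTypes.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(argTypes[i].getName());
        }
        return sb.append(')').toString();
    }

    // Resolves the method by reflection first, so a rule naming a non-existent method fails at setup.
    public void allow(String role, Class<?> type, String methodName, Class<?>... argTypes)
            throws NoSuchMethodException {
        Method m = type.getMethod(methodName, argTypes);
        allowedByRole.computeIfAbsent(role, r -> new HashSet<>())
                     .add(key(type, m.getName(), m.getParameterTypes()));
    }

    // Deny by default: an unknown role or an unlisted method key yields false.
    public boolean isCallable(Collection<String> roles, Class<?> type,
                              String methodName, Class<?>... argTypes) {
        String k = key(type, methodName, argTypes);
        for (String role : roles) {
            Set<String> methods = allowedByRole.get(role);
            if (methods != null && methods.contains(k)) return true;
        }
        return false;
    }

    // Constructed sample service standing in for a remoted bean.
    public static class ServiceClass {
        public String specialService(Map<String, Set<String>> m, String s, int i) { return s; }
        public String specialService(String s) { return s; }
    }

    public static void main(String[] args) throws Exception {
        CallablePolicy p = new CallablePolicy();
        p.allow("ROLE_USER", ServiceClass.class, "specialService", String.class);
        p.allow("ROLE_ADMIN", ServiceClass.class, "specialService", Map.class, String.class, int.class);
        List<String> user = Arrays.asList("ROLE_USER");
        System.out.println(p.isCallable(user, ServiceClass.class, "specialService", String.class));
        System.out.println(p.isCallable(user, ServiceClass.class, "specialService", Map.class, String.class, int.class));
    }
}
```

A lookup like this only answers the question for display purposes; the protected method calls mentioned in post #31 remain the enforcement point.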

  6. #36
    Join Date
    Feb 2008
    Posts
    110

    OK - I asked about isCallable here:
    http://forum.springsource.org/showth...022#post245022

  7. #37
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    Hi!
    They have already implemented something like this!!!
    http://jira.springframework.org/browse/SEC-18
    http://forum.springsource.org/showth...isionManager

    It is already implemented in org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator

    Code:
    public boolean isAllowed(MethodInvocation mi, Authentication authentication)

    And to build the MethodInvocation object there is a utility class called org.acegisecurity.util.MethodInvocationUtils that has some methods for that, like

    Code:
    MethodInvocation create(Object object, String methodName)

    We just have to do the mapping from the JavaScript object to the Spring instance from DWR.
    I'm looking into it,

    Regards,

  8. #38
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    Quote: Originally posted by nickar
    Hi!
    They have already implemented something like this!!!
    http://jira.springframework.org/browse/SEC-18
    http://forum.springsource.org/showth...isionManager

    It is already implemented in org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator

    Code:
    public boolean isAllowed(MethodInvocation mi, Authentication authentication)

    And to build the MethodInvocation object there is a utility class called org.acegisecurity.util.MethodInvocationUtils that has some methods for that, like

    Code:
    MethodInvocation create(Object object, String methodName)

    We just have to do the mapping from the JavaScript object to the Spring instance from DWR.
    I'm looking into it,

    Regards,

    Soooo..., I've found what we were looking for.

    Code:
    // Sketch: the declared types inside the calls mark which argument goes where.
    org.directwebremoting.Container ct = org.directwebremoting.ServerContext.get(javax.servlet.ServletContext ctx);
    Object obj = ct.getBean(String jsObjName);

    MethodInvocation mi = org.acegisecurity.util.MethodInvocationUtils.create(obj, methodName);

    return org.acegisecurity.intercept.method.MethodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);

    I haven't tested it, but I think it seems right!
    I'll test this.
    Regards,

  9. #39
    Join Date
    Feb 2008
    Posts
    110

    That rocks! I was up until 3 a.m. playing with reflection and attempting an algorithm to understand how it could work. Thank God we don't need to go down that route!

  10. #40
    Join Date
    Jun 2009
    Location
    Bahia Blanca, Buenos Aires, Argentina
    Posts
    63

    Quote: Originally posted by ole.ersoy
    That rocks! I was up until 3 a.m. playing with reflection and attempting an algorithm to understand how it could work. Thank God we don't need to go down that route!

    I'm almost there.
    Check this out:

    Code:
        public boolean isCallable(String jsBeanName, String methodName) {
            // Identity of the current caller, taken from the security context
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            // Map the JavaScript object name to the server-side bean held by DWR
            Container ct = ServerContextFactory.get(null).getContainer();
            Object obj = ct.getBean(jsBeanName);

            MethodInvocation mi = MethodInvocationUtils.create(obj, methodName);

            // Open problem (see below): isAllowed is not static, so this call needs an evaluator instance
            return MethodInvocationPrivilegeEvaluator.isAllowed(mi, authentication);
        }

    The only thing that is not working is MethodInvocationPrivilegeEvaluator: its methods are not static, so I have to get an instance of this object from somewhere (I guess from the Spring configuration).

    Let's finish with this!!!

    Regards,
