@Secured working... sometimes

**Hamb** · Jun 8th, 2009, 01:40 PM

Hi Spring Sec experts,

currently I'm working on a Spring Application using Spring Security and we try to implement the annotation based approach and ACL.

But, to be honest, I think I'm too stupid to get the annotations running correctly.

Let me say it clearly:

The following class is secured with @Secured and here the @Secured annotation works.

Code:

@Transactional
@Secured({"ROLE_ADMIN", "ACL_TPOSTIT_ACCEPT"})
public class TUserDaoImpl extends AbstractDao<TUser> implements TUserDao {

	...

}

The following class is also Secured, but the @Secured anbnotation won't work at all. We even tracked down to the SecuredMethodDefinitionSource.class to see, that the annotation is not being processed at this class (but with TUserDaoImpl the annotation is processed!)

Code:

@Secured({"ROLE_ADMIN", "ACL_TPOSTIT_ACCEPT"})
@Transactional
public class PostitService implements PostitServiceInterface {

	...
	
	}

Okay, we've split the config into several files and include those through a central config:

web-aaplication-config.xml:

Code:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-2.5.xsd">

 <!-- Activates annotation-based bean configuration -->
	<context:annotation-config />
	<context:component-scan base-package="com.test.controller" />


	<!-- Imports the configurations of the different infrastructure systems of the application -->
	<import resource="dao.xml" />
	<import resource="data-access-config.xml" />
	<import resource="security-config.xml" />
	<import resource="dwr-config.xml" />
</beans>

In dao.xml we define all DAOs, so nothing special in there, as well as in dwr-config.xml

But here is the data-access-config.xml:

<context:component-scan base-package="com.test.controller"/>


<tx:annotation-driven />

<aop:aspectj-autoproxy />

<bean class="org.springframework.web.servlet.mvc.annotat ion.DefaultAnnotationHandlerMapping"/>
<bean class="org.springframework.web.servlet.mvc.annotat ion.AnnotationMethodHandlerAdapter"/>

<bean id="dataSource"
...
</bean>

<bean id="redisDS"
...
</bean>

<bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotati on.AnnotationSessionFactoryBean">
...
<property name="annotatedClasses">
<list>
<value>entities.MAnswerPrice</value>
<value>entities.MAnswerService</value>
... (All annoated entities)
</list>
</property>
<property name="dataSource" ref="dataSource" />
</bean>

<bean id="transactionManager" class="org.springframework.orm.hibernate3.Hibernat eTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>

<bean id="masterExHandler" class="errorhandling.exceptions.MasterExceptionHan dler" />
</beans>

Okay, and here spring-security.xml:

Code:

	
	<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
		<property name="filterInvocationDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
			</value>
		</property>	
	</bean>

	
	
	<!-- enable Annotations -->
	<security:global-method-security secured-annotations="enabled" access-decision-manager-ref="businessAccessDecisionManager"/>

	<security:http auto-config="true">
			<!-- 
				login-page: That's the place where the user is taken when he is not logged in but the section of the page needs authentication; example: login-page="/Login.htm" 
			 -->
			<security:form-login login-page="/login.vev" authentication-failure-url="/login.vev?login_error=true" default-target-url="/app/default.vev"	login-processing-url="/j_spring_security_check"/> 
			<security:logout invalidate-session="true" logout-url="/j_spring_logout" logout-success-url="/?logout=true"/>
			<security:intercept-url pattern="/app/**" access="ROLE_USER, ROLE_MASTER_ADMIN, ROLE_ADMIN" />
			<!--  <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN, ROLE_SUPPORT" /> -->
			
		</security:http>

<bean id="PostitService" class="security.PostitService"></bean>

	<bean id="formAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
		<property name="defaultTargetUrl">
			<value>/app/default.vev</value>
		</property>
		
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
	</bean>
	
	<bean id="userDetails" class="security.VeventionUserDetailService" /> 
    
	<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <!-- org.springframework.security.providers.dao.DaoAuthenticationProvider -->
		<security:custom-authentication-provider/>
	 	<property name="userDetailsService" ref="userDetails" />
	 	<!-- <property name="saltSource" ref="salt" />-->
	 	<property name="passwordEncoder" ref="encoder"/>
	 	<property name="userCache">
			<bean class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
				<property name="cache" ref="ehcache" />
			</bean>
		</property>
	</bean>
	
	<bean id="encoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder" />
	<bean id="salt" class="org.springframework.security.providers.dao.salt.SystemWideSaltSource">
		<property name="systemWideSalt" value="mySalt" />
	</bean>

	<bean id="ehcache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
		<property name="cacheManager" ref="cacheManager" />
		<property name="cacheName" value="userCache" />
	</bean>
	
	<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
		<property name="configLocation" value="/WEB-INF/config/ehcache.xml" />
	</bean>
		
	<bean id="httpSessionContextIntegrationFilter"
		class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />

	<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<ref bean="formLoginAuthenticationEntryPoint" />
		</property>
	</bean>

	 <bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager">
			<ref bean="authenticationManager" />
		</property>
		<property name="accessDecisionManager">
			<ref bean="accessDecisionManager" />
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				
				PATTERN_TYPE_APACHE_ANT
			</value>
		</property> 
	</bean>


	<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
	  <property name="providers">
	    <list>
	      <ref local="daoAuthenticationProvider" />
	    </list>
	  </property>
	</bean>
	
	<!-- accessDecisionManager for HTTP -->
	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="true"/>
		<property name="decisionVoters">
			<list>
				<ref bean="roleVoter" />
			</list>
		</property>
	</bean>
	
	<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter" />

	<!-- ACL Decision Manager -->
	<bean id="businessAccessDecisionManager" class="org.springframework.security.vote.UnanimousBased">
	   <property name="allowIfAllAbstainDecisions" value="false"/>
	   <property name="decisionVoters">
	       <list>
	           <ref local="aclReportAcceptVoter"/>        
	       </list>
	   </property>
	</bean>

	<!-- An access decision voter that reads ACL_TPOSTIT_ACCEPT configuration settings -->
	<bean id="aclReportAcceptVoter" class="org.springframework.security.vote.AclEntryVoter">
		<constructor-arg ref="aclService"/>
		<constructor-arg value="ACL_TPOSTIT_ACCEPT"/>
		<constructor-arg>
		 <list>
		   <util:constant id="acceptPermission" static-field="security.ExtendedPermission.ACCEPT"/>
		 </list>
		</constructor-arg>
		<property name="internalMethod" value="getUser"/>
		<property name="objectIdentityRetrievalStrategy">
		    <bean class="security.UserNameRetrievalStrategy"/>
		</property>
		<property name="processDomainObjectClass" value="security.PostitService"/>
		
	</bean>

	<bean id="aclService" class="security.InMemoryAclServiceImpl"/>


		
	<bean id="formLoginAuthenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
		<property name="loginFormUrl">
			<value>/Start.htm?t=1</value>
		</property>
		<property name="forceHttps">
			<value>false</value>
		</property>
	</bean>
</beans>

So, I hope someone can tell me, why my TUserDaoImpl gets an annotation assigned and why my Service class not.

So, hope that I gave you all information you need!

Kind regards :-)

**Hamb** · Jun 10th, 2009, 03:13 AM

After banging my head against the screen several nights I finally found out was happening: I instantiated the bean by myself :-D A beginner's mistake, it took me days to found out and I'll never do that again - I promised myself!

**hivie** · Jul 6th, 2009, 12:34 PM

Thanks HAMB you saved me from another two days of trying to get the annotations workinh.

Thread: @Secured working... sometimes

Thread Tools

Display

@Secured working... sometimes

Posting Permissions