
Thread: Protected methods don't seem really protected

  1. #1
    Join Date
    Jun 2009
    Posts
    17

    Protected methods don't seem really protected

    Hello everybody!
    I'm a newbie in Spring Security. The documentation says I can protect methods of every bean I want.

    Like this:

    HTML Code:
    <bean:bean id="target" class="com.mycompany.myapp.MyBean">
        <intercept-methods>
            <protect method="set*" access="ROLE_ADMIN" />
            <protect method="get*" access="ROLE_ADMIN,ROLE_USER" />
            <protect method="doSomething" access="ROLE_USER" />
        </intercept-methods>
    </bean:bean>
    I'm trying to protect only one method of only one bean.

    First I put the following in my applicationContext.xml:

    HTML Code:
    <bean id="budget" class="wapapers.budget.model.Budget"/>
    Then I put the following in applicationContext-security.xml:

    HTML Code:
    <global-method-security/>
             
            <beans:bean id="target" class="wapapers.budget.model.Budget">
                <intercept-methods>
                    <protect method="deletePosition" access="ROLE_SUPERVISOR" />
                </intercept-methods>
            </beans:bean>
    Now when I start my app, I can understand that it's clear to Spring what I want:

    HTML Code:
    2009-09-10 18:09:02,703 INFO [org.springframework.security.intercept.method.MapBasedMethodDefinitionSource] - Adding secure method [RegisteredMethod[wapapers.budget.model.Budget; public void wapapers.budget.model.Budget.deletePosition(wapapers.budget.model.BudgetPos)]] with attributes [[ROLE_SUPERVISOR]]
    But the application still allows every ROLE to execute this method.

    What's wrong?

    Thank you

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,630

    You have 2 instances of your Bucket, 1 is protected, the other isn't. You must add the intercept stuff to the object you want to protect, not some additional object.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3
    Join Date
    Jun 2009
    Posts
    17

    What intercept stuff do I need?

    Marten! Please tell me a little bit more about the
    intercept stuff
    I have a feeling I must place some additional Spring beans in my configuration, but can't find what beans.

    Maybe you have samples or resources to read about the subject. The documentation distributed with the Spring Security distribution is too short.

    Thank you

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,630

    I have a feeling I must place some additional Spring beans in my configuration, but can't find what beans.
    You don't need additional beans. You just don't configure 2 beans, 1 with and 1 without security configuration.
    Marten Deinum

  5. #5
    Join Date
    Jun 2009
    Posts
    17

    Marten! Thank you for the quick answer.
    I followed your instructions and now I have only one entry in security-applicationContext.xml

    HTML Code:
    <global-method-security/>
             
            <beans:bean id="budget" class="wapapers.budget.model.Budget">
                <intercept-methods>
                    <protect method="deletePosition" access="ROLE_SUPERVISOR" />
                </intercept-methods>
            </beans:bean>
    The debug messages say that Spring understands the restrictions:

    HTML Code:
    2009-09-11 10:59:24,031 INFO [Adding secure method [RegisteredMethod[wapapers.budget.model.Budget; public void
    wapapers.budget.model.Budget.deletePosition
    (wapapers.budget.model.BudgetPos)]]
    with attributes [[ROLE_SUPERVISOR]]
    But I still have the same behavior. Everyone can execute the secured method.

    You told me about intercept stuff. Maybe I need an interceptor?

    P.S. If you'd like we can contact in ICQ 327-970-467

  6. #6
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,630

    You told me about intercept stuff. Maybe I need an interceptor?
    No, you don't.

    I assume you have Spring Security (login etc.) set up correctly? If not, your settings are useless.

    I wasn't mentioning 1 entry in the security stuff, I was mentioning 1 instance in your WHOLE application.
    Marten Deinum

  7. #7
    Join Date
    Jun 2009
    Posts
    17

    Ok. I have one instance of my unfortunate bean. Spring knows about it from
    security-applicationContext (maybe it's the wrong place).

    While starting the application I have the standard Spring Security login page.
    I know that I am authorised when logged in.

    I made two logins - one has role ROLE_USER and the other ROLE_SUPERVISOR.

    The unlucky method deletePosition is not secured for both roles.

    Maybe I should publish all my config files?

  8. #8
    Join Date
    Jun 2007
    Location
    Minsk, Belarus
    Posts
    217

    wapapers.budget.model.Budget - is it a domain model object? How is it instantiated in the application? Is it read from the database?

  9. #9
    Join Date
    Jun 2009
    Posts
    17

    Yes. It is a database object. But it contains a method which I want to be secured. To be honest I must make it clear - I took the very first bean to make sure the Spring Security documentation is true - I can secure every method of every bean.

    Now, after your question I have a doubt... Maybe there are some differences when securing database object methods and different kinds of managers or controllers?

    Tell me please, Andrei!

  10. #10
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,630

    You cannot secure objects from a database in that way, you can only secure beans that are used and obtained from the ApplicationContext.
    Marten Deinum
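
The point made in the reply above, as an added example that is not part of the original thread: method security is enforced by a proxy wrapped around the bean the container hands out, so an instance created any other way (for example by the persistence layer) is never intercepted. The sketch uses a plain JDK dynamic proxy as a stand-in for Spring Security's interceptor; `PositionService`, `secure` and the simplified `Budget` class are hypothetical names.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

public class ProxyBypassDemo {
    // Hypothetical interface for the thread's Budget class.
    interface PositionService { String deletePosition(int id); }

    static class Budget implements PositionService {
        public String deletePosition(int id) { return "deleted " + id; }
    }

    // Stand-in for the security interceptor: checks the caller's roles
    // before delegating to the real object.
    static PositionService secure(PositionService target, Set<String> callerRoles) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("deletePosition")
                    && !callerRoles.contains("ROLE_SUPERVISOR")) {
                throw new SecurityException("Access is denied");
            }
            return method.invoke(target, args);
        };
        return (PositionService) Proxy.newProxyInstance(
                PositionService.class.getClassLoader(),
                new Class<?>[] { PositionService.class }, handler);
    }

    public static void main(String[] args) {
        Set<String> userRoles = Set.of("ROLE_USER"); // constructed sample caller

        // 1. Bean obtained from the container: the caller holds the proxy,
        //    so the role check runs and the call is rejected.
        PositionService fromContext = secure(new Budget(), userRoles);
        try {
            fromContext.deletePosition(1);
        } catch (SecurityException e) {
            System.out.println("container bean: " + e.getMessage());
        }

        // 2. Instance created outside the container (e.g. loaded from the
        //    database): there is no proxy, so no check runs at all.
        PositionService fromDatabase = new Budget();
        System.out.println("database object: " + fromDatabase.deletePosition(1));
    }
}
```

In a Spring application the check therefore belongs on a container-managed bean (a manager or service) that callers obtain from the ApplicationContext.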
