
Thread: AOP Interceptors and Principals

  1. #1
    Join Date
    May 2009
    Posts
    4

    Default AOP Interceptors and Principals

    Hi,

    I'm trying to migrate an application using EJB 2.1 to Spring. In the old
    version, I have an EJB Dispatcher that audits the application. I'm developing a Spring
    AOP Interceptor to do something similar, but I don't know how to obtain the user
    principal in a simple manner.

    Using Acegi or a web filter that puts the user in the current thread would be a
    solution. Is there a simpler manner to do this?

    Thanks

  2. #2


    Hi ,

    You can use HttpServletRequest's getUserPrincipal() for your above problem.

    You can define a filter where you get a reference to the request object, and then from that request object you can query getUserPrincipal().

    Refer to the example below.

    Example:

    The following example depicts a Web application or servlet using the programmatic security model. The following example is one usage and not necessarily the only usage of the programmatic security model. The application can use the information returned by the getUserPrincipal(), isUserInRole() and getRemoteUser() methods in any other way that is meaningful to that application. Using the declarative security model whenever possible is strongly recommended.


    File : HelloServlet.java

    public class HelloServlet extends javax.servlet.http.HttpServlet {

        public void doPost(
                javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException, java.io.IOException {
        }

        public void doGet(
                javax.servlet.http.HttpServletRequest request,
                javax.servlet.http.HttpServletResponse response)
                throws javax.servlet.ServletException, java.io.IOException {

            String s = "Hello";

            // get remote user using getUserPrincipal(); null when the container
            // has not authenticated this request
            java.security.Principal principal = request.getUserPrincipal();
            String remoteUserName = "";
            if (principal != null)
                remoteUserName = principal.getName();

            // get remote user using getRemoteUser() (same name as above,
            // or null if unauthenticated)
            String remoteUser = request.getRemoteUser();

            // check if remote user is granted the Mgr role (resolved through
            // the security-role-ref declared in web.xml)
            boolean isMgr = request.isUserInRole("Mgr");

            // display "Hello username" for managers and bob
            if (isMgr || remoteUserName.equals("bob"))
                s = "Hello " + remoteUserName;

            String message = "<html>\n" +
                    "<head><title>Hello Servlet</title></head>\n" +
                    "<body>\n" +
                    "<h1>" + s + "</h1>\n" +
                    "</body></html>\n";
            byte[] bytes = message.getBytes();

            // displays "Hello" for ordinary users
            // and displays "Hello username" for managers and "bob".
            response.setContentType("text/html");
            response.getOutputStream().write(bytes);
        }

    }

    After developing the servlet, you can create a security role reference for the HelloServlet as shown in the following example:

    Add this entry in web.xml, inside the <servlet> element for HelloServlet (the role-link must match a <security-role> declared elsewhere in web.xml):

    <security-role-ref>
        <description> </description>
        <role-name>Mgr</role-name>
        <role-link>Mgr</role-link>
    </security-role-ref>


    Hope this helps

  3. #3
    Join Date
    May 2009
    Posts
    4

    Default AOP Interceptors and Principals

    Hi kravicha,

    Thanks for your advice. Using the Servlet security model I can audit the application at the HTTP request level.
    I'm looking for a way to do the same but at the service level.

    For example, I could use a Filter that intercepts all requests, captures the principal using one of the methods of the Request object and puts it in a ThreadLocal. Later, using an AOP interceptor, I could obtain the user from the ThreadLocal and audit the service method calls. I think I could use the SecurityContextHolder object instead of the ThreadLocal.

    Nevertheless, I think this is too complicated. Does anybody know a simpler way to do the same? I'd like something more "KISS".

    Thanks
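
    The filter-plus-ThreadLocal-plus-AOP-interceptor design sketched in post #3 (and the filter on getUserPrincipal() that kravicha suggests in post #2), written out as an added example. This is not code from the thread, from Spring or from Acegi; the class names AuditSupport, UserHolder, PrincipalCaptureFilter and ServiceAuditInterceptor, the bean name serviceAuditInterceptor, the "audit" logger and the "*Service" bean-name pattern are all hypothetical. It assumes the javax.servlet API and the AOP Alliance MethodInterceptor interface that Spring AOP uses; the three classes are nested in one file only to keep the example in a single unit.

```java
// AuditSupport.java (added example; split the nested classes into files in a real project)
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

public final class AuditSupport {

    private AuditSupport() {}

    /** Hypothetical per-thread slot for the authenticated user name (stands in for SecurityContextHolder). */
    public static final class UserHolder {
        private static final ThreadLocal<String> USER = new ThreadLocal<String>();
        private UserHolder() {}
        public static void set(String name) { USER.set(name); }
        /** Never returns null, so unauthenticated calls are still audited. */
        public static String get() {
            String u = USER.get();
            return u == null ? "anonymous" : u;
        }
        public static void clear() { USER.remove(); }
    }

    /**
     * Step 1: servlet filter that copies the container-authenticated principal into the holder.
     * web.xml (hypothetical names):
     *   <filter><filter-name>principalCapture</filter-name>
     *           <filter-class>AuditSupport$PrincipalCaptureFilter</filter-class></filter>
     *   <filter-mapping><filter-name>principalCapture</filter-name><url-pattern>/*</url-pattern></filter-mapping>
     */
    public static final class PrincipalCaptureFilter implements Filter {
        public void init(FilterConfig config) {}
        public void destroy() {}

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            Principal p = (req instanceof HttpServletRequest)
                    ? ((HttpServletRequest) req).getUserPrincipal() : null;
            UserHolder.set(p == null ? null : p.getName());
            try {
                chain.doFilter(req, res);
            } finally {
                // Container threads are pooled: without this, the next request served by
                // this thread would be audited under the previous user's identity.
                UserHolder.clear();
            }
        }
    }

    /**
     * Step 2: AOP Alliance interceptor applied to the service beans, e.g. with
     *   <bean id="serviceAuditInterceptor" class="AuditSupport$ServiceAuditInterceptor"/>
     *   <bean class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
     *     <property name="beanNames" value="*Service"/>
     *     <property name="interceptorNames"><list><value>serviceAuditInterceptor</value></list></property>
     *   </bean>
     */
    public static final class ServiceAuditInterceptor implements MethodInterceptor {
        private static final Logger AUDIT = Logger.getLogger("audit");

        public Object invoke(MethodInvocation inv) throws Throwable {
            String user = UserHolder.get();
            String method = inv.getMethod().getDeclaringClass().getSimpleName()
                    + "." + inv.getMethod().getName();
            long start = System.currentTimeMillis();
            try {
                Object result = inv.proceed();
                // Record who called what and whether it succeeded. Arguments are deliberately
                // not logged: service parameters often carry passwords or personal data.
                AUDIT.info("user=" + user + " method=" + method + " outcome=OK ms="
                        + (System.currentTimeMillis() - start));
                return result;
            } catch (Throwable t) {
                AUDIT.warning("user=" + user + " method=" + method + " outcome=FAIL "
                        + t.getClass().getName());
                throw t;
            }
        }
    }
}
```

    Two caveats a practitioner would want on this design. The finally-block clear is not optional: servlet containers reuse threads, so a holder that is set and never cleared attributes later requests to the wrong user. And a ThreadLocal only follows the request thread; if a service hands work to an executor or another thread, the audit record on that thread will show "anonymous" unless the identity is passed along explicitly. Spring Security's (and Acegi's) SecurityContextHolder is the same ThreadLocal idea with a replaceable storage strategy, so switching to it later changes the holder, not the filter or interceptor.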

  4. #4
    Join Date
    May 2007
    Location
    Saint Petersburg, Russian Federation
    Posts
    1,189

    Default

    Quote Originally Posted by javim View Post
    ...
    Using Acegi or a web filter that puts the user in the current thread would be a
    solution. Is there a simpler manner to do this?

    Thanks

    I'm afraid it's not clear what you want to get eventually. All you need is to choose a security system to use and integrate your AOP interceptors with it. Am I right in understanding that you don't want to use Acegi and are asking about a 'simpler' security system?
