Hey there
I've been trying for hours now to find out if I'm too lazy, stupid or stupid... I just want to secure the methods provided through RMI with Acegi. So here is what I did:
1. I implemented the access over RMI. Works fine.
2. I added in the applicationContext.xml
Code:
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
    <property name="interceptorNames">
        <list><value>securityInterceptor</value></list>
    </property>
    <property name="beanNames">
        <list>
            <value>orderService</value>
            <value>controllerService</value>
            <value>dataService</value>
        </list>
    </property>
</bean>

<!-- This bean specifies which roles are authorized to execute which methods. -->
<bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
        <value>
            ch.hslu.appe.fs1001.service.DataServiceImpl.*=ROLE_TYPIST,ROLE_SYSADMIN,ROLE_SHOPMANAGER
            ch.hslu.appe.fs1001.service.ControllerServiceImpl.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER
            ch.hslu.appe.fs1001.service.OrderServiceImpl.*=ROLE_SYSADMIN,ROLE_SHOPMANAGER,ROLE_VENDOR
        </value>
    </property>
</bean>

<!-- This bean specifies which roles are assigned to each user. You'll notice -->
<!-- that I'm using an in-memory database implementation instead of using -->
<!-- LDAP or a "real" database. The ACEGI-provided in-memory implementation is great for testing! -->
<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            manager=manager,ROLE_SHOPMANAGER
            worker=worker,ROLE_VENDOR
            typist=typist,ROLE_TYPIST
        </value>
    </property>
</bean>

<!-- This bean specifies that a user can access the protected methods -->
<!-- if they have any one of the roles specified in the objectDefinitionSource above. -->
<bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list><ref bean="roleVoter"/></list>
    </property>
</bean>

<!-- The next three beans are boilerplate. They should be the same for nearly all applications. -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
    <property name="providers">
        <list><ref bean="authenticationProvider"/></list>
    </property>
</bean>

<bean id="authenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
</bean>

<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

3. I start the server once again:
Code:
ApplicationContext appCtx = new ClassPathXmlApplicationContext(
        new String[] { "applicationContext.xml", "context-rmi.xml" });
OrderAppRMIServer server = (OrderAppRMIServer) appCtx.getBean("server");
server.run();

4. I start the client, which now should be unable to access the methods... but it does, without even slowing down or something else :-(

In the Log-File I can find, what acegi did:
INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public void ch.hslu.appe.fs1001.service.ControllerServiceImpl.setOrderDao(ch.hslu.appe.fs1001.dao.OrderDAO)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public void ch.hslu.appe.fs1001.service.ControllerServiceImpl.setCustomerDao(ch.hslu.appe.fs1001.dao.CustomerDAO)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [private ch.hslu.appe.fs1001.dto.CustomerDTO ch.hslu.appe.fs1001.service.ControllerServiceImpl.convertCustomerToCustomerDTO(ch.hslu.appe.fs1001.domain.Customer)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public java.util.List ch.hslu.appe.fs1001.service.ControllerServiceImpl.getOrdersByClient(int)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]
2010-04-06 22:50:58,982 INFO org.acegisecurity.intercept.method.MethodDefinitionMap.addSecureMethod(MethodDefinitionMap.java:75) - Adding secure method [public java.util.List ch.hslu.appe.fs1001.service.ControllerServiceImpl.getOrdersByState(ch.hslu.appe.fs1001.dto.OrderState)] with attributes [[ROLE_SYSADMIN, ROLE_SHOPMANAGER]]

What's my mistake (besides my English :-) )????
Thanks a lot
Joe
P.S.: Does anybody know an example project for what I'm trying?
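
A diagnostic for the setup described in the post, as an added example that is not part of the original post: it loads the same two context files and reports, for each bean name listed in the autoProxyCreator, whether the object the context hands out is an AOP proxy carrying a MethodSecurityInterceptor. The class name SecurityProxyCheck is hypothetical, and the check assumes Spring and Acegi are on the classpath; loading context-rmi.xml also starts whatever that file defines.

```java
import org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor;
import org.aopalliance.aop.Advice;
import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;

// Hypothetical diagnostic class (an assumption, not code from the post).
public class SecurityProxyCheck {

    // Bean names copied from the beanNames list of the autoProxyCreator.
    private static final String[] SECURED_BEANS = {
        "orderService", "controllerService", "dataService" };

    /** True only if the object is a Spring AOP proxy whose advisor chain
     *  contains an Acegi MethodSecurityInterceptor. */
    static boolean hasSecurityInterceptor(Object bean) {
        if (!AopUtils.isAopProxy(bean) || !(bean instanceof Advised)) {
            return false; // raw target object: calls reach it without any check
        }
        Advisor[] advisors = ((Advised) bean).getAdvisors();
        for (int i = 0; i < advisors.length; i++) {
            Advice advice = advisors[i].getAdvice();
            if (advice instanceof MethodSecurityInterceptor) {
                return true;
            }
        }
        return false; // proxied, but by some other advice only
    }

    public static void main(String[] args) {
        ApplicationContext ctx = new ClassPathXmlApplicationContext(
            new String[] { "applicationContext.xml", "context-rmi.xml" });
        boolean allSecured = true;
        for (int i = 0; i < SECURED_BEANS.length; i++) {
            Object bean = ctx.getBean(SECURED_BEANS[i]);
            boolean secured = hasSecurityInterceptor(bean);
            allSecured &= secured;
            System.out.println(SECURED_BEANS[i]
                + ": class=" + bean.getClass().getName()
                + " securityInterceptor=" + secured);
        }
        // Non-zero exit code so the check can gate a build or startup script.
        System.exit(allSecured ? 0 : 1);
    }
}
```

A bean reported with securityInterceptor=false is being handed out unwrapped, so anything that exports or injects it calls the target directly and the role mapping in objectDefinitionSource is never consulted for it.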


