Results 1 to 2 of 2

Thread: HTTP Security with Method Level Security

  1. Jul 23rd, 2010, 01:18 PM #1
    kevin.jordan
    kevin.jordan is offline Junior Member
    Join Date
    Nov 2007
    Posts
    22

    Default HTTP Security with Method Level Security

    I've got HTTP Security working in my web application with CAS authentication. However, I'm trying to mix it with method level security for some service methods (specifically GWT RPC), but it doesn't seem to be working. It gets to the point where it executes the @PostAuthorize annotation. However, it doesn't seem to pay attention to the configuration I have and executes some other way that does deny access to the returned object.

    Cut down deployerConfigContext.xml read by org.springframework.web.context.ContextLoaderListe ner listener.
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:tx="http://www.springframework.org/schema/tx" xmlns:aop="http://www.springframework.org/schema/aop"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
	   http://www.springframework.org/schema/security
	   http://www.springframework.org/schema/security/spring-security-3.0.xsd
	   http://www.springframework.org/schema/tx 
	   http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
	   http://www.springframework.org/schema/context
	   http://www.springframework.org/schema/context/spring-context-3.0.xsd
	   http://www.springframework.org/schema/aop
	   http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">

	<security:http use-expressions="true"
		entry-point-ref="casProcessingFilterEntryPoint">
		<security:intercept-url pattern="/casfailed.jsp"
			requires-channel="any" access="permitAll" />
		<security:intercept-url pattern="/cas-logout.jsp"
			requires-channel="any" access="permitAll" />
		<security:intercept-url pattern="/**"
			access="isAuthenticated()" requires-channel="https" />
		<security:logout logout-success-url="/cas-logout.jsp" />
		<security:custom-filter ref="casAuthenticationFilter"
			after="CAS_FILTER" />
	</security:http>

	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider
			ref="casAuthenticationProvider" />
	</security:authentication-manager>

	<!-- setup method level security using annotations -->
	<security:global-method-security
		jsr250-annotations="disabled" secured-annotations="enabled"
		pre-post-annotations="enabled">
		<security:expression-handler ref="expressionHandler" />
	</security:global-method-security>

	<bean id="expressionHandler"
		class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
		<property name="permissionEvaluator" ref="permissionEvaluator" />
	</bean>

	<bean id="permissionEvaluator"
		class="org.springframework.security.acls.AclPermissionEvaluator">
		<constructor-arg ref="aclService" />
	</bean>

	<bean id="aclService"
		class="my.custom.AclService">
		<constructor-arg>
			<bean class="org.springframework.security.acls.domain.ConsoleAuditLogger" />
		</constructor-arg>
		<constructor-arg>
			<bean
				class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
				<constructor-arg>
					<list>
						<bean
							class="org.springframework.security.core.authority.GrantedAuthorityImpl">
							<constructor-arg value="ROLE_ADMINISTRATOR" />
						</bean>
						<bean
							class="org.springframework.security.core.authority.GrantedAuthorityImpl">
							<constructor-arg value="ROLE_ADMINISTRATOR" />
						</bean>
						<bean
							class="org.springframework.security.core.authority.GrantedAuthorityImpl">
							<constructor-arg value="ROLE_ADMINISTRATOR" />
						</bean>
					</list>
				</constructor-arg>
			</bean>
		</constructor-arg>
	</bean>

	<bean
		class="org.springframework.orm.jpa.support.PersistenceAnnotationBeanPostProcessor" />

	<tx:annotation-driven transaction-manager="transactionManager" />

	<bean id="systemEMF"
		class="org.springframework.orm.jpa.LocalEntityManagerFactoryBean">
		<property name="persistenceUnitName" value="_persistenceunit_" />
	</bean>

	<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
		<property name="entityManagerFactory" ref="systemEMF" />
	</bean>
</beans>
    The bean for my AclService gets created, however nothing after that is executed in it (I have logging on every method). I'm not even sure the expressionHandler bean is being used. Do I need to move something up into the security:http section?

    Here's the section of the debug log where it gets executed:
    Code:
    2010-07-23 17:39:17,885 [org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource] DEBUG: @org.springframework.security.access.prepost.PostAuthorize(value=hasPermission(filterObject,'read')) found on specific method: public ReturnType my.rpc.RPCClass.getObject(java.lang.Long)
2010-07-23 17:39:17,885 [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] DEBUG: Adding security method [CacheKey[my.rpc.RPCClass; public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long)]] with attributes [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,885 [org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] DEBUG: Adding transactional method 'getObject' with attribute: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Secure object: ReflectiveMethodInvocation: public abstract ReturnType my.rpc.RPCClass.getObject(java.lang.Long); target is of class [my.rpc.RPCClass]; Attributes: [[authorize: 'permitAll', filter: 'null', filterTarget: 'null'], [authorize: 'hasPermission(filterObject,'read')', filter: 'null']]
2010-07-23 17:39:17,886 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Previously Authenticated: org.springframework.security.cas.authentication.CasAuthenticationToken@eeb49577: Principal: org.springframework.security.core.userdetails.User@8d32400: Username: kevin.jordan; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.0.16; SessionId: HZFBB0B9768A164833B6C659177874FC9C; Granted Authorities: ROLE_USER Assertion: org.jasig.cas.client.validation.AssertionImpl@5b8f67a6 Credentials (Service/Proxy Ticket): ST-27-lUehDttiUOLU041sBEio-cas
2010-07-23 17:39:17,890 [org.springframework.security.access.vote.AffirmativeBased] DEBUG: Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@52691fcf, returned: 1
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: Authorization successful
2010-07-23 17:39:17,890 [org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor] DEBUG: RunAsManager did not change Authentication object
2010-07-23 17:39:17,890 [org.springframework.beans.factory.support.DefaultListableBeanFactory] DEBUG: Returning cached instance of singleton bean 'transactionManager'
2010-07-23 17:39:17,890 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Creating new transaction with name [my.rpc.RPCClass.getObject]: PROPAGATION_REQUIRED,ISOLATION_DEFAULT; '',-java.lang.Throwable
2010-07-23 17:39:17,891 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Opened new EntityManager [org.hibernate.ejb.EntityManagerImpl@62701e2a] for JPA transaction
2010-07-23 17:39:18,333 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Initiating transaction commit
2010-07-23 17:39:18,339 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Committing JPA transaction on EntityManager [org.hibernate.ejb.EntityManagerImpl@62701e2a]
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.JpaTransactionManager] DEBUG: Closing JPA EntityManager [org.hibernate.ejb.EntityManagerImpl@62701e2a] after transaction
2010-07-23 17:39:18,342 [org.springframework.orm.jpa.EntityManagerFactoryUtils] DEBUG: Closing JPA EntityManager
2010-07-23 17:39:18,343 [org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice] DEBUG: PostAuthorize expression rejected access
    If anyone needs information from when it starts up or anything let me know. Thanks for your help!
  2. Jul 25th, 2010, 01:50 PM #2
    kevin.jordan
    kevin.jordan is offline Junior Member
    Join Date
    Nov 2007
    Posts
    22

    Default

    Figured out my problem. Wasn't anything with my configuration. I was using filterObject with @PostAuthorize instead of returnObject. Not sure why that wouldn't throw an error of some kind unless you can use filterObject somehow with @PostAuthorize, but I after further reading that's just for @Pre/PostFilter?
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules