Spring-Flex 1.0.2 + Security 3 Problem

#1  neoviktor, Feb 8th, 2010, 07:12 AM

Hi, today I tried to use the new release of Spring Flex with Spring Security 3.
Once configured, I got an exception:

Error creating bean with name '_messageBrokerDefaultHandlerMapping':
Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name '_messageBroker':
Cannot resolve reference to bean '_messageBrokerEndpointProcessor' while setting bean property 'configProcessors' with key [3];
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name '_messageBrokerEndpointProcessor':
Cannot resolve reference to bean 'org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1' while setting constructor argument with key [1];
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'org.springframework.flex.core.EndpointServiceMessagePointcutAdvisor#1':
Cannot resolve reference to bean 'org.springframework.flex.core.MessageInterceptionAdvice#0' while setting constructor argument;
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'org.springframework.flex.core.MessageInterceptionAdvice#0':
Cannot resolve reference to bean 'org.springframework.flex.security3.EndpointInterceptor#0' while setting bean property 'messageInterceptors' with key [1];
nested exception is org.springframework.beans.factory.BeanCreationException:
Error creating bean with name 'org.springframework.flex.security3.EndpointInterceptor#0':
Invocation of init method failed; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException:
No unique bean of type [org.springframework.security.access.AccessDecisionManager] is defined: expected single bean but found 2:
org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.access.vote.AffirmativeBased#1


My security config:
HTML Code:
<sec:http entry-point-ref="authenticationEntryPoint" >
	<sec:anonymous enabled="false"/>
</sec:http>
    
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<sec:authentication-manager>
	<sec:authentication-provider
		user-service-ref='AuthenticationJDBC'>
		<sec:password-encoder hash="sha" />
	</sec:authentication-provider>
</sec:authentication-manager>
	
<bean id="AuthenticationJDBC"	class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
	<property name="dataSource" ref="dataSource" />
</bean>
	
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>
My spring-flex config:
HTML Code:
<flex:message-broker>
	<flex:exception-translator ref="mySecurityExceptionTranslator" />
	<flex:secured>
		<flex:secured-channel channel="my-amf" access="ROLE_USER" />
		<flex:secured-channel channel="my-secure-amf" access="ROLE_USER" />
	</flex:secured>
</flex:message-broker>
Reading the logs, I found that Spring creates two AccessDecisionManagers, AffirmativeBased#0 and AffirmativeBased#1; the latter appears to be related to the JDBCDao authentication-provider.
To solve it, I have to set manually:
...
<flex:secured access-decision-manager="org.springframework.security.access.vote.AffirmativeBased#1">
...

Is the creation of two AccessDecisionManagers the right behavior? Can't Spring-flex discover the right AccessDecisionManager through the authentication-manager? Is there another way to work around this problem?

Sorry for my bad English.
-- Victor

#2  jeremyg484, Feb 8th, 2010, 03:31 PM

Hmmm...unfortunately it seems that Spring Security is creating two distinct AccessDecisionManager instances...one for the http security and one for the global method security. (I am able to reproduce it in a test, but only by adding global-method-security to my test context that previously only had http).

I will check with the Spring Security devs to see if this is expected behavior.

Another workaround, in the meantime, would be to define your own AccessDecisionManager (just mimicking the default one) as described here:
http://static.springsource.org/sprin...access-manager
__________________
Jeremy Grelle

Senior Software Engineer, Web Products Team
SpringSource

#3  jeremyg484, Feb 8th, 2010, 07:40 PM

Ok, I got the explanation from the Security devs. The provisioning of multiple AccessDecisionManagers in v3 is definitely intentional, as it's possible for the "http" version and the "global-method-security" version to need slightly different configuration. That said, they explained that it would also be perfectly fine for Flex to use its own distinct AccessDecisionManager for the needs of the <flex:secured-channel> tag. So what I think we'll do in the future is just create one internally if a reference is not specified in <flex:secured>. In the meantime, I think the best option is to use a config such as the following to create an AccessDecisionManager specifically for the needs of Flex:

Code:
<flex:message-broker>
    <flex:secured access-decision-manager="flexAccessDecisionManager">
        <flex:secured-channel access="ROLE_USER" channel="my-amf"/>
    </flex:secured>
</flex:message-broker>
	
<bean id="flexAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.access.vote.RoleVoter"/>
            <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </list>
    </property>
</bean>
I have opened a Jira to correct the problem (https://jira.springsource.org/browse/FLEX-109), but this seems like the best alternative until it gets resolved.
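
Added example, not part of the original posts and not Spring BlazeDS Integration's own code: the same voter set as the flexAccessDecisionManager bean in post #3, built programmatically and asked to decide on a channel's access attribute. It assumes the Spring Security 3.0.x jars on the classpath; the class name, user names and authorities are constructed for illustration. The third call shows a pitfall of this voter set: an attribute without the ROLE_ prefix is recognised by neither voter, so both abstain, and AffirmativeBased denies access because allowIfAllAbstainDecisions defaults to false.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class FlexAccessDecisionDemo {

    // Same voters as the flexAccessDecisionManager bean in the XML above (3.0.x setter API).
    @SuppressWarnings({"rawtypes", "unchecked"})
    static AffirmativeBased flexAccessDecisionManager() {
        AffirmativeBased adm = new AffirmativeBased();
        adm.setDecisionVoters(Arrays.<AccessDecisionVoter>asList(
                new RoleVoter(), new AuthenticatedVoter()));
        return adm;
    }

    // Constructed, already-authenticated principal; names and authorities are made up.
    static Authentication user(String name, String... authorities) {
        return new UsernamePasswordAuthenticationToken(
                name, "n/a", AuthorityUtils.createAuthorityList(authorities));
    }

    // Returns true when the manager grants access for the given access attribute.
    static boolean allowed(AffirmativeBased adm, Authentication auth, String access) {
        List<ConfigAttribute> attrs = SecurityConfig.createList(access);
        try {
            adm.decide(auth, "my-amf", attrs); // these voters do not inspect the secured object
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        AffirmativeBased adm = flexAccessDecisionManager();
        System.out.println(allowed(adm, user("alice", "ROLE_USER"), "ROLE_USER"));  // RoleVoter finds the role
        System.out.println(allowed(adm, user("bob", "ROLE_GUEST"), "ROLE_USER"));   // RoleVoter finds no match
        System.out.println(allowed(adm, user("alice", "ROLE_USER"), "USER"));       // no voter recognises "USER"
    }
}
```
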

#4  neoviktor, Feb 9th, 2010, 07:14 AM

Thanks for the reply, Jeremy.
Although my solution works, yours seems to be better.

#5  jeremyg484, Feb 9th, 2010, 02:51 PM

This has now been fixed in the latest nightly build. If you would like to test it, you can either grab it here:

http://s3.amazonaws.com/dist.springf....0.3.CI-29.zip

or if you are using Maven, you can follow the updated instructions for grabbing nightly snapshots here:

http://forum.springsource.org/showthread.php?t=77454

#6  neoviktor, Feb 9th, 2010, 02:53 PM

That was fast.
Thanks, I will test ASAP
All times are GMT -5.

