@Secured not working


Amit Khanna

Mar 11, 2011, 9:55:03 AM
to gwt-sl
Hi

I have added Spring Security and gwt-sl to my GWT app. I'm
successful in implementing URL-level security but am not able to apply
method-level security. Can you please help me understand what is wrong
in the following code:
----------------------------------------------
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<!-- Servlets -->
<servlet>
<servlet-name>handler</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>handler</servlet-name>
<url-pattern>/greetings/rpc/*</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>Greetings.html</welcome-file>
</welcome-file-list>
</web-app>

-------------------------------------------------------
handler-servlet.xml:


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="urlMapping"
class="org.gwtwidgets.server.spring.GWTHandler">
<property name="mappings">
<map>
<entry key="/greet" value-ref="greetService" />
</map>
</property>
</bean>

<bean id="greetService" class="pkg.java.GreetServiceImpl"/>

</beans>

------------------------------------------------

applicationContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<global-method-security pre-post-annotations="disabled" secured-annotations="enabled" jsr250-annotations="enabled"/>
<http auto-config="true">
<intercept-url pattern="/**/*.html" access="ROLE_USER"/>
<form-login login-page="/login.jsp"/>
</http>

<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="admin" password="secret"
authorities="ROLE_ADMIN, ROLE_USER"/>
<user name="user" password="user" authorities="ROLE_USER"/>
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
---------------------------------------------


I have secured the greetServer method using @Secured("ROLE_ADMIN") but
I'm still able to access the method when I log in with "user".


Please help me figure out the issues in the above code.

Thanks
Amit Khanna

yes2000

Mar 15, 2011, 4:12:44 AM
to gwt-sl
Because the object that has the @Secured method is proxied by AOP,
when Spring Security detects that the user is anonymous (not yet logged in),
ExceptionTranslationFilter directly redirects the response to the login entry.
Otherwise ExceptionTranslationFilter will delegate to the
AccessDeniedHandler.
If you have defined the error-page of access-denied-handler, then the response
is redirected to the error page,
or an HTTP 403 message is thrown.
There is no chance for GWTRPCServiceExporter to catch it.
You may refer to http://code.google.com/p/gwtsecurity/ to see the
solution.
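
A check that fits the configuration posted in this thread, as an added example that is not code from either poster, gwt-sl or Spring: it lists every bean that declares @Secured and reports whether that bean is wrapped in a Spring AOP proxy, walking the given context and its parents. The class name SecuredProxyAudit is hypothetical, and it assumes the default proxy-based mode of global-method-security.

```java
import java.lang.reflect.Method;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.annotation.Secured;

/** Hypothetical diagnostic helper (assumption: proxy-based method security). */
public final class SecuredProxyAudit {

    private SecuredProxyAudit() {}

    /** Reports, per context, each bean with @Secured and whether it is an AOP proxy. */
    public static String report(ApplicationContext ctx) {
        StringBuilder out = new StringBuilder();
        for (ApplicationContext c = ctx; c != null; c = c.getParent()) {
            out.append("context: ").append(c.getDisplayName()).append('\n');
            for (String name : c.getBeanDefinitionNames()) {
                Object bean;
                try {
                    bean = c.getBean(name); // note: instantiates lazy and prototype beans
                } catch (RuntimeException e) {
                    continue; // abstract or otherwise non-instantiable definition
                }
                Class<?> target = AopUtils.getTargetClass(bean);
                if (!declaresSecured(target)) {
                    continue;
                }
                out.append("  ").append(name)
                   .append(" (").append(target.getName()).append("): ")
                   .append(AopUtils.isAopProxy(bean) ? "proxied" : "NOT proxied")
                   .append('\n');
            }
        }
        return out.toString();
    }

    /** True if the class, a superclass or an implemented interface carries @Secured. */
    private static boolean declaresSecured(Class<?> type) {
        if (type == null || type == Object.class) {
            return false;
        }
        if (type.isAnnotationPresent(Secured.class)) {
            return true;
        }
        for (Method m : type.getDeclaredMethods()) {
            if (m.isAnnotationPresent(Secured.class)) {
                return true;
            }
        }
        for (Class<?> itf : type.getInterfaces()) {
            if (declaresSecured(itf)) {
                return true;
            }
        }
        return declaresSecured(type.getSuperclass());
    }
}
```

Call report() with the DispatcherServlet's own context so that beans from both handler-servlet.xml and applicationContext.xml are covered, and log the result at startup.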