WIKI IREMIA: DWRandAcegi

Source: Baidu Wenku; editor: 神马文学网; time: 2024/04/30 16:36:02
DWRandAcegi
how-to integrate DWR and ACEGI to protect a bean method call
you have to be familiar with Spring and DWR to understand this little how-to. We don't explain the Acegi configuration itself (take a look at ACEGI, in French, if you are interested in Acegi and CAS...).
the Acegi API used here is the 0.9 one (net.sf....). For Acegi 1.0 the packages moved to org.acegisecurity and some names changed (security interceptor...); the stack trace in the troubleshooting section at the end of this page comes from a 1.0 deployment.
problem
we need to protect a bean "exposed" (remoted) via the DWR framework (for an introduction in French, see AJAX).
Acegi is a security framework built on Spring. The objective of this example page is to show how to prevent unauthorized access, from a web page (a JavaScript call), to a bean method exposed through DWR.
example:
we have this declaration (dwr.xml) of the remoted bean before acegi protection:



the addLoan method is callable from a web page via the JavaScript utility that DWR generates (in this case loanDWR.js). The backing bean loanDWR is a Spring-managed bean (appli*.xml):




we now want to prevent unauthorized loanDWR.addLoan JavaScript calls!! Since DWR answers any browser that can reach the /dwr/ URLs, hiding the button in the page is not protection: the check has to be enforced server-side, on the bean method itself.
the solution:
prerequisite : we need a working ACEGI configuration !!
create a security interceptor :
we use an AOP Alliance security interceptor (Acegi's MethodSecurityInterceptor):





fr.iremia.jlab.web.dwr.LoanDWR.addLoan=edit,admin



this line is the interceptor's objectDefinitionSource (one fully.qualified.Class.method=role,role entry per line): the method addLoan of the Java class fr.iremia.jlab.web.dwr.LoanDWR becomes callable only by users holding the role edit or admin.
for the meaning of the Acegi authenticationManager and httpRequestAccessDecisionManager references, see http://acegisecurity.org/docbook/acegi.html.
create a proxy for the bean
add a proxy around the original loanDWR Spring bean, using Spring's ProxyFactoryBean:






now loanDWRSecure is a proxy to the Spring bean loanDWR. Every call to the addLoan method goes through the Acegi interceptor and reaches the real bean only if the calling user has the role edit or admin; otherwise the interceptor throws (AccessDeniedException, or AuthenticationCredentialsNotFoundException when nobody is logged in) before the method runs... easy... (thanks Spring and Acegi!). Note that the unproxied loanDWR bean is still in the context and still unprotected: only calls that go through loanDWRSecure are checked.
modify dwr configuration:
we now point the DWR creator at the proxy: the Spring bean name referenced in dwr.xml changes from loanDWR to loanDWRSecure, while the javascript name stays loanDWR. Check that no other creator still references the unproxied loanDWR bean:



no need to modify the existing JSPs: the generated loanDWR.js and the client-side calls are unchanged, only the bean behind them is now the secured proxy....
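The three steps above, assembled into one Spring context fragment. This is an added, reconstructed example and not the page's original XML (which is missing from this copy). The bean ids loanDWR, loanDWRSecure, authenticationManager and httpRequestAccessDecisionManager, the class fr.iremia.jlab.web.dwr.LoanDWR and its addLoan method are taken from the text; the interceptor bean id loanDWRSecurityInterceptor, the Acegi 1.0 package names (org.acegisecurity, as in the stack trace further down), Spring 1.x DTD syntax and proxyTargetClass="true" are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<!-- Spring context fragment (file name is hypothetical, e.g. appli-security.xml).
     authenticationManager and httpRequestAccessDecisionManager are assumed to be
     defined in the existing, working Acegi configuration. -->
<beans>

  <!-- The original remoted bean, unchanged. DWR must no longer reference it directly:
       calls to this bean bypass the interceptor. -->
  <bean id="loanDWR" class="fr.iremia.jlab.web.dwr.LoanDWR">
    <!-- dependencies of the real bean go here -->
  </bean>

  <!-- Step 1: AOP Alliance security interceptor (bean id is an assumption). -->
  <bean id="loanDWRSecurityInterceptor"
        class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
      <ref bean="httpRequestAccessDecisionManager"/>
    </property>
    <!-- One "fully.qualified.Class.method=role,role" entry per line.
         Caveat: Acegi's stock RoleVoter only votes on attributes starting with
         "ROLE_" and abstains otherwise; with the standard decision manager the
         roles would have to be ROLE_EDIT,ROLE_ADMIN. The names below follow the page. -->
    <property name="objectDefinitionSource">
      <value>
        fr.iremia.jlab.web.dwr.LoanDWR.addLoan=edit,admin
      </value>
    </property>
  </bean>

  <!-- Step 2: proxy around the real bean; every call runs the interceptor first. -->
  <bean id="loanDWRSecure" class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="target">
      <ref bean="loanDWR"/>
    </property>
    <!-- Assumption: LoanDWR is a plain class, so a CGLIB class proxy is used and the
         intercepted Method is LoanDWR.addLoan, which matches the entry above.
         If LoanDWR implements an interface and you proxy that interface instead
         (proxyInterfaces), list the interface's addLoan in objectDefinitionSource,
         because the interceptor then sees the interface method. -->
    <property name="proxyTargetClass">
      <value>true</value>
    </property>
    <property name="interceptorNames">
      <list>
        <value>loanDWRSecurityInterceptor</value>
      </list>
    </property>
  </bean>

</beans>
```

Step 3 is then the one-word change in dwr.xml: the spring creator's bean name goes from loanDWR to loanDWRSecure while its javascript name stays loanDWR, so loanDWR.js and the JSPs are untouched. A quick check that the wiring is effective: call loanDWR.addLoan from a session without the edit or admin role and confirm that DWR returns an error and that the real addLoan was never entered.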
in case of problem:
I've received some questions about problems encountered with this solution. The answers are:
in case of:
2006-06-08 14:21:38,437 WARN [uk.ltd.getahead.dwr.impl.ExecuteQuery] -
org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:329)
at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:244)
at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
don't forget to map the Acegi Security filter (in web.xml) to /dwr/*. The Authentication lives in the HttpSession; it is the Acegi filter chain (HttpSessionContextIntegrationFilter) that copies it into the SecurityContextHolder for each request. If the DWR servlet's URLs are not covered by the filter mapping, the thread handling the DWR call has an empty SecurityContext and the MethodSecurityInterceptor rejects the call with the exception above, even for a logged-in user.
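A web.xml excerpt illustrating that answer, with the too-narrow mapping and the added /dwr/* mapping side by side. This is an added example, not the page's own configuration: the filter and servlet names and the *.do pattern are illustrative assumptions; org.acegisecurity.util.FilterToBeanProxy / FilterChainProxy are the Acegi 1.0 classes, and uk.ltd.getahead.dwr.DWRServlet is the DWR 1.x servlet matching the package seen in the stack trace.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml excerpt; names and the *.do pattern are illustrative -->
<web-app>

  <!-- Acegi filter chain, delegating to the filterChainProxy bean of the Spring context -->
  <filter>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
    <init-param>
      <param-name>targetClass</param-name>
      <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
    </init-param>
  </filter>

  <!-- Typical original mapping: only the "page" URLs go through Acegi.
       A DWR request to /dwr/call/... never meets HttpSessionContextIntegrationFilter,
       so SecurityContextHolder is empty on the DWR thread and MethodSecurityInterceptor
       throws AuthenticationCredentialsNotFoundException. -->
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>*.do</url-pattern>
  </filter-mapping>

  <!-- The fix: DWR calls must pass through the chain too -->
  <filter-mapping>
    <filter-name>Acegi Filter Chain Proxy</filter-name>
    <url-pattern>/dwr/*</url-pattern>
  </filter-mapping>

  <!-- DWR 1.x servlet answering the /dwr/* calls -->
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>dwr-invoker</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
  </servlet-mapping>

</web-app>
```

The servlet-filter mapping alone is not enough if the filterChainProxy bean's filterInvocationDefinitionSource only lists patterns such as /secure/**: its pattern list must also match /dwr/** and include at least httpSessionContextIntegrationFilter (a /** line covers both). Once the mapping is right, a DWR call from a session that never logged in still fails with the same exception, which is the intended behaviour: the interceptor refuses rather than running addLoan.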
I've lost the other questions :-( ...