
Security interceptors

tcaiati
Champ in-the-making
Hi,

I'm trying to use security interceptors with our services (like "public-services-security-context.xml" file).

I have:

1- added an interceptor in file "knowings-resource-services-context.xml":

   <bean id="TaxonService"
      class="org.springframework.aop.framework.ProxyFactoryBean">
      <property name="proxyInterfaces">
         <list>
            <value>
               com.knowings.kmsj.repo.taxonomy.ITaxonService
            </value>
         </list>
      </property>
      <property name="target">
         <ref bean="taxonService" />
      </property>
      <property name="interceptorNames">
         <list>
            <idref local="ITaxonService_transaction" />
            <idref bean="AuditMethodInterceptor" />
            <idref bean="exceptionTranslator"/> 
            <idref bean="ITaxonService_security"/>
         </list>
      </property>
   </bean>

2- added in file "knowings-resource-services-security-context.xml":

    <bean id="ITaxonService_security" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor" >
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
               com.knowings.kmsj.repo.taxonomy.ITaxonService.getAvailableTaxons=ACL_ALLOW
               com.knowings.kmsj.repo.taxonomy.ITaxonService.getTemporaryTaxons=ACL_ALLOW
           </value>
        </property>
    </bean>
  


Here is the problem:

This service calls another custom service (no problem), and this last service calls NodeService (with big N).
And I have this error:

exception : net.sf.acegisecurity.BadCredentialsException: Bad credentials presented
Bad credentials presented
net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider - authenticate - 290
net.sf.acegisecurity.providers.ProviderManager - doAuthentication - 159
net.sf.acegisecurity.AbstractAuthenticationManager - authenticate - 49
net.sf.acegisecurity.intercept.AbstractSecurityInterceptor - beforeInvocation - 372
net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor - invoke - 77
org.springframework.aop.framework.ReflectiveMethodInvocation - proceed - 176
org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor - invoke - 49
org.springframework.aop.framework.ReflectiveMethodInvocation - proceed - 176
org.alfresco.repo.audit.AuditComponentImpl - audit - 241
org.alfresco.repo.audit.AuditMethodInterceptor - invoke - 69
org.springframework.aop.framework.ReflectiveMethodInvocation - proceed - 176
org.springframework.transaction.interceptor.TransactionInterceptor - invoke - 107
org.springframework.aop.framework.ReflectiveMethodInvocation - proceed - 176
org.springframework.aop.framework.JdkDynamicAopProxy - invoke - 210

Tests :

If I put "nodeService" (little n), it's OK, but it is not the solution for us and the software crashes later.

If in file "knowings-resource-services-security-context.xml", I put :

    <!-- to test it -->
      <bean id="ITaxonService_security" class="org.alfresco.repo.security.permissions.impl.AlwaysProceedMethodInterceptor" />

It's OK when using NodeService and I have the rights.

=> I think I made mistakes in the security rules:

com.knowings.kmsj.repo.taxonomy.ITaxonService.getAvailableTaxons=ACL_ALLOW
com.knowings.kmsj.repo.taxonomy.ITaxonService.getTemporaryTaxons=ACL_ALLOW

Do you have any idea?

Regards,
1 REPLY 1

tcaiati
Champ in-the-making
Hi,

We have found the solution, thanks, Philippe De RIVAROLA.

In fact, ITaxonService extends IResourceService,
and IResourceService has 2 methods: getResource and getResources. We must declare these methods in the rules:

com.knowings.kmsj.repo.taxonomy.ITaxonService.createAdminTaxon=ACL_NODE.0.sys:base.CreateChildren
com.knowings.kmsj.repo.taxonomy.ITaxonService.createUserTaxon=ACL_NODE.0.sys:base.ReadChildren
com.knowings.kmsj.repo.taxonomy.ITaxonService.validateTaxon=ACL_PARENT.0.sys:base.WriteProperties
com.knowings.kmsj.repo.taxonomy.ITaxonService.deleteTaxon=ACL_NODE.0.sys:base.DeleteNode
com.knowings.kmsj.repo.taxonomy.ITaxonService.getAvailableTaxons=AFTER_ACL_NODE.sys:base.ReadProperties
com.knowings.kmsj.repo.taxonomy.ITaxonService.getTemporaryTaxons=AFTER_ACL_NODE.sys:base.ReadProperties
com.knowings.kmsj.repo.parameter.IResourceService.getResource=ACL_NODE.1.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties
com.knowings.kmsj.repo.parameter.IResourceService.getResources=ACL_NODE.1.sys:base.ReadProperties,AFTER_ACL_NODE.sys:base.ReadProperties


So, if the security conf is not good, services could not work well and the logs do not help us …

Regards,
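
A check for the gap found in this thread, as an added example that is not part of the original posts or of the Alfresco/Acegi code: it lists every method reachable through a proxied interface, including those inherited from super-interfaces, and reports the ones that have no entry in the objectDefinitionSource rules. The nested interfaces and their signatures are stand-ins (assumptions) for the real ITaxonService and IResourceService, and the rule keys use simple names instead of the full package names.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

public class RuleCoverage {
    // Stand-ins for the interfaces named in the thread; method signatures are assumptions.
    interface IResourceService { Object getResource(String id); List<Object> getResources(); }
    interface ITaxonService extends IResourceService {
        List<Object> getAvailableTaxons();
        List<Object> getTemporaryTaxons();
    }

    // Parse "Interface.method=ATTR[,ATTR]" lines and keep only the keys left of '='.
    static Set<String> ruleKeys(String objectDefinitionSource) {
        Set<String> keys = new TreeSet<>();
        for (String line : objectDefinitionSource.split("\\R")) {
            int eq = line.indexOf('=');
            if (eq > 0) keys.add(line.substring(0, eq).trim());
        }
        return keys;
    }

    // Key each method by the interface that declares it, as the working rules in the reply do.
    static Set<String> missingRules(Class<?> proxyInterface, Set<String> keys) {
        Set<String> missing = new TreeSet<>();
        // getMethods() on an interface also returns methods inherited from its super-interfaces.
        for (Method m : proxyInterface.getMethods()) {
            // With real top-level interfaces, use getDeclaringClass().getName() for the full name.
            String key = m.getDeclaringClass().getSimpleName() + "." + m.getName();
            if (!keys.contains(key)) missing.add(key);
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample: the two rules from the first post, package names dropped.
        String rules = String.join("\n",
            "ITaxonService.getAvailableTaxons=ACL_ALLOW",
            "ITaxonService.getTemporaryTaxons=ACL_ALLOW");
        Set<String> missing = missingRules(ITaxonService.class, ruleKeys(rules));
        System.out.println("Methods without a security rule: " + missing);
    }
}
```

Run against the first post's rule set, this reports the two IResourceService methods that the reply had to add.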