Issues Configuring Spring Method Level Security (Annotations)
I this post, I am going to discuss about some issues that I faced while configuring method level security with
Annotation like @PreAuthorize, @PostAuthorize etc.
The scenario is that I am trying to secure the calls to my controller methods through Annotation Based Method level
security of Spring Security module.
One of the parameters of the @PreAuthorize is the method parameter of Spring controller which I am passing with the
help of Expression language and the parameter is being confugured through WebArgumentResolver of Spring as discussed in my previous post.
Section 1:
When the controller is not implementing any interface.
Now in this case I have faced two issues.
a) The value of the parameter which is being configured through WebArgumentResolver, is not reflected in the @PreAuthorize
process after passing it through # operator i.e. Expression Language.
b) The @PreAuthorize is not being invoked in spite of all having configurations in order.
c) AccessDeniedHandler is not getting invoked when @PreAuthorize returns false.
The reason for Problem (a) is when me compile a java file, the corresponding class file do not have parameter name
in it only parameter Type and order is there in class file hence mapping through ASM api(which does the byte code encoding) is not possible and so
no value is being populated.
But when we compile a java file with debug on option i.e. dubug attribute true for ANT and in Maven compile
debug is on by default then the method parameter names get stored in LocalAttributeTable and hence it is getting mapped and appropiated
value is being populated.
Now to resolve problem (b) we need some insight regarding how method level Annotation
in Spring Security works. When the class in which method level security is to be configured does not implement any type then
Spring uses its own AOP along with JDK based dynamic proxy for proxying more details are present in my post Annotation Based Method Level Security Handler Now
as of the configured bean in whose method, Method level Secrity is to be applied
Lastly for Problem (c), since in my application I have modified Spring Security method level security
feature with custom needs, without fully implementing the Spring Security so there is no Authentication Object for my current logged in User
and User Login is not configured with Spring.
So when from Method level security @PreAuthorize is returning false, an AccessDenied Exception is
being thrown, which is being caught by ExceptionTranslationFilter, which does the following:
1) If the user is Authenticated (There is Authentication Token in the SecurityContext) then, the configured
AccessDeniedHandler is called.
2) If the user is not Authenticated (which is my case) then the request is being forwarded to AuthenticationEntryPoint
so the configured Access Denied Handler is not getting invoked.
So, what I did is, I configured a custom filter and caught that Exception out there and from its catch
block I called directly the AccessDeniedHandler.
Section 2:
When the controller is implementing interface.
In this case implemetation of Method Level Security through annotation is being done through AspectJ with the
help of CGLIB proxy not with Spring AOP. In this mode some additional configurations are being required in
element i.e. mode="AspectJ" and proxy-target-class="true", this two attributes. Along with this some additional jars like AspectJweaver.jar
and others are required. During copilation of java classes in this case compilation with aspectJ i.e. compile time weaving is
reqired to be carried out, which is already being metioned in my previous post Aspects of AspectJ
Annotation like @PreAuthorize, @PostAuthorize etc.
The scenario is that I am trying to secure the calls to my controller methods through Annotation Based Method level
security of Spring Security module.
One of the parameters of the @PreAuthorize is the method parameter of Spring controller which I am passing with the
help of Expression language and the parameter is being confugured through WebArgumentResolver of Spring as discussed in my previous post.
@PreAuthorize("hasPriviledge(#dataInj,'TxnClm5013','read')")
@RequestMapping(value="/SecureMethodNew" , method=RequestMethod.GET)
public ModelAndView secureMethodNew(HttpServletRequest request,@DataInject("dataInject") String dataInject123,@DataInjectNew DataInjectObject dataInj) throws Exception
{
I am going to discuss my discussion into two sections:Section 1:
When the controller is not implementing any interface.
Now in this case I have faced two issues.
a) The value of the parameter which is being configured through WebArgumentResolver, is not reflected in the @PreAuthorize
process after passing it through # operator i.e. Expression Language.
b) The @PreAuthorize is not being invoked in spite of all having configurations in order.
c) AccessDeniedHandler is not getting invoked when @PreAuthorize returns false.
The reason for Problem (a) is when me compile a java file, the corresponding class file do not have parameter name
in it only parameter Type and order is there in class file hence mapping through ASM api(which does the byte code encoding) is not possible and so
no value is being populated.
But when we compile a java file with debug on option i.e. dubug attribute true for ANT and in Maven compile
debug is on by default then the method parameter names get stored in LocalAttributeTable and hence it is getting mapped and appropiated
value is being populated.
Now to resolve problem (b) we need some insight regarding how method level Annotation
in Spring Security works. When the class in which method level security is to be configured does not implement any type then
Spring uses its own AOP along with JDK based dynamic proxy for proxying more details are present in my post Annotation Based Method Level Security Handler Now
as of the configured bean in whose method, Method level Secrity is to be applied
Lastly for Problem (c), since in my application I have modified Spring Security method level security
feature with custom needs, without fully implementing the Spring Security so there is no Authentication Object for my current logged in User
and User Login is not configured with Spring.
So when from Method level security @PreAuthorize is returning false, an AccessDenied Exception is
being thrown, which is being caught by ExceptionTranslationFilter, which does the following:
1) If the user is Authenticated (There is Authentication Token in the SecurityContext) then, the configured
AccessDeniedHandler is called.
2) If the user is not Authenticated (which is my case) then the request is being forwarded to AuthenticationEntryPoint
so the configured Access Denied Handler is not getting invoked.
So, what I did is, I configured a custom filter and caught that Exception out there and from its catch
block I called directly the AccessDeniedHandler.
Section 2:
When the controller is implementing interface.
In this case implemetation of Method Level Security through annotation is being done through AspectJ with the
help of CGLIB proxy not with Spring AOP. In this mode some additional configurations are being required in
element i.e. mode="AspectJ" and proxy-target-class="true", this two attributes. Along with this some additional jars like AspectJweaver.jar
and others are required. During copilation of java classes in this case compilation with aspectJ i.e. compile time weaving is
reqired to be carried out, which is already being metioned in my previous post Aspects of AspectJ
Comments
Post a Comment