Spring Security
  1. Spring Security
  2. SEC-1059

Hard dependency on AspectJ runtime when using AOP alliance MethodSecurityInterceptor

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Core
    • Labels:
      None

      Description

      It would seem to me that I shouldn't have to AspectJ on the classpath when using AOP alliance. Here's an example. My config:

      <ss:authentication-manager alias="authenticationManager"/>

      <ss:authentication-provider>
      <ss:user-service id="userService">
      <ss:user name="marie" password="marie" authorities="ROLE_ADMIN" />
      <ss:user name="stan" password="stan" authorities="ROLE_ADMIN" />
      <ss:user name="cindy" password="cindy" authorities="ROLE_ADMIN" />
      <ss:user name="anon" password="anon" authorities="ROLE_ANONYMOUS" />
      </ss:user-service>
      </ss:authentication-provider>

      <bean id="accessDecisionManager" class='org.springframework.security.vote.AffirmativeBased'>
      <property name="decisionVoters">
      <list>
      <ref bean="roleVoter" />
      </list>
      </property>
      </bean>

      <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter"/>

      <bean id="echoComponent" class="org.mule.component.simple.EchoComponent"/>

      <bean id="echoComponentSecurity" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="authenticationManager" ref="authenticationManager"/>
      <property name="accessDecisionManager" ref="accessDecisionManager"/>
      <property name="objectDefinitionSource" value="org.mule.api.lifecycle.Callable.onCall=ROLE_ADMIN"/>
      </bean>

      <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
      <property name="interceptorNames">
      <list><value>echoComponentSecurity</value></list>
      </property>
      <property name="beanNames">
      <list><value>echoComponent</value></list>
      </property>
      </bean>

      And here's the exception I get when I don't have AspectJ on the classpath:

      Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'echoComponentSecurity' defined in URL file:/C:/workspaces/mule-2.x/modules/spring-security/target/test-classes/auth-component-security.xml: Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: org/aspectj/lang/Signature
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:480)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
      at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
      at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
      at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
      at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
      at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.resolveInterceptorNames(AbstractAutoProxyCreator.java:573)
      at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.buildAdvisors(AbstractAutoProxyCreator.java:534)
      at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.createProxy(AbstractAutoProxyCreator.java:477)
      at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:365)
      at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:325)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:361)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1344)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:473)
      ... 35 more
      Caused by: java.lang.NoClassDefFoundError: org/aspectj/lang/Signature
      at org.springframework.security.intercept.method.MethodDefinitionSourceEditor.setAsText(MethodDefinitionSourceEditor.java:72)
      at org.springframework.beans.TypeConverterDelegate.doConvertTextValue(TypeConverterDelegate.java:382)
      at org.springframework.beans.TypeConverterDelegate.doConvertValue(TypeConverterDelegate.java:358)
      at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:173)
      at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:138)
      at org.springframework.beans.BeanWrapperImpl.convertForProperty(BeanWrapperImpl.java:386)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.convertForProperty(AbstractAutowireCapableBeanFactory.java:1289)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1250)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
      at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
      ... 51 more

        Issue Links

          Activity

          Hide
          Luke Taylor added a comment -

          The code which obtains the security metadata for a method invocation is designed to handle both MethodInvocation instances and JoinPoints. There are also other classes in the framework which are designed to handle both. Changing this would make the code more contrived and complicated and is something I'd prefer to avoid just to solve an unwanted dependency issue.

          Show
          Luke Taylor added a comment - The code which obtains the security metadata for a method invocation is designed to handle both MethodInvocation instances and JoinPoints. There are also other classes in the framework which are designed to handle both. Changing this would make the code more contrived and complicated and is something I'd prefer to avoid just to solve an unwanted dependency issue.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Dan Diephouse
            • Votes:
              1 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: