Spring Security
  1. Spring Security
  2. SEC-1204

MethodSecurityInterceptor doesn't secure implemented interfaces

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.0.5
    • Fix Version/s: 3.0.0 RC1
    • Component/s: None
    • Labels:
      None

      Description

      For two examples out there in the community:

      http://www.mulesource.org/jira/browse/MULE-4208
      http://forum.springsource.org/showthread.php?t=74497

      This is a regression from Acegi.

        Activity

        Hide
        Luke Taylor added a comment -

        Have you tried it with class-proxying disabled? It should work with either the interface or the class name.

        For example, with the following configuration

        <bean class='org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator'>
        <property name='interceptorNames'>
        <list>
        <value>securityInterceptor</value>
        </list>
        </property>
        <property name='beanNames'>
        <list>
        <value>target</value>
        </list>
        </property>
        </bean>

        <bean id='target' class='org.springframework.security.TargetObject'/>

        <bean id='securityInterceptor' class='org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor' autowire='byType' >
        <property name='securityMetadataSource'>
        <value>
        org.springframework.security.ITargetObject.makeLower*=ROLE_A
        org.springframework.security.TargetObject.makeUpper*=ROLE_A
        org.springframework.security.ITargetObject.computeHashCode*=ROLE_B
        </value>
        </property>
        </bean>

        Then calling both the makeLower and makeUpper methods on the "target" object (with no security context) results in an AuthenticationException, indicating that the interceptor is applied.

        Show
        Luke Taylor added a comment - Have you tried it with class-proxying disabled? It should work with either the interface or the class name. For example, with the following configuration <bean class='org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator'> <property name='interceptorNames'> <list> <value>securityInterceptor</value> </list> </property> <property name='beanNames'> <list> <value>target</value> </list> </property> </bean> <bean id='target' class='org.springframework.security.TargetObject'/> <bean id='securityInterceptor' class='org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor' autowire='byType' > <property name='securityMetadataSource'> <value> org.springframework.security.ITargetObject.makeLower*=ROLE_A org.springframework.security.TargetObject.makeUpper*=ROLE_A org.springframework.security.ITargetObject.computeHashCode*=ROLE_B </value> </property> </bean> Then calling both the makeLower and makeUpper methods on the "target" object (with no security context) results in an AuthenticationException, indicating that the interceptor is applied.
        Hide
        Luke Taylor added a comment -

        Any further input? If not I will close the issue.

        Show
        Luke Taylor added a comment - Any further input? If not I will close the issue.
        Hide
        Luke Taylor added a comment -

        No feedback in over a month, so closing the issue. The general statement that interface proxying isn't supported by MethodSecurityInterceptor is clearly inaccurate since we have tests in place which do just this. If more specific issues can be isolated then please raise them individually.

        Show
        Luke Taylor added a comment - No feedback in over a month, so closing the issue. The general statement that interface proxying isn't supported by MethodSecurityInterceptor is clearly inaccurate since we have tests in place which do just this. If more specific issues can be isolated then please raise them individually.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Dan Diephouse
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: