Use static weaving with spring-security - spring-security

Colleagues,
In the Spring Security documentation I met the following notion:
If you want to secure instances which are not created by Spring (using
the new operator, for example) then you need to use AspectJ.
Could anybody please show me a workable example of such usage? The best case is if this is done with the help of static weaving.
Thank you in advance!

There is an AspectJ sample in the Spring Security codebase. It compiles against the spring-security-aspects module and then uses:
<global-method-security secured-annotations="enabled" mode="aspectj" />
to enable secured annotations. The code is very simple - it is really just a set of JUnit tests. If you take a look, you'll see that these include tests for both Spring-bean instances and instances created using the new operator.
If you want to know how spring-security-aspects works, check out the aspect source.
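The behaviour this answer describes, as an added example (not the code of the Spring Security sample): a JUnit 4 test that calls a @Secured method on an object built with the new operator. All class, method and file names are hypothetical; it assumes the sources are compiled with ajc with spring-security-aspects on the aspect path (static weaving), and that aspectj-context.xml holds the global-method-security element quoted above.

```java
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import static org.junit.Assert.assertEquals;

// Assumption: compiled by ajc with spring-security-aspects as an aspect library.
// Assumption: aspectj-context.xml (hypothetical file name) enables
// secured annotations with mode="aspectj". The context must be loaded, because
// that is what hands the woven aspect its security interceptor.
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = "classpath:aspectj-context.xml")
public class NewOperatorSecurityTests {

    // Plain class, never registered as a Spring bean (hypothetical).
    static class ReportService {
        @Secured("ROLE_USER")
        public String secureMethod() { return "report"; }
    }

    // Puts an already-authenticated token with one authority in the context.
    private static void loginAs(String authority) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", authority));
    }

    @After
    public void clearContext() { SecurityContextHolder.clearContext(); }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void rejectsCallWithoutAuthentication() {
        new ReportService().secureMethod();
    }

    @Test(expected = AccessDeniedException.class)
    public void rejectsCallerWithWrongRole() {
        loginAs("ROLE_ADMIN");
        new ReportService().secureMethod();
    }

    @Test
    public void allowsCallerWithMatchingRole() {
        loginAs("ROLE_USER");
        assertEquals("report", new ReportService().secureMethod());
    }
}
```

If the class is compiled with plain javac instead of ajc, the first two tests fail because nothing intercepts the call, which makes this a quick check that weaving actually happened.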

Related

Grails Spring Security Core 3.2.0.M1 - secure annotations not working

I have upgraded Grails and Spring Security to latest (3.3.0.RC1 and 3.2.0.M1 respectively) by following all of the migration paths but now my annotations no longer work. Control follows through to my not authorised callback (grails.plugin.springsecurity.adh.errorPage).
I have my own list of enum backed Permissions that I use to populate my list of authorities which are being correctly loaded for my user object but they no longer work in my annotations using the hasRole expression as follows:
@Secured(["hasAnyRole('PERM_VIEW_REPORTS')"])
other expressions are working fine such as the following
@Secured("authentication.name == 'sys_admin'")
@Secured("hasRole('PERM_VIEW_REPORTS')")
I don't suppose anyone has had any similar experience with the latest Spring Security release for Grails. Remember the above has worked perfectly until I upgraded but I don't see anything in the migration path that suggests there might be a problem with this system.
Thanking you in advance for any suggestions.
This came down to the "ROLE_" prefix being mandatory again in the new Spring Security 3.2.0.M1 release. As can be seen from above, I had been using a "PERM_" prefix up to now to indicate that I'm using a permission based instead of role based paradigm.
I'm hoping to add this to the migration guide for the plugin as it's a major omission AFAIC. I would hope this would become a configuration option for the plugin in a future release.
EDIT:
It turns out Spring Security have introduced new methods hasAuthority() and hasAnyAuthority() which do not use the default role prefix and so can be used in place of hasRole() and hasAnyRole().
I have forked and updated the Spring Security docs for 3.2 and sent a pull request.
Please try with
@Secured('ROLE_USER')
If you're trying to secure with more than one role
@Secured(['ROLE_USER','ROLE_ADMIN'])
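The prefix behaviour described in this thread, as an added example (not code from the thread or from the plugin): it calls the expression methods of Spring Security's SecurityExpressionRoot directly against a user holding a permission-style authority. It assumes Spring Security 4 or later on the classpath; the class name RolePrefixDemo and the authority PERM_EDIT_REPORTS are made up for the illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RolePrefixDemo {

    // SecurityExpressionRoot is abstract but declares no abstract methods, so an
    // empty anonymous subclass is enough to call its checks outside a SpEL context.
    static SecurityExpressionRoot rootFor(Authentication auth) {
        return new SecurityExpressionRoot(auth) { };
    }

    // Runs the role-based and authority-based checks against the same user.
    static Map<String, Boolean> evaluate(SecurityExpressionRoot root) {
        Map<String, Boolean> results = new LinkedHashMap<>();
        // hasRole/hasAnyRole prepend the default role prefix to names that lack
        // it, so with "ROLE_" they look for "ROLE_PERM_VIEW_REPORTS".
        results.put("hasRole", root.hasRole("PERM_VIEW_REPORTS"));
        results.put("hasAnyRole",
                root.hasAnyRole("PERM_VIEW_REPORTS", "PERM_EDIT_REPORTS"));
        // hasAuthority/hasAnyAuthority compare the granted string unchanged.
        results.put("hasAuthority", root.hasAuthority("PERM_VIEW_REPORTS"));
        results.put("hasAnyAuthority",
                root.hasAnyAuthority("PERM_VIEW_REPORTS", "PERM_EDIT_REPORTS"));
        return results;
    }

    public static void main(String[] args) {
        // Constructed user holding a single "PERM_" authority and no "ROLE_" one.
        Authentication user =
                new TestingAuthenticationToken("sys_admin", "n/a", "PERM_VIEW_REPORTS");

        System.out.println("default prefix: " + evaluate(rootFor(user)));

        // Alternative to rewriting the expressions: clear the prefix on the root.
        SecurityExpressionRoot noPrefix = rootFor(user);
        noPrefix.setDefaultRolePrefix("");
        System.out.println("empty prefix:   " + evaluate(noPrefix));
    }
}
```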

How to override Login/authenticate method in the Grails spring-security-core plugin?

I am attempting to use the Grails Spring Security Core plugin. I would like to override the login functionality, which is 'login/authenticate'. I searched through the spring-security-core plugin source and wasn't able to find the 'authenticate' method, and it's not in the generated LoginController.
https://github.com/grails-plugins/grails-spring-security-core/blob/master/grails-app/controllers/grails/plugin/springsecurity/LoginController.groovy
Any guidance would be most appreciated. Thank you in advance.
Spring security is built around filter chains. The correct way would be to create a new filter. You probably need to download the spring grails security core plugin and look at classes like GrailsUsernamePasswordAuthenticationFilter to get a feel for how to do it. Your way forward might be to copy GrailsUsernamePasswordAuthenticationFilter, install it as your authentication filter, and put logging in there.

How to convert existing Eclipse-based web application to Spring security

I have an existing, Eclipse based web servlet application that authenticates using HTTP basic authentication. I am looking to convert this to Spring based security. I understand what has to be done programmatically, but am having problems with the details of configuring the project itself in Eclipse. I am using the Spring STS toolkit, and I am able to successfully import one of the Spring Security sample apps (openid-xml) and it works fine.
My existing application also works properly when run under STS, but without Spring support.
I would like a recommendation for either a tutorial on making this conversion, or some useful advice. For example, is it easier to
a) create a new Spring application and try to migrate my existing code into it, or
b) try to convert my code by importing the various Spring libraries, etc?
c) convert my existing app to use Maven instead of Eclipse (Spring just doesn't seem to want to work without Maven, and I am at a loss here) - naturally, I have no idea how to do this.
Any advice will be most gratefully received, after a day of hit and miss frustration.
I have answered my own question, and will try to provide some details for those who may be having the same problem.
First, there is some relatively useless info available on stackoverflow, but some good stuff as well.
This (https://stackoverflow.com/a/14867188/1374167) is completely wrong. It is certainly possible to secure a servlet with Spring Security. The trick is to realize that you are going to have to use Maven and Gradle to build the libraries for Spring and Spring Security.
Once you have built these jar files, you simply import them into Eclipse (it doesn't really seem to matter which version) and set up your web.xml and security constraints.
I used this project as a starting point. It's not perfect, but it got me on the right track, after I updated the spring and spring security jar files. The full blog post is here
I had a frustrating experience getting to this point but I hope this information will help others. It's quite simple once you understand what to do.

Struts2 workflow/webflow plugin

I want a workflow/webflow plugin that needs to be integrated with an existing Struts2 application.
I found Struts-workflow-extension but looking in its source code I realized it is entirely based on Struts1 and there has been no support for this plugin since 2003.
Basically my requirement is to handle the entire workflow through configurations that could be done at runtime. Spring webflow is also an option but it's much of a learning curve depending on the deadline that I have to meet.
So is there any workflow/webflow extension that can be easily integrated with Struts2?
Any help will be highly appreciated. Thanks
You can try https://github.com/aleksandr-m/struts2-actionflow which seems to be more up to date.

StructureMap XML Configuration

I'm trying to figure out how to define the following StructureMap DSL in my web.config:
For(typeof(ILog<>)).HttpContextScoped().Use(typeof(LogFactoryWrapper<>));
Does the XML approach even support this more unusual type of declaration?
Thanks!
Did you try with:
<DefaultInstance PluginType="path.to.interface.ILog,assembly.withoutdll" PluggedType="path.to.implementation.Log,assembly.withoutdll" Scope="HttpContext" />
Jeremy D. Miller (the father of StructureMap) wrote in his blog:
As for the Xml configuration, it was going to be a near rewrite of the Xml configuration for StructureMap 3.0 and there wasn’t much demand for it. I’m happily open to pull requests if you want it for StructureMap 3.0, but it’s definitely going to be moved to a separate Nuget package because Xml support is not part of PCL.
