Joost de Vries wrote:

Hi,

I'm using acegi to guard the security of our service layer pretty much
exactly like the BankManager sample. The annotations declare the
authorisations.
  /**
   * @@SecurityConfig("ROLE_SUPERVISOR")
   * @@SecurityConfig("RUN_AS_SERVER")
   */
  public void deleteSomething(int id);

If somebody forgets to annotate a method, though, it is accessible to
all. I want the reverse: access denied unless granted. How can I
change that?



Hi Joost

Don't forget you'll need to firstly ensure the MethodSecurityInterceptor is actually called for each invocation. You might need to write an advisor to do that, assuming you're not using AspectJSecurityInterceptor and achieving it that way.

In terms of once MethodSecurityInterceptor (or AspectJSecurityInterceptor) is invoked, they both delegate to AbstractSecurityInterceptor. Your best bet is therefore to write a replacement MethodDefinitionSource, that guarantees to always return a configuration attribute (never null). This is easy to wire in using the IoC container (set your securityInterceptor's objectDefinitionSource property). It can simply proxy the normal MethodDefinitionSource (MethodDefinitionMap or MethodDefinitionAttributes), and if it returns null, that is replaced with a new SecurityConfig("UNDEFINED_PROGRAMMER_ERROR"). If none of the AccessDecisionVoters support that attribute (which should be the case), AbstractAccessDecisionManager will return false to the access decision and cause a denial of access.

HTH
Ben
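
The wrapping approach from the reply above, as a stand-alone added example (not code from the thread or from Acegi). AttributeSource and decide() are simplified stand-ins for MethodDefinitionSource and for a role voter behind a decision manager that denies when every voter abstains; the Service interface and its `forgotten` method are hypothetical.

```java
import java.lang.reflect.Method;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DenyByDefaultDemo {
    // Stand-in (assumption) for Acegi's MethodDefinitionSource; the real interface
    // has more methods and returns a ConfigAttributeDefinition, not a List.
    interface AttributeSource { List<String> getAttributes(Method m); }

    static final String UNDEFINED = "UNDEFINED_PROGRAMMER_ERROR";

    // Proxies the normal source: a null or empty result is replaced by a marker
    // attribute, so an unannotated method is never treated as public.
    static AttributeSource denyByDefault(AttributeSource delegate) {
        return m -> {
            List<String> attrs = delegate.getAttributes(m);
            return (attrs == null || attrs.isEmpty()) ? List.of(UNDEFINED) : attrs;
        };
    }

    // Stand-in for the voting step: only ROLE_ attributes are supported, anything
    // else is an abstention, and no grant at all means access is denied.
    static boolean decide(Set<String> granted, List<String> attrs) {
        for (String a : attrs) {
            if (a.startsWith("ROLE_") && granted.contains(a)) return true;
        }
        return false;
    }

    // Hypothetical service: deleteSomething is annotated, forgotten is not.
    interface Service { void deleteSomething(int id); void forgotten(int id); }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for the parsed annotations.
        Map<String, List<String>> declared =
            Map.of("deleteSomething", List.of("ROLE_SUPERVISOR", "RUN_AS_SERVER"));
        AttributeSource source = denyByDefault(m -> declared.get(m.getName()));
        Set<String> supervisor = Set.of("ROLE_SUPERVISOR");

        for (String name : List.of("deleteSomething", "forgotten")) {
            Method m = Service.class.getMethod(name, int.class);
            List<String> attrs = source.getAttributes(m);
            String verdict = decide(supervisor, attrs) ? "granted" : "denied";
            System.out.println(name + " " + attrs + " -> " + verdict);
        }
    }
}
```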


Home: http://acegisecurity.sourceforge.net
Acegisecurity-developer mailing list
Acegisecurity-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
