I'm
attemping to intercept a method call using the
net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor
bean. Unfortunately the method does not seem to get
intercepted. My user has a role of ROLE_ANONYMOUS and gets
authenticated successfully via InMemoryDaoImpl authenticationManager.
However, when the method listed in the
objectDefinitionSource property is called, it is allowing
the user to execute the method even though I have specified the role of
CARE_REP. I'm using the standard RoleVoter, but I've set the
rolePrefix property to an empty string as indicated in the code snippet.
I'm using Acegi Security 0.8.2.
applicationContext.xml snippet:
<bean
id="accessDecisionManager"
class="net.sf.acegisecurity.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
class="net.sf.acegisecurity.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
<bean id="roleVoter"
class="net.sf.acegisecurity.vote.RoleVoter">
<property name="rolePrefix">
<value></value>
</property>
</bean>
<property name="rolePrefix">
<value></value>
</property>
</bean>
<bean
id="autoProxyCreator"
class="org.springframework.aop.framework.ProxyFactoryBean">
<property name="proxyInterfaces">
<value>
com.test.CustomerInformation
</value>
</property>
<property name="interceptorNames">
<list>
<idref bean="securityInterceptor" />
</list>
</property>
</bean>
class="org.springframework.aop.framework.ProxyFactoryBean">
<property name="proxyInterfaces">
<value>
com.test.CustomerInformation
</value>
</property>
<property name="interceptorNames">
<list>
<idref bean="securityInterceptor" />
</list>
</property>
</bean>
<bean
id="securityInterceptor"
class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="validateConfigAttributes">
<value>true</value>
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref bean="accessDecisionManager" />
</property>
<property name="objectDefinitionSource">
<value>
com.test.CustomerInfo.getCustomerInfo=CARE_REP
</value>
</property>
</bean>
class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="validateConfigAttributes">
<value>true</value>
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref bean="accessDecisionManager" />
</property>
<property name="objectDefinitionSource">
<value>
com.test.CustomerInfo.getCustomerInfo=CARE_REP
</value>
</property>
</bean>
Here is a log
snippet showing Spring loading the
MethodSecurityInterceptor:
org.springframework.aop.framework.ProxyFactoryBean: Adding advisor
or TargetSource
[EMAIL PROTECTED]
with name [securityInterceptor]
DEBUG: 12:43:55: org.springframework.aop.framework.ProxyFactoryBean: Adding advisor with name [securityInterceptor]
DEBUG: 12:43:55: org.springframework.aop.framework.ProxyFactoryBean: Adding advisor with name [securityInterceptor]
I appreciate any
direction the forum can offer.
Thanks.
John
