[
https://issues.apache.org/activemq/browse/CAMEL-2796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Willem Jiang updated CAMEL-2796:
--------------------------------
Description:
While it is possible to set up different policies to enforce authorization
rules on Camel routes with the new camel-spring-security plugin, there is
currently no way to tell which policy was being enforced when a
org.springframework.security.SpringSecurityException is thrown. It would be
very helpful to have a reference to the policy ID in the
CamelAuthorizationException or in the headers so we can use it in the
onException handlers.
For example, let's say you have two policies:
{code}
<authorizationPolicy id="user" access="ROLE_USER"
    authenticationManager="authenticationManager"
    accessDecisionManager="accessDecisionManager"
    xmlns="http://camel.apache.org/schema/spring-security" />
<authorizationPolicy id="admin" access="ROLE_ADMIN"
    authenticationManager="authenticationManager"
    accessDecisionManager="accessDecisionManager"
    xmlns="http://camel.apache.org/schema/spring-security" />
{code}
You also have two routes which use these policies:
{code}
<camelContext id="myCamelContext"
    xmlns="http://camel.apache.org/schema/spring">
  <onException useOriginalMessage="true">
    <exception>org.springframework.security.BadCredentialsException</exception>
    <handled><constant>true</constant></handled>
    <to uri="log:auth_error" />
  </onException>
  <route>
    <from uri="direct:adminStart"/>
    <policy ref="admin">
      <to uri="mock:end"/>
    </policy>
  </route>
  <route>
    <from uri="direct:userStart"/>
    <policy ref="admin">
      <to uri="mock:end"/>
    </policy>
  </route>
</camelContext>
{code}
Both of these routes will fail with an AccessDeniedException if the user
doesn't have the proper role, but it would be desirable to handle exceptions
for the ROLE_ADMIN failure differently than the ROLE_USER failure, maybe by
using a <choice> element in the <onException> element.
I know we have the CamelFailureEndpoint header, but this isn't very useful when
more than one route uses the same authorization policy.
was:
While it is possible to set up different policies to enforce authorization
rules on Camel routes with the new camel-spring-security plugin, there is
currently no way to tell which policy was being enforced when a
org.springframework.security.SpringSecurityException is thrown. It would be
very helpful to have a reference to the policy ID in the
CamelAuthorizationException or in the headers so we can use it in the
onException handlers.
For example, let's say you have two policies:
<authorizationPolicy id="user" access="ROLE_USER"
authenticationManager="authenticationManager"
accessDecisionManager="accessDecisionManager"
xmlns="http://camel.apache.org/schema/spring-security" />
<authorizationPolicy id="admin" access="ROLE_ADMIN"
authenticationManager="authenticationManager"
accessDecisionManager="accessDecisionManager"
xmlns="http://camel.apache.org/schema/spring-security" />
You also have two routes which use these policies:
<camelContext id="myCamelContext"
xmlns="http://camel.apache.org/schema/spring">
<onException useOriginalMessage="true">
<exception>org.springframework.security.BadCredentialsException</exception>
<handled><constant>true</constant></handled>
<to uri="log:auth_error" />
</onException>
<route>
<from uri="direct:adminStart"/>
<policy ref="admin">
<to uri="mock:end"/>
</policy>
</route>
<route>
<from uri="direct:userStart"/>
<policy ref="admin">
<to uri="mock:end"/>
</policy>
</route>
</camelContext>
Both of these routes will fail with an AccessDeniedException if the user
doesn't have the proper role, but it would be desirable to handle exceptions
for the ROLE_ADMIN failure differently than the ROLE_USER failure, maybe by
using a <choice> element in the <onException> element.
I know we have the CamelFailureEndpoint header, but this isn't very useful when
more than one route uses the same authorization policy.
> camel-spring-security: provide reference to the policy when authorization
> fails
> -------------------------------------------------------------------------------
>
> Key: CAMEL-2796
> URL: https://issues.apache.org/activemq/browse/CAMEL-2796
> Project: Apache Camel
> Issue Type: Improvement
> Affects Versions: 2.3.0
> Reporter: Paul Mietz Egli
> Assignee: Willem Jiang
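The per-policy handling the description asks for could look like the following. This is an added example, not configuration from the issue or from the Camel project. It assumes the id of the failed policy is exposed in a message header, named CamelAuthenticationFailurePolicyId here, that the failure reaches the handler as a CamelAuthorizationException, and that direct:userStart is guarded by the user policy.

```xml
<camelContext id="myCamelContext"
    xmlns="http://camel.apache.org/schema/spring">

  <!-- One handler for every authorization failure; the branch is chosen by
       the policy that rejected the exchange, not by the failing endpoint.
       useOriginalMessage is left out so that a header set at failure time
       is not replaced by the original input message (assumption). -->
  <onException>
    <exception>org.apache.camel.CamelAuthorizationException</exception>
    <handled><constant>true</constant></handled>
    <choice>
      <when>
        <!-- Header name is an assumption; the issue only requests such a reference. -->
        <simple>${header.CamelAuthenticationFailurePolicyId} == 'admin'</simple>
        <!-- Denied ROLE_ADMIN access: log at a higher level for review. -->
        <to uri="log:auth_error.admin?level=WARN"/>
      </when>
      <when>
        <simple>${header.CamelAuthenticationFailurePolicyId} == 'user'</simple>
        <to uri="log:auth_error.user?level=INFO"/>
      </when>
      <otherwise>
        <!-- No policy id available: fall back to the generic handler. -->
        <to uri="log:auth_error"/>
      </otherwise>
    </choice>
  </onException>

  <route>
    <from uri="direct:adminStart"/>
    <policy ref="admin">
      <to uri="mock:end"/>
    </policy>
  </route>
  <route>
    <from uri="direct:userStart"/>
    <policy ref="user">
      <to uri="mock:end"/>
    </policy>
  </route>
</camelContext>
```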