-
1. Re: Type safe authorization doesn't work
shane.bryzak Jan 26, 2012 9:32 AM (in response to furuta)
Can you post the code for your authorizer method?
-
2. Re: Type safe authorization doesn't work
furuta Jan 26, 2012 10:34 AM (in response to furuta)
Indeed...
Authorizer method:
    public @Secures @SecurityRestriction boolean getPermission() throws Exception {
        // getPermissions() is a Map
        return getPermissions().get("INTERVALO") != null;
    }
@SecurityRestriction
    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    import org.jboss.seam.security.annotations.SecurityBindingType;

    @SecurityBindingType
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface SecurityRestriction {
    }
And the bean:
    @SessionScoped
    @Named("xServiceUI")
    @SecurityRestriction
    public class XServiceUI extends AbstractClass {} // it's an abstract class

I'm calling a method in XServiceUI, inherited from AbstractClass.
Thanks for your reply, Shane!
-
3. Re: Type safe authorization doesn't work
furuta Jan 26, 2012 10:36 AM (in response to furuta)
FYI: The class where the authorized method is declared is a bean annotated with @Named(x) @SessionScoped.
-
4. Re: Type safe authorization doesn't work
shane.bryzak Jan 26, 2012 11:11 AM (in response to furuta)
Where is the authorizer method declared? Is it possible to paste the entire class?
-
5. Re: Type safe authorization doesn't work
shane.bryzak Jan 26, 2012 11:16 AM (in response to furuta)
Ah, you must have posted your last message just before I sent my reply. Your code seems ok to me, I see no reason why this shouldn't work. Would you be able to raise an issue in JIRA, and if possible attach a unit test so I can reproduce the exception? That would help greatly in determining what the issue is.
-
6. Re: Type safe authorization doesn't work
furuta Jan 26, 2012 12:45 PM (in response to furuta)
I tried to run the example available in seam-security-example-authorization-3.1.0.Beta5.zip file and it worked, but the authorization annotation is declared at method level, instead of class level. I tried to remove all annotations at method level and use only one annotation at class level, and again, failed, but with another exception. Do you know why?
-
7. Re: Type safe authorization doesn't work
furuta Jan 26, 2012 1:10 PM (in response to furuta)
BTW, the exception is:
2012-01-26 16:08:39,703 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/security-authorization].[Faces Servlet]] (http-127.0.0.1-8080-4) Servlet.service() for servlet Faces Servlet threw exception: javax.enterprise.event.ObserverException
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [:1.6.0_26]
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) [:1.6.0_26]
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) [:1.6.0_26]
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513) [:1.6.0_26]
    at java.lang.Class.newInstance0(Class.java:355) [:1.6.0_26]
    at java.lang.Class.newInstance(Class.java:308) [:1.6.0_26]
    at org.jboss.weld.util.reflection.SecureReflections$16.work(SecureReflections.java:395) [:6.1.0.Final]
    at org.jboss.weld.util.reflection.SecureReflectionAccess.run(SecureReflectionAccess.java:54) [:6.1.0.Final]
    at org.jboss.weld.util.reflection.SecureReflectionAccess.runAsInstantiation(SecureReflectionAccess.java:216) [:6.1.0.Final]
    at org.jboss.weld.util.reflection.SecureReflections.newInstance(SecureReflections.java:390) [:6.1.0.Final]
    at org.jboss.weld.injection.Exceptions.rethrowException(Exceptions.java:40) [:6.1.0.Final]
    at org.jboss.weld.injection.Exceptions.rethrowException(Exceptions.java:92) [:6.1.0.Final]
    at org.jboss.weld.injection.MethodInjectionPoint.invokeOnInstanceWithSpecialValue(MethodInjectionPoint.java:214) [:6.1.0.Final]
    at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:282) [:6.1.0.Final]
    at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:265) [:6.1.0.Final]
    at org.jboss.weld.event.ObserverMethodImpl.notify(ObserverMethodImpl.java:234) [:6.1.0.Final]
    at org.jboss.weld.manager.BeanManagerImpl.notifyObservers(BeanManagerImpl.java:635) [:6.1.0.Final]
    at org.jboss.weld.manager.BeanManagerImpl.fireEvent(BeanManagerImpl.java:622) [:6.1.0.Final]
    at org.jboss.weld.manager.BeanManagerImpl.fireEvent(BeanManagerImpl.java:616) [:6.1.0.Final]
    at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(CatchExceptionFilter.java:74) [:3.1.0.Beta5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.1.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]
    at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(ServletEventBridgeFilter.java:74) [:3.1.0.Beta5]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.1.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.1.0.Final]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [:6.1.0.Final]
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.1.0.Final]
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
    at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]
    at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]
    at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]
-
8. Re: Type safe authorization doesn't work
lightguard Jan 26, 2012 3:00 PM (in response to furuta)
:( that's not much to go on. Any chance you could debug through and see which observer is being invoked before the exception?
It seems like there was an exception caught by the CatchServletFilter, but it wasn't handled and was instead rethrown, but the ObserverException there in the stack trace doesn't help much.
-
9. Re: Type safe authorization doesn't work
furuta Jan 26, 2012 3:10 PM (in response to furuta)
Hi Jason, thanks for the reply.
I'm using a previous Servlet-3.0-version. Do I have to set up something manually? I read in the documentation that I must declare in web.xml
    <listener>
        <listener-class>org.jboss.seam.faces.beanManager.BeanManagerServletContextListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.jboss.solder.resourceLoader.servlet.ResourceListener</listener-class>
    </listener>
but that didn't work anyway.
I have a multi-module project, using Maven. Do I have to declare the SecurityInterceptor in the beans.xml file in each module?
I'm using just the seam-security module.
Thanks!
-
10. Re: Type safe authorization doesn't work
lightguard Jan 26, 2012 3:15 PM (in response to furuta)
You have both Servlet 3.0.0.Final and Solder 3.1.0.Final? That will certainly cause problems. Servlet was moved into Solder during 3.1.0. Take out the 3.0.0.Final stuff and see if there's any difference.
-
11. Re: Type safe authorization doesn't work
lightguard Jan 26, 2012 3:16 PM (in response to furuta)
Unfortunately, yes, you will probably have to enable the interceptor in each module.
-
12. Re: Type safe authorization doesn't work
furuta Jan 27, 2012 8:14 AM (in response to furuta)
I did what you said, but no luck yet....
What could make this call:
Set<Bean<?>> beans = beanManager.getBeans(m.getDeclaringClass());
at the method below, in SecurityExtension class fail (return no beans)?
    @SuppressWarnings({"unchecked", "rawtypes"})
    private synchronized void lookupTargetBean() {
        if (targetBean == null) {
            Method m = implementationMethod.getJavaMember();
            Set<Bean<?>> beans = beanManager.getBeans(m.getDeclaringClass());
            if (beans.size() == 1) {
                targetBean = beans.iterator().next();
            } else if (beans.isEmpty()) {
                throw new IllegalStateException("Exception looking up authorizer method bean - "
                        + "no beans found for method [" + m.getDeclaringClass() + "." + m.getName() + "]");
            } else if (beans.size() > 1) {
                throw new IllegalStateException("Exception looking up authorizer method bean - "
                        + "multiple beans found for method [" + m.getDeclaringClass().getName() + "." + m.getName() + "]");
            }
            injectableMethod = new InjectableMethod(implementationMethod, targetBean, beanManager);
        }
    }
-
13. Re: Type safe authorization doesn't work
lightguard Jan 27, 2012 12:36 PM (in response to furuta)
What's the exception? I don't see anything that would make that fail, unless something is horribly wrong with the setup.
-
14. Re: Type safe authorization doesn't work
furuta Jan 27, 2012 2:10 PM (in response to furuta)
I was thinking about what you said, about the setup, I'll check that. The exception thrown is this:
throw new IllegalStateException("Exception looking up authorizer method bean - " + "no beans found for method [" + m.getDeclaringClass() + "." + m.getName() + "]");
Thanks Jason, and have a nice weekend!
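
Added example, not code from the thread's participants or from Seam Security: a CDI portable extension that repeats the `beanManager.getBeans(m.getDeclaringClass())` lookup quoted in post 12 for every `@Secures` method at deployment time, so a broken authorizer wiring is reported at startup instead of on the first secured call. The class name `AuthorizerLookupCheck` is hypothetical, and the package of `Secures` is assumed to be the same one the thread imports `SecurityBindingType` from.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.spi.AfterDeploymentValidation;
import javax.enterprise.inject.spi.AnnotatedMethod;
import javax.enterprise.inject.spi.Bean;
import javax.enterprise.inject.spi.BeanManager;
import javax.enterprise.inject.spi.Extension;
import javax.enterprise.inject.spi.ProcessAnnotatedType;
import org.jboss.seam.security.annotations.Secures; // assumed package

// Hypothetical diagnostic extension; the class name is illustrative.
// Register it by listing the class in
// META-INF/services/javax.enterprise.inject.spi.Extension.
public class AuthorizerLookupCheck implements Extension {

    // A Set, because an inherited authorizer is reported once per subtype.
    private final Set<Method> authorizers = new LinkedHashSet<Method>();

    // Record every @Secures method the container sees while scanning types.
    <X> void collect(@Observes ProcessAnnotatedType<X> event) {
        for (AnnotatedMethod<? super X> m : event.getAnnotatedType().getMethods()) {
            if (m.isAnnotationPresent(Secures.class)) {
                authorizers.add(m.getJavaMember());
            }
        }
    }

    // Repeat the getBeans() call quoted in the thread for each authorizer and
    // report anything other than exactly one match as a deployment problem.
    void verify(@Observes AfterDeploymentValidation event, BeanManager beanManager) {
        for (Method m : authorizers) {
            Class<?> declaring = m.getDeclaringClass();
            Set<Bean<?>> beans = beanManager.getBeans(declaring);
            if (beans.size() != 1) {
                event.addDeploymentProblem(new IllegalStateException(
                        "Authorizer " + declaring.getName() + "." + m.getName()
                        + " resolves to " + beans.size() + " beans: " + beans));
            }
        }
    }
}
```

`ProcessAnnotatedType` is fired only for classes the container scans as part of a bean archive, so an authorizer class that never shows up in this check was not discovered at all.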