15 Replies. Latest reply on Jan 27, 2012 2:59 PM by lightguard

    Type safe authorization doesn't work

    furuta

      Hi there!
      I'm having some issues with Seam Security. I created an authorization annotation, just as described here: http://docs.jboss.org/seam/3/security/latest/reference/en-US/html/security-authorization.html, but it doesn't work. The exception is:


      Caused by: java.lang.IllegalStateException: Exception looking up authorizer method bean - no beans found for method [class X.Y.Z]
           at org.jboss.seam.security.SecurityExtension$Authorizer.lookupTargetBean(SecurityExtension.java:90) [:3.1.0.Final]
           at org.jboss.seam.security.SecurityExtension$Authorizer.authorize(SecurityExtension.java:66) [:3.1.0.Final]
           at org.jboss.seam.security.SecurityInterceptor.aroundInvoke(SecurityInterceptor.java:31) [:3.1.0.Final]
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_26]
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_26]
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_26]
           at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_26]
           at org.jboss.interceptor.proxy.InterceptorInvocation$InterceptorMethodInvocation.invoke(InterceptorInvocation.java:72) [:2.0.0.CR1]
           at org.jboss.interceptor.proxy.SimpleInterceptionChain.invokeNextInterceptor(SimpleInterceptionChain.java:82) [:2.0.0.CR1]
           at org.jboss.interceptor.proxy.InterceptorMethodHandler.executeInterception(InterceptorMethodHandler.java:133) [:2.0.0.CR1]
           at org.jboss.interceptor.proxy.InterceptorMethodHandler.invoke(InterceptorMethodHandler.java:112) [:2.0.0.CR1]
           at org.jboss.weld.bean.proxy.CombinedInterceptorAndDecoratorStackMethodHandler.invoke(CombinedInterceptorAndDecoratorStackMethodHandler.java:65) [:6.1.0.Final]
           at com.matera.ibl.web.-454910254$Proxy$_$$_WeldSubclass.prepareSearch(-454910254$Proxy$_$$_WeldSubclass.java) [:]
           at ...


      Does anyone know what I did wrong?

        • 1. Re: Type safe authorization doesn't work
          shane.bryzak

          Can you post the code for your authorizer method?

          • 2. Re: Type safe authorization doesn't work
            furuta

            Indeed...


            Authorizer method:




            public @Secures @SecurityRestriction boolean getPermission() throws Exception {
                return getPermissions().get("INTERVALO") != null; // getPermissions() is a Map
            }
            




            @SecurityRestriction



            import java.lang.annotation.ElementType;
            import java.lang.annotation.Retention;
            import java.lang.annotation.RetentionPolicy;
            import java.lang.annotation.Target;
            
            import org.jboss.seam.security.annotations.SecurityBindingType;
            
            @SecurityBindingType
            @Retention(RetentionPolicy.RUNTIME)
            @Target({ElementType.TYPE, ElementType.METHOD})
            public @interface SecurityRestriction { }






            And the bean:


            @SessionScoped
            @Named("xServiceUI")
            @SecurityRestriction
            public class XServiceUI extends AbstractClass {} // it's an abstract class



            I'm calling a method in XServiceUI, inherited from AbstractClass


            Thanks for your reply, Shane!

            • 3. Re: Type safe authorization doesn't work
              furuta

              FYI: The class where the authorized method is declared is a bean annotated with @Named(x) @SessionScoped.

              • 4. Re: Type safe authorization doesn't work
                shane.bryzak

                Where is the authorizer method declared?  Is it possible to paste the entire class?

                • 5. Re: Type safe authorization doesn't work
                  shane.bryzak

                  Ah, you must have posted your last message just before I sent my reply.  Your code seems ok to me, I see no reason why this shouldn't work.  Would you be able to raise an issue in JIRA, and if possible attach a unit test so I can reproduce the exception?  That would help greatly in determining what the issue is.

                  • 6. Re: Type safe authorization doesn't work
                    furuta

                    I tried to run the example available in seam-security-example-authorization-3.1.0.Beta5.zip file and it worked, but the authorization annotation is declared at method level, instead of class level. I tried to remove all annotations at method level and use only one annotation at class level, and again, failed, but with another exception. Do you know why?

                    • 7. Re: Type safe authorization doesn't work
                      furuta

                      BTW, the exception is :




                      2012-01-26 16:08:39,703 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/security-authorization].[Faces Servlet]] (http-127.0.0.1-8080-4) Servlet.service() for servlet Faces Servlet threw exception: javax.enterprise.event.ObserverException
                           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [:1.6.0_26]
                           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) [:1.6.0_26]
                           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) [:1.6.0_26]
                           at java.lang.reflect.Constructor.newInstance(Constructor.java:513) [:1.6.0_26]
                           at java.lang.Class.newInstance0(Class.java:355) [:1.6.0_26]
                           at java.lang.Class.newInstance(Class.java:308) [:1.6.0_26]
                           at org.jboss.weld.util.reflection.SecureReflections$16.work(SecureReflections.java:395) [:6.1.0.Final]
                           at org.jboss.weld.util.reflection.SecureReflectionAccess.run(SecureReflectionAccess.java:54) [:6.1.0.Final]
                           at org.jboss.weld.util.reflection.SecureReflectionAccess.runAsInstantiation(SecureReflectionAccess.java:216) [:6.1.0.Final]
                           at org.jboss.weld.util.reflection.SecureReflections.newInstance(SecureReflections.java:390) [:6.1.0.Final]
                           at org.jboss.weld.injection.Exceptions.rethrowException(Exceptions.java:40) [:6.1.0.Final]
                           at org.jboss.weld.injection.Exceptions.rethrowException(Exceptions.java:92) [:6.1.0.Final]
                           at org.jboss.weld.injection.MethodInjectionPoint.invokeOnInstanceWithSpecialValue(MethodInjectionPoint.java:214) [:6.1.0.Final]
                           at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:282) [:6.1.0.Final]
                           at org.jboss.weld.event.ObserverMethodImpl.sendEvent(ObserverMethodImpl.java:265) [:6.1.0.Final]
                           at org.jboss.weld.event.ObserverMethodImpl.notify(ObserverMethodImpl.java:234) [:6.1.0.Final]
                           at org.jboss.weld.manager.BeanManagerImpl.notifyObservers(BeanManagerImpl.java:635) [:6.1.0.Final]
                           at org.jboss.weld.manager.BeanManagerImpl.fireEvent(BeanManagerImpl.java:622) [:6.1.0.Final]
                           at org.jboss.weld.manager.BeanManagerImpl.fireEvent(BeanManagerImpl.java:616) [:6.1.0.Final]
                           at org.jboss.solder.servlet.exception.CatchExceptionFilter.doFilter(CatchExceptionFilter.java:74) [:3.1.0.Beta5]
                           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.1.0.Final]
                           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]
                           at org.jboss.solder.servlet.event.ServletEventBridgeFilter.doFilter(ServletEventBridgeFilter.java:74) [:3.1.0.Beta5]
                           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:274) [:6.1.0.Final]
                           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.1.0.Final]
                           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [:6.1.0.Final]
                           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [:6.1.0.Final]
                           at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:181) [:6.1.0.Final]
                           at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event(CatalinaContext.java:285) [:1.1.0.Final]
                           at org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invoke(CatalinaContext.java:261) [:1.1.0.Final]
                           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]
                           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
                           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]
                           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [:6.1.0.Final]
                           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]
                           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]
                           at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
                           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]
                           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]
                           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]
                           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]
                           at java.lang.Thread.run(Thread.java:662) [:1.6.0_26]



                      • 8. Re: Type safe authorization doesn't work
                        lightguard

                        :( that's not much to go on. Any chance you could debug through and see which observer is being invoked before the exception?


                        It seems like there was an exception caught by the CatchServletFilter, but it wasn't handled and was instead rethrown, but the ObserverException there in the stack trace doesn't help much.

                        • 9. Re: Type safe authorization doesn't work
                          furuta

                          Hi Jason, thanks for the reply.


                          I'm using a previous Servlet-3.0-version. Do I have to set something up manually? I read in the documentation that I must declare in web.xml:



                          <listener>
                             <listener-class>org.jboss.seam.faces.beanManager.BeanManagerServletContextListener</listener-class>
                          </listener>
                          
                          <listener>
                             <listener-class>org.jboss.solder.resourceLoader.servlet.ResourceListener</listener-class>
                          </listener>



                          but that didn't work anyway.


                          I have a multi-module project, using Maven. Do I have to declare the SecurityInterceptor in the beans.xml file in each module?


                          I'm using just the seam-security module.


                          Thanks!

                          • 10. Re: Type safe authorization doesn't work
                            lightguard

                            You have both Servlet 3.0.0.Final and Solder 3.1.0.Final? That will certainly cause problems. Servlet was moved into Solder during 3.1.0. Take out the 3.0.0.Final stuff and see if there's any difference.

                            • 11. Re: Type safe authorization doesn't work
                              lightguard

                              Unfortunately, yes, you will probably have to enable the interceptor in each module.
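
A build-time check for the point in reply 11, added here as an example (not code from the thread or from Seam): CDI 1.0 enables interceptors per bean archive through that archive's beans.xml, so the script reports, for each Maven module, whether a beans.xml exists and whether it lists the SecurityInterceptor. The module names, the Maven directory layout and the sample project are constructed assumptions.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

INTERCEPTOR = "org.jboss.seam.security.SecurityInterceptor"  # as in the stack trace
# Assumed Maven layout: jar modules use META-INF/beans.xml, war modules WEB-INF/beans.xml.
CANDIDATES = ("src/main/resources/META-INF/beans.xml",
              "src/main/webapp/WEB-INF/beans.xml")

def _local(tag):  # strip the XML namespace so "{ns}class" compares equal to "class"
    return tag.rsplit("}", 1)[-1]

def module_status(module_dir):
    """Classify one module: 'no-beans-xml', 'interceptor-missing' or 'enabled'."""
    found = [p for p in (Path(module_dir) / c for c in CANDIDATES) if p.is_file()]
    if not found:
        return "no-beans-xml"  # CDI 1.0: not a bean archive, its classes are not beans
    for beans_xml in found:
        try:
            root = ET.parse(beans_xml).getroot()
        except ET.ParseError:
            continue  # an empty beans.xml is a legal marker file but enables nothing
        for section in root.iter():
            if _local(section.tag) == "interceptors" and any(
                    _local(c.tag) == "class" and (c.text or "").strip() == INTERCEPTOR
                    for c in section):
                return "enabled"
    return "interceptor-missing"  # bean archive, but the interceptor is not enabled in it

def audit(project_root):
    """Return {module name: status} for each sub-directory that has a pom.xml."""
    return {pom.parent.name: module_status(pom.parent)
            for pom in sorted(Path(project_root).glob("*/pom.xml"))}

def build_sample(root):
    """Constructed three-module project (hypothetical module names) as sample input."""
    enabled = ('<beans xmlns="http://java.sun.com/xml/ns/javaee"><interceptors>'
               f"<class>{INTERCEPTOR}</class></interceptors></beans>")
    files = {"web/src/main/webapp/WEB-INF/beans.xml": enabled,
             "services/src/main/resources/META-INF/beans.xml": "",
             "model/src/main/java/.keep": ""}
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
        (Path(root) / rel.split("/")[0] / "pom.xml").write_text("<project/>")
    return root

if __name__ == "__main__":
    print(audit(build_sample(tempfile.mkdtemp())))
```

A module reported as `interceptor-missing` is the case to review first when a class-level security binding annotation sits on a bean in that module.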

                              • 12. Re: Type safe authorization doesn't work
                                furuta

                                I did what you said, but no luck yet....


                                What could make this call:




                                Set<Bean<?>> beans = beanManager.getBeans(m.getDeclaringClass());



                                in the method below, in the SecurityExtension class, fail (return no beans)?



                                        @SuppressWarnings({"unchecked", "rawtypes"})
                                        private synchronized void lookupTargetBean() {
                                            if (targetBean == null) {
                                                Method m = implementationMethod.getJavaMember();
                                
                                                Set<Bean<?>> beans = beanManager.getBeans(m.getDeclaringClass());
                                                if (beans.size() == 1) {
                                                    targetBean = beans.iterator().next();
                                                } else if (beans.isEmpty()) {
                                                    throw new IllegalStateException("Exception looking up authorizer method bean - " +
                                                            "no beans found for method [" + m.getDeclaringClass() + "." +
                                                            m.getName() + "]");
                                                } else if (beans.size() > 1) {
                                                    throw new IllegalStateException("Exception looking up authorizer method bean - " +
                                                            "multiple beans found for method [" + m.getDeclaringClass().getName() + "." +
                                                            m.getName() + "]");
                                                }
                                
                                                injectableMethod = new InjectableMethod(implementationMethod, targetBean, beanManager);
                                            }
                                        }
                                




                                • 13. Re: Type safe authorization doesn't work
                                  lightguard

                                  What's the exception? I don't see anything that would make that fail, unless something is horribly wrong with the setup.

                                  • 14. Re: Type safe authorization doesn't work
                                    furuta

                                    I was thinking about what you said, about the setup, I'll check that. The exception thrown is this:



                                                        throw new IllegalStateException("Exception looking up authorizer method bean - " +
                                                                "no beans found for method [" + m.getDeclaringClass() + "." +
                                                                m.getName() + "]");




                                    Thanks Jason, and have a nice weekend!

