All geek questions in one place

Spring AOP and apache shiro configuration. Not verified numbers

I struggled with a configuration that requires knowledge in AOP.

I have to admit that AOP is the part that I am trying to get for a while. It seems that my synonized annotations are not scanned and therefore are ignored.

I tried using shiro 1.1.0+ maven3 + spring 3.0.5.RELEASE, hibernate 3.6.1.Final with ZK 5.0.6. I got my hibernaterealm while working, talking to the database, I got authentication, I successfully (I suppose) get roles and permission is loaded.

therefore, to check the authorization side, I have somewhere in my code:

Subject currentUser = SecurityUtils.getSubject(); if (!currentUser.isPermitted("businessaccount:list")) { throw new AuthorizationException("User not authorized"); }

and it works great.
Therefore, I know that my permissions have been downloaded. It will be convenient for me to use annotations to the fact that I put it in the implementation class, because I did not plan to use the interface in the first place with my controller classes that extend the ZK GenericForwardController.

I saw this error , and I decided to try using the same interface with the @RequiresPersmissions methods on the methods.

apparently it still does not work, as it gives access to an unauthorized item. There are no errors in my log. Maybe I'm doing something wrong, this is a piece of code:

 @Component("layouteventhandler") public class LayoutEventHandlerImpl extends GenericForwardComposer implements LayoutEventHandler { Logger logger = Logger.getLogger(LayoutEventHandlerImpl.class); Menuitem logout; //... @Override public void onClick$pAccounts() { try { execution.sendRedirect("/accounts/personal/list"); } catch (Exception ex) { logger.info("Error redirecting to personal accounts", ex); } } @Override public void onClick$bAccounts() { try { execution.sendRedirect("/accounts/business/list"); } catch (Exception ex) { logger.info("Error redirecting to business accounts", ex); } } //..... }

its interface:

 public interface LayoutEventHandler { @RequiresPermissions(value="personalaccount:list") public void onClick$pAccounts(); @RequiresPermissions(value="businessaccount:list") public void onClick$bAccounts(); //..... }

here is my simple applicationcontext

 <bean id="hibernateRealm" class="com.personal.project.admin.webapp.security.DatabaseRealm" /> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realm" ref="hibernateRealm" /> </bean> <bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" /> <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator" depends-on="lifecycleBeanPostProcessor"> <!-- <property name="proxyTargetClass" value="true" />--> </bean> <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- Secure Spring remoting: Ensure any Spring Remoting method invocations can be associated with a Subject for security checks. --> <bean id="secureRemoteInvocationExecutor" class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor"> <property name="securityManager" ref="securityManager"/> </bean> <!-- ... -->

Is that what I have to do? thanks for reading and help

+2
source share
3 answers

I donโ€™t know Shiro, but I assume that you added annotations to your bean classes that implement interfaces, and then you proxy them for security, transactions, and / or something else. When this happens, the returned object is a dynamic JDK proxy, which is not an instance of your particular bean class, but only the interface that it implements. Therefore, any scan of annotations that depends on annotations in a particular class will not find them.

+2
source

To expand the answer to Ryan Stewartโ€™s question, you need to add

 @Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)

for the implementation class (not the interface) and move the Shiro annotations to it.

0
source

I had a similar problem when I ran two spring contexts. There is a root root context that defines the database, service, security, and non-SpringMVC web beans and a child web context for the spring MVC REST api, which contains the controllers that I want the proxy to. The configuration for each context was a scan class for scanning individual packets.

In this case, make sure that the required DefaultAdvisorAutoProxyCreator and AuthorizationAttributeSourceAdvisor beans attributes are defined in the child web context (that is, where the Break Controllers are a class route scan), as defining them in the parent context does not work (the default documentation of the AdvisorAutoProxyCreate is completely clear about this in retrospect! )

Posting this message if someone else is facing the same problem.

0
source

Source: https://habr.com/ru/post/899153/

More articles:


All Articles