Hi guys,

I'm trying this security interceptor for the first time! It seems a nice
solution to work with the j2ee container. I got it all configured and it
worked out of the box! Nice!
But then problems arose while I was building a menu based on user
roles! Let me explain:


   1. I have secured a link in a JSP with the security tag, for which I have no
   roles!
   2. In my action, I'm using a method to intercept the lifecycle; think of
   an @After(LifecycleStage.BindingAndValidation) method. This method will
   call an EJB to fill some data before the default handler forwards to the JSP.
   3. If I have no permission in my EJB, it will throw an
   EJBAccessException!
   4. Then the JSP is unable to render because the tag won't catch that
   exception (I'm supposing that it will catch only a
   StripesSecurityException, right?!)


Securing the action lifecycle interceptor method with the @RolesAllowed
annotation won't work! It seems to ignore that!
Another disadvantage of my solution that didn't happen with ACL is that if I use
interceptor methods for filling data on my actions, the security interceptor
will make a request for that page and, if so, will even go to the database and
fetch data, just for checking roles! Imagine building a menu: it will call
every action, and every action will fill data! No can do!

Think it might be a problem here! Any ideas?
My suggestion on this would be to include roles on the tag like
<security:allowed roles="a,b,c">!

What do you guys think of this?
Thanks in advance

PS: Here are some snippets and the stacktrace!

    <!-- Task -->
    <stripes:useActionBean var="taskBean" event="main" beanclass="my.package.presentation.action.task.ListTaskActionBean"/>
    <security:allowed bean="taskBean" event="main">
        <li id="tabTask"><stripes:link beanclass="my.package.presentation.action.task.ListTaskActionBean">
            <fmt:message key="tabs.task.text" />




    @DefaultHandler
    @DontValidate
    @RolesAllowed("VIEW_TASK")
    public Resolution main() {
        return new ForwardResolution("/WEB-INF/task/listTask.jsp");
    }

    /**
     * Fills all the needed data from the DB.
     *
     * @throws ObjectNotFoundException when object is not found
     * @throws BusinessException when parameter is incorrect
     */
    @After(stages = { LifecycleStage.BindingAndValidation })
    public void fillData() throws BusinessException, ObjectNotFoundException {
        task = taskService.getTasks();
    }


Stacktrace:
    at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:498) [:6.0.0.Final]
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:393) [:6.0.0.Final]
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [:6.0.0.Final]
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [:6.0.0.Final]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:734) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:639) [:6.0.0.Final]
    at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:576) [:6.0.0.Final]
    at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968) [:6.0.0.Final]
    at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:621) [:6.0.0.Final]
    at com.opensymphony.module.sitemesh.taglib.page.ApplyDecoratorTag.doEndTag(ApplyDecoratorTag.java:258) [:]
    at org.apache.jsp.WEB_002dINF.home_jsp._jspx_meth_page_005fapplyDecorator_005f0(home_jsp.java:206)
    at org.apache.jsp.WEB_002dINF.home_jsp._jspService(home_jsp.java:98)
    ... 68 more
Caused by: javax.servlet.ServletException: net.sourceforge.stripes.exception.StripesJspException: Unabled to prepare ActionBean for JSP Usage
    at org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:858) [:6.0.0.Final]
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:791) [:6.0.0.Final]
    at org.apache.jsp.WEB_002dINF.decorators.outerTabs_jsp._jspService(outerTabs_jsp.java:368)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [:6.0.0.Final]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [:6.0.0.Final]
    ... 81 more
Caused by: javax.ejb.EJBAccessException: Caller unauthorized
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:323) [:1.7.17]
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:380) [:1.7.17]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_21]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_21]
    at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:184) [:1.0.11]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143) [:1.7.17]
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
    at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:159) [:1.0.11]
    at $Proxy206.invoke(Unknown Source)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185) [:1.0.11]
    at $Proxy262.getTasks(Unknown Source)
    at my.package.presentation.action.task.ListTaskActionBean.fillData(ListTaskActionBean.java:99) [:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_21]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_21]
    at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.invoke(BeforeAfterMethodInterceptor.java:154) [:1.5.6]
    at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:129) [:1.5.6]
    at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155) [:1.5.6]
    at net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74) [:1.5.6]
    at net.sourceforge.stripes.controller.DispatcherHelper.doBindingAndValidation(DispatcherHelper.java:214) [:1.5.6]
    at net.sourceforge.stripes.tag.UseActionBeanTag.doStartTag(UseActionBeanTag.java:140) [:1.5.6]
    at org.apache.jsp.WEB_002dINF.decorators.tabs_jsp._jspService(outerTabs_jsp.java:197)
    ... 84 more



-- 
Luís Tiago Barreto Rico
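
An added example, not part of the original post and not code from Stripes or its security interceptor: one way to decide menu-link visibility from the `@RolesAllowed` metadata alone, so that no action bean is instantiated and no `@After` method or EJB call runs during the check. `HandlerRoleCheck`, `isAllowed` and `SampleBean` are hypothetical names; it assumes the JSR-250 annotations (`javax.annotation.security`) are on the classpath, as they are in a Java EE container.

```java
import java.lang.reflect.Method;
import java.util.function.Predicate;
import javax.annotation.security.RolesAllowed;

public final class HandlerRoleCheck {

    /**
     * Returns true when the caller holds at least one role declared on the
     * handler method (or, failing that, on the bean class). Only annotations
     * are read: the bean is never constructed, so its lifecycle methods and
     * any EJB or database access behind them are not triggered.
     */
    public static boolean isAllowed(Class<?> beanClass, String handlerName,
                                    Predicate<String> isUserInRole) {
        Method handler;
        try {
            handler = beanClass.getMethod(handlerName);
        } catch (NoSuchMethodException e) {
            return false; // unknown handler: fail closed and hide the link
        }
        RolesAllowed roles = handler.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            roles = beanClass.getAnnotation(RolesAllowed.class);
        }
        if (roles == null) {
            return false; // assumption of this sketch: unannotated means hidden
        }
        for (String role : roles.value()) {
            if (isUserInRole.test(role)) {
                return true;
            }
        }
        return false;
    }

    /** Constructed stand-in for the poster's ListTaskActionBean. */
    public static class SampleBean {
        @RolesAllowed("VIEW_TASK")
        public Object main() { return null; }

        // Stands in for the @After method that calls the secured EJB.
        public void fillData() { throw new IllegalStateException("must not run"); }
    }

    public static void main(String[] args) {
        // Constructed callers: one with VIEW_TASK, one with an unrelated role.
        System.out.println(isAllowed(SampleBean.class, "main", "VIEW_TASK"::equals));
        System.out.println(isAllowed(SampleBean.class, "main", "VIEW_REPORT"::equals));
    }
}
```

In a servlet or tag, `request::isUserInRole` can be passed as the predicate. The check only controls whether the link is rendered; the `@RolesAllowed` checks on the action and on the EJB remain the enforcement points.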