Forgot to say that with this approach, the problem also arises if you access the actionBean without having permissions!
2011/6/4 Luis Tiago Rico <tiagor...@gmail.com>
> Hi guys,
>
> I'm trying this security interceptor for the first time! It seems a nice
> solution to work with the j2ee container. I got it all configured and it
> worked out of the box! Nice!
> But then the problems had arisen while I was building a menu based on
> user roles! Let me explain:
>
> 1. I have secured a link in jsp with the security tag for which I have
>    no roles!
> 2. In my action, I'm using a method to intercept the lifecycle, think
>    of a @After(LifecycleStage.BindingAndValidation) method. This method
>    will call an EJB to fill some data, before the default handler forwards to
>    jsp.
> 3. If in my EJB I have no permission, it will throw an
>    EJBAccessException!
> 4. Then the jsp is unable to render due to the tag won't catch that
>    exception (I'm supposing that it will catch only a
>    StripesSecurityException, right?!)
>
> Securing the action lifecycle interceptor method with the @RolesAllowed
> annotation won't work! It seems to ignore that!
> Another disadvantage of my solution that didn't happen with ACL is if I
> use interceptor methods for filling data on my actions, the security
> interceptor will make a request for that page and if so, will even go to
> the database and fetch data, just for checking roles! Imagine building a menu,
> it will call every action, every action will fill data! No can do!
>
> Think it might be a problem here! Any ideas?
> My suggestion on this would be to include roles on the tag like
> <security:allowed roles="a,b,c">!
>
> What do you guys think of this?
> Thanks in advance
>
> PS: Here are some snippets and the stacktrace!
>
> <!-- Task -->
> <stripes:useActionBean var="taskBean" event="main"
>     beanclass="my.package.presentation.action.task.ListTaskActionBean"/>
> <security:allowed bean="taskBean" event="main">
>   <li id="tabTask"><stripes:link
>       beanclass="my.package.presentation.action.task.ListTaskActionBean">
>     <fmt:message key="tabs.task.text" />
>
> @DefaultHandler
> @DontValidate
> @RolesAllowed("VIEW_TASK")
> public Resolution main() {
>     return new ForwardResolution("/WEB-INF/task/listTask.jsp");
> }
>
> /**
>  * Fills all the needed data from the DB.
>  *
>  * @throws ObjectNotFoundException when object is not found
>  * @throws BusinessException when parameter is incorrect
>  */
> @After(stages = { LifecycleStage.BindingAndValidation })
> public void fillData() throws BusinessException, ObjectNotFoundException {
>     task = taskService.getTasks();
> }
>
> Stacktrace:
> at org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:498) [:6.0.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:393) [:6.0.0.Final]
> at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [:6.0.0.Final]
> at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [:6.0.0.Final]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:324) [:6.0.0.Final]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:242) [:6.0.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:734) [:6.0.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:639) [:6.0.0.Final]
> at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:576) [:6.0.0.Final]
> at org.apache.jasper.runtime.JspRuntimeLibrary.include(JspRuntimeLibrary.java:968) [:6.0.0.Final]
> at org.apache.jasper.runtime.PageContextImpl.include(PageContextImpl.java:621) [:6.0.0.Final]
> at com.opensymphony.module.sitemesh.taglib.page.ApplyDecoratorTag.doEndTag(ApplyDecoratorTag.java:258) [:]
> at org.apache.jsp.WEB_002dINF.home_jsp._jspx_meth_page_005fapplyDecorator_005f0(home_jsp.java:206)
> at org.apache.jsp.WEB_002dINF.home_jsp._jspService(home_jsp.java:98)
> ... 68 more
> Caused by: javax.servlet.ServletException: net.sourceforge.stripes.exception.StripesJspException: Unabled to prepare ActionBean for JSP Usage
> at org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:858) [:6.0.0.Final]
> at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:791) [:6.0.0.Final]
> at org.apache.jsp.WEB_002dINF.decorators.outerTabs_jsp._jspService(outerTabs_jsp.java:368)
> at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [:6.0.0.Final]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [:1.0.0.Final]
> at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [:6.0.0.Final]
> ... 81 more
> Caused by: javax.ejb.EJBAccessException: Caller unauthorized
> at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:323) [:1.7.17]
> at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:380) [:1.7.17]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_21]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_21]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_21]
> at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_21]
> at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalContainerInvocation.invokeTarget(SessionLocalProxyInvocationHandler.java:184) [:1.0.11]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143) [:1.7.17]
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
> at org.jboss.ejb3.proxy.impl.handler.session.SessionLocalProxyInvocationHandler$LocalInvokableContextHandler.invoke(SessionLocalProxyInvocationHandler.java:159) [:1.0.11]
> at $Proxy206.invoke(Unknown Source)
> at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185) [:1.0.11]
> at $Proxy262.getTasks(Unknown Source)
> at my.package.presentation.action.task.ListTaskActionBean.fillData(ListTaskActionBean.java:99) [:]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_21]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_21]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_21]
> at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_21]
> at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.invoke(BeforeAfterMethodInterceptor.java:154) [:1.5.6]
> at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:129) [:1.5.6]
> at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155) [:1.5.6]
> at net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74) [:1.5.6]
> at net.sourceforge.stripes.controller.DispatcherHelper.doBindingAndValidation(DispatcherHelper.java:214) [:1.5.6]
> at net.sourceforge.stripes.tag.UseActionBeanTag.doStartTag(UseActionBeanTag.java:140) [:1.5.6]
> at org.apache.jsp.WEB_002dINF.decorators.tabs_jsp._jspService(outerTabs_jsp.java:197)
> ... 84 more
>
> --
> Luís Tiago Barreto Rico

--
Luís Tiago Barreto Rico
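An added example of the role-attribute approach the message above suggests (this is not code from the thread, from the Stripes project or from the security interceptor it discusses): a JSP tag that gates a menu entry on the container's own role information, so rendering the menu never prepares an ActionBean, never runs its @After lifecycle methods and never reaches the EJB. The package name `example.tags`, the class `RolesAllowedTag` and the tag prefix `sec` are assumptions.

```java
// Added example, not from the mailing-list thread or the Stripes project.
// A body tag whose content is rendered only when the caller holds at least one
// of the listed container roles. Because the check is request.isUserInRole()
// alone, building a menu from it triggers no ActionBean lifecycle stage and no
// EJB call, which is the side effect the original message ran into.
// Assumed names: package example.tags, class RolesAllowedTag, tag <sec:allowed>.
package example.tags;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.JspFragment;
import javax.servlet.jsp.tagext.SimpleTagSupport;

public class RolesAllowedTag extends SimpleTagSupport {

    /** Comma-separated container roles, e.g. roles="VIEW_TASK,ADMIN". */
    private String roles;

    public void setRoles(String roles) {
        this.roles = roles;
    }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext pageContext = (PageContext) getJspContext();
        HttpServletRequest request = (HttpServletRequest) pageContext.getRequest();

        JspFragment body = getJspBody();
        if (body != null && isAllowed(request)) {
            // Evaluate the body only after the role check passed; the body
            // (link, label, ...) is never touched for callers without a role.
            body.invoke(null);
        }
    }

    /**
     * Pure role check against the container's principal: no ActionBean,
     * no lifecycle stages, no EJB, no database access.
     * Fails closed: no configured roles or an anonymous caller means "not allowed".
     */
    boolean isAllowed(HttpServletRequest request) {
        if (roles == null || roles.trim().isEmpty() || request.getUserPrincipal() == null) {
            return false;
        }
        for (String role : roles.split(",")) {
            String trimmed = role.trim();
            if (!trimmed.isEmpty() && request.isUserInRole(trimmed)) {
                return true;
            }
        }
        return false;
    }
}
```

Registered in a tag library descriptor with a single `roles` attribute (`rtexprvalue` true so the role list can come from EL), the menu entry becomes `<sec:allowed roles="VIEW_TASK">` wrapping the `<stripes:link>` with no `useActionBean` in front of it. The tag only decides what navigation is shown; the `@RolesAllowed` checks on the handler and on the EJB remain the authoritative ones when the action is actually invoked, so a hidden menu entry never replaces them.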
_______________________________________________
Stripes-users mailing list
Stripes-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/stripes-users