I think I have discovered the problem - the security.xml file has some
security advice filters that are restricting access to certain methods in
the UserManager. (getUsers() and removeUser()).
tonyl wrote:
>
> Here's a more full stack trace - still getting the problem - but only with
> Users, not Groups.
>
> Caused by: javax.faces.el.EvaluationException: Bean:
> com.openlogic.blueglue.webapp.action.UserList, property: users
> at
> org.apache.myfaces.el.PropertyResolverImpl.getProperty(PropertyResolverImpl.java:442)
> at
> org.apache.myfaces.el.PropertyResolverImpl.getValue(PropertyResolverImpl.java:82)
> at
> com.sun.facelets.el.LegacyELContext$LegacyELResolver.getValue(LegacyELContext.java:141)
> at com.sun.el.parser.AstValue.getValue(AstValue.java:117)
> at
> com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:192)
> at
> com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
> at
> com.sun.facelets.el.LegacyValueBinding.getValue(LegacyValueBinding.java:56)
> ... 97 more
> Caused by: java.lang.reflect.InvocationTargetException
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at
> org.apache.myfaces.el.PropertyResolverImpl.getProperty(PropertyResolverImpl.java:438)
> ... 103 more
> Caused by: org.acegisecurity.AccessDeniedException: Access is denied
> at
> org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
> at
> org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:276)
> at
> org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
> at
> org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:104)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
> at
> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
> at
> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
> at
> org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:652)
> at
> com.openlogic.blueglue.server.service.impl.UserManagerImpl$$EnhancerByCGLIB$$123aa7cc.getUsers(<generated>)
> at
> com.openlogic.blueglue.webapp.action.UserList.getUsers(UserList.java:79)
>
>
> tonyl wrote:
>>
>> I already made User.getAuthorities() call User.getAllAuthorities() and
>> that's what allowed me to log in and have the mainMenu.xhtml display the
>> links to the admin secured areas. It's just that when I then click to
>> view the Users List - I get the access denied error.
>>
>> I'll try it.
>>
>>
>> mraible wrote:
>>>
>>> What if you change User.getAllAuthorities to be User.getAuthorities -
>>> does that work?
>>>
>>> Matt
>>>
>>> On 2/26/07, tonyl <[EMAIL PROTECTED]> wrote:
>>>>
>>>> I get the following error:
>>>>
>>>> Caused by: org.acegisecurity.AccessDeniedException: Access is denied
>>>> at
>>>> org.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:68)
>>>> at
>>>> org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:276)
>>>> at
>>>> org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
>>>> at
>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
>>>> at
>>>> org.springframework.orm.hibernate3.HibernateInterceptor.invoke(HibernateInterceptor.java:104)
>>>> at
>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
>>>> at
>>>> org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
>>>> at
>>>> org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:185)
>>>> at
>>>> org.springframework.aop.framework.Cglib2AopProxy$DynamicAdvisedInterceptor.intercept(Cglib2AopProxy.java:652)
>>>> at
>>>> com.openlogic.blueglue.server.service.impl.UserManagerImpl$$EnhancerByCGLIB$$dd3afb5a.getUsers(<generated>)
>>>> at
>>>> com.openlogic.blueglue.webapp.action.UserList.getUsers(UserList.java:80)
>>>>
>>>> So, the transaction advice is getting called before the getUsers() call
>>>> but
>>>> I don't think it's calling UserSecurityAdvice since I put some printlns
>>>> in
>>>> the before method and nothing is coming out in the console or the log.
>>>>
>>>> Unfortunately, my laptop won't let me run tests - I have some
>>>> configuration
>>>> problem with my database, but the application runs totally fine.
>>>>
>>>>
>>>>
>>>> mraible wrote:
>>>> >
>>>> > On 2/26/07, tonyl <[EMAIL PROTECTED]> wrote:
>>>> >>
>>>> >> The following code got me a whole lot farther than I expected. I'm
>>>> >> getting an
>>>> >> Access Denied Error however. The code that checks for that is in
>>>> >> UserSecurityAdvice - correct?
>>>> >
>>>> > It depends on when you get the access denied error. You might try
>>>> > running and manipulating UserSecurityAdviceTest.
>>>> >
>>>> > Matt
>>>> >
>>>> >>
>>>> >>
>>>> >> public GrantedAuthority[] getAuthorities()
>>>> >> {
>>>> >> /*
>>>> >> List<GrantedAuthority> authorities = new
>>>> >> LinkedList<GrantedAuthority>();
>>>> >> authorities.addAll( roles );
>>>> >> for ( Iterator iter = roles.iterator(); iter.hasNext(); )
>>>> >> {
>>>> >> RoleDB role = (RoleDB) iter.next();
>>>> >> authorities.addAll( role.getPermissions() );
>>>> >> }
>>>> >> return authorities.toArray(new GrantedAuthority[0]);
>>>> >> */
>>>> >> return getAllAuthorities();
>>>> >> }
>>>> >>
>>>> >> public GrantedAuthority[] getAllAuthorities()
>>>> >> {
>>>> >> List<GrantedAuthority> authorities = new
>>>> >> LinkedList<GrantedAuthority>();
>>>> >> authorities.addAll( roles );
>>>> >> for ( Iterator iter = roles.iterator(); iter.hasNext(); )
>>>> >> {
>>>> >> RoleDB role = (RoleDB) iter.next();
>>>> >> authorities.addAll( role.getPermissions() );
>>>> >> }
>>>> >>
>>>> >> for ( Iterator giter = groups.iterator(); giter.hasNext();
>>>> )
>>>> >> {
>>>> >> GroupDB group = (GroupDB) giter.next();
>>>> >> Set roles = group.getRoles();
>>>> >> for ( Iterator riter = roles.iterator();
>>>> riter.hasNext(); )
>>>> >> {
>>>> >> RoleDB role = (RoleDB) riter.next();
>>>> >> authorities.addAll( role.getPermissions() );
>>>> >> }
>>>> >> }
>>>> >>
>>>> >> return authorities.toArray(new GrantedAuthority[0]);
>>>> >> }
>>>> >>
>>>> >>
>>>> >>
>>>> >> tonyl wrote:
>>>> >> >
>>>> >> > Matt,
>>>> >> >
>>>> >> > I checked out the JIRA issue, and it redirects to
>>>> >> >
>>>> >> > http://opensource.atlassian.com/projects/spring/browse/SEC-272
>>>> >> >
>>>> >> > which is still open. I'll check the sample apps, too.
>>>> >> >
>>>> >> >
>>>> >> >
>>>> >> > mraible wrote:
>>>> >> >>
>>>> >> >> Apparently, Acegi security supports groups now, but I couldn't
>>>> find
>>>> >> >> any documentation on it. You might want to check one of their
>>>> sample
>>>> >> >> apps.
>>>> >> >>
>>>> >> >> http://opensource.atlassian.com/projects/spring/browse/SEC-325
>>>> >> >>
>>>> >> >> Matt
>>>> >> >>
>>>> >> >> On 2/26/07, tonyl <[EMAIL PROTECTED]> wrote:
>>>> >> >>>
>>>> >> >>> So, we are adding groups of users to the base application
>>>> generated
>>>> >> by
>>>> >> >>> AppFuse, and we have set up the groups to accept Roles, just
>>>> like
>>>> >> Users.
>>>> >> >>> The
>>>> >> >>> issue that I am having is how to have the session recognize the
>>>> >> >>> amalgamation
>>>> >> >>> of roles from both the User and the Groups that the User belongs
>>>> to.
>>>> >> >>>
>>>> >> >>> For example, create a user that has the default User role. Then
>>>> >> create a
>>>> >> >>> group that contains the user. The group has the role of Admin.
>>>> When I
>>>> >> >>> log in
>>>> >> >>> as the user, I want the session to recognize that the user now
>>>> has
>>>> >> Admin
>>>> >> >>> privileges because of the group.
>>>> >> >>>
>>>> >> >>> I've tried various things in the UserSecurityAdvice class, but
>>>> >> nothing
>>>> >> >>> seems
>>>> >> >>> to work. I have implemented a getAllAuthorities method that does
>>>> the
>>>> >> >>> amalgamation but I can't figure out where to pass it into the
>>>> context
>>>> >> to
>>>> >> >>> get
>>>> >> >>> it to recognize that all the permissions.
>>>> >> >>>
>>>> >> >>> Thanks,
>>>> >> >>>
>>>> >> >>> Tony
>>>> >> >>>
>>>> >> >>>
>>>> >> >>> --
>>>> >> >>> View this message in context:
>>>> >> >>>
>>>> >>
>>>> http://www.nabble.com/Implementing-Groups-with-Roles-tf3296597s2369.html#a9170681
>>>> >> >>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>>> >> >>>
>>>> >> >>>
>>>> ---------------------------------------------------------------------
>>>> >> >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> >> >>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>> >> >>>
>>>> >> >>>
>>>> >> >>
>>>> >> >>
>>>> >> >> --
>>>> >> >> http://raibledesigns.com
>>>> >> >>
>>>> >> >>
>>>> ---------------------------------------------------------------------
>>>> >> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> >> >> For additional commands, e-mail: [EMAIL PROTECTED]
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >
>>>> >> >
>>>> >>
>>>> >> --
>>>> >> View this message in context:
>>>> >>
>>>> http://www.nabble.com/Implementing-Groups-with-Roles-tf3296597s2369.html#a9171560
>>>> >> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>>> >>
>>>> >>
>>>> ---------------------------------------------------------------------
>>>> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> >> For additional commands, e-mail: [EMAIL PROTECTED]
>>>> >>
>>>> >>
>>>> >
>>>> >
>>>> > --
>>>> > http://raibledesigns.com
>>>> >
>>>> > ---------------------------------------------------------------------
>>>> > To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> > For additional commands, e-mail: [EMAIL PROTECTED]
>>>> >
>>>> >
>>>> >
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/Implementing-Groups-with-Roles-tf3296597s2369.html#a9172123
>>>> Sent from the AppFuse - User mailing list archive at Nabble.com.
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>
>>>>
>>>
>>>
>>> --
>>> http://raibledesigns.com
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>
>>>
>>>
>>
>>
>
>
--
View this message in context:
http://www.nabble.com/Implementing-Groups-with-Roles-tf3296597s2369.html#a9234833
Sent from the AppFuse - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
