Hi Dave

I'm having some progress with my spring security system testing.
I've discovered one bug, which was indirectly reported as part of [1], specifically when multiple proxies are sitting before a target object, NPE will be thrown at the init time. So the fix will go shortly.

Other than that, I've had no problems with a method-based authorization. If @Secured annotations sit on interface methods, then things are working ok, with no problems with overloaded methods.

I had to spend some time to figure out how to enforce a CGLIB-proxyfication in cases when a secured object does not implement interfaces. I've found <aop:config proxy-target-class="true"/> has no effect if one uses spring:security:intercept-methods but once I found it I can see the overloading working just fine in this case too.

If you don't add the <aop:scoped-proxy> and <aop:aspectj-autoproxy> tags,
you'll encounter an error:  "object is not an instance of declaring
class."

Using either this pair of tags or <aop:config proxy-target-class="true"/> has the same effect for me, as far as matching methods is concerned and I have no problems with the overloading. Can you please, when you get a chance, create a sample spring security project which would show the overloading problems and attach it to a JIRA? It might be that some subtle difference causes the issues. That said, I reckon if you do push the definitions down to the interface, then you should see no problems at all. Still, I'd like to get to the bottom of this specific issue you're seeing...

Cheers, Sergey

[1] http://issues.apache.org/jira/browse/CXF-1762



Sergey Beryozkin-3 wrote:



If you don't add the <aop:scoped-proxy> and <aop:aspectj-autoproxy> tags,
you'll encounter an error:  "object is not an instance of declaring
class."

The only problem I'm noticing right now is that method overloading doesn't
work when using Spring's AOP stuff.  That's not a big deal, though, and
right now I'm just ecstatic that spring-security is working.

Is it on a JAXRS or JAXWS invocation path? Can you post a sample java
code please for "myServiceBean"?


It's on a JAXRS invocation path.

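------- MyService.java -------
import java.util.List;
import javax.jws.WebService;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.ProduceMime;
import org.springframework.security.annotation.Secured;

@Path( "/myService/" )
@ProduceMime( "application/xml" )
@WebService( name = "MyService" )
public class MyService {

   public MyService() {

   }

   // Two-argument overload, restricted to administrators.
   @GET
   @Path( "/tryThis/{id}/{name}" )
   @ProduceMime( "application/xml" )
   @Secured( "ROLE_ADMINISTRATOR" )
   public List<OurObject> tryThis( @PathParam( "id" ) String id,
                                   @PathParam( "name" ) String name ) {

       // do stuff.
   }

   // One-argument overload, delegates to the method above.
   @GET
   @Path( "/tryThis/{id}" )
   @ProduceMime( "application/xml" )
   @Secured( "ROLE_ADMINISTRATOR" )
   public List<OurObject> tryThis( @PathParam( "id" ) String id ) {

       return tryThis( id, "Fake Name" );
   }
}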



Is 'provisioningBean' different to myServiceBean?


No, sorry, provisioningBean should be myServiceBean.

I'm hoping to replace my existing HTTP authentication with WS-Security...
I'll let you know how that goes.  :)

Thank you,
- Dave
--
View this message in context: 
http://www.nabble.com/Spring-Security-annotations-in-CXF--tp20823712p20846009.html
Sent from the cxf-user mailing list archive at Nabble.com.
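
The two behaviours discussed in this thread, reproduced with plain JDK proxies as an added example (not code from the thread, CXF or Spring Security): a role check resolved per overload when the annotations sit on the interface, and the reflection failure when a method looked up on the concrete class is invoked on an interface-based proxy. `RequiresRole`, `secure`, `ProxyDemo` and the role assignments are hypothetical stand-ins for `@Secured` and Spring's method interceptor.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class ProxyDemo {
    // Hypothetical stand-in for @Secured so the demo needs only the JDK.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface MyService {   // annotations pushed down to the interface
        @RequiresRole("ROLE_ADMINISTRATOR") List<String> tryThis(String id, String name);
        @RequiresRole("ROLE_USER")          List<String> tryThis(String id);
    }

    static class MyServiceImpl implements MyService {
        public List<String> tryThis(String id, String name) { return Arrays.asList(id, name); }
        // Internal call on "this": it does not pass through the proxy or its check.
        public List<String> tryThis(String id) { return tryThis(id, "Fake Name"); }
    }

    // Interface-based (JDK) proxy enforcing the role declared on the exact overload invoked.
    static MyService secure(final MyService target, final Set<String> callerRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole r = method.getAnnotation(RequiresRole.class);
            if (r != null && !callerRoles.contains(r.value()))
                throw new SecurityException("denied: " + method + " needs " + r.value());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (MyService) Proxy.newProxyInstance(
                MyService.class.getClassLoader(), new Class<?>[] { MyService.class }, h);
    }

    public static void main(String[] a) throws Exception {
        // Constructed caller holding ROLE_USER only.
        MyService svc = secure(new MyServiceImpl(), Collections.singleton("ROLE_USER"));
        System.out.println(svc.tryThis("42"));        // one-argument overload: allowed
        try { svc.tryThis("42", "x"); }               // two-argument overload: denied
        catch (SecurityException e) { System.out.println(e.getMessage()); }

        // A Method looked up on the concrete class cannot be invoked on the JDK
        // proxy, because the proxy implements MyService but is not a MyServiceImpl.
        Method m = MyServiceImpl.class.getMethod("tryThis", String.class);
        try { m.invoke(svc, "42"); }
        catch (IllegalArgumentException e) { System.out.println(e); }
    }
}
```

A class-based (CGLIB) proxy subclasses the target, so the last call would succeed there; that is the effect of forcing proxy-target-class when the secured object implements no interface.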



