Spring Security no VRaptor

Assuntos Gerais
#1

Usando Spring Security com o VRaptor, não está funcionando o recurso de proteger métodos de bens registradas no contexto.
O filtro para as URLs funciona beleza. <http auto-config="true" access-denied-page="/accessDenied.jsp"> <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/img/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/" access="IS_AUTHENTICATED_REMEMBERED" /> <intercept-url pattern="/um" access="IS_AUTHENTICATED_REMEMBERED" /> <intercept-url pattern="/tres" access="ROLE_TELLER"/> <intercept-url pattern="/dois" access="ROLE_USER"/> ...já os filtros de métodos…<global-method-security secured-annotations="enabled"> <!-- AspectJ pointcut expression that locates our "post" method and applies security that way <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/> --> <protect-pointcut expression="execution(* br.com.padual.springsec.dados.Dados.setValorUm(..))" access="ROLE_USER"/> <protect-pointcut expression="execution(* br.com.padual.springsec.dados.Dados.setValorDois(..))" access="ROLE_TELLER"/> <protect-pointcut expression="execution(* br.com.padual.springsec.dados.Dados.setValorTres(..))" access="ROLE_SUPERVISOR"/> </global-method-security>
nada!

no caso acima, o método br.com.padual.springsec.dados.Dados.setValorDois não poderia ser invocado sem que o usuário autenticado tinha autoridade “ROLE_TELLER”. mas está deixando passar.

alguém tem uma luz :idea: ?

e tem outro lance: tentei usar anotação para proteger o método e passou a dar exceptions. SEVERE: Servlet.service() for servlet default threw exception org.springframework.beans.factory.NoSuchBeanDefinitionException: No unique bean of type [br.com.padual.springsec.dados.Dados] is defined: Unsatisfied dependency of type [class br.com.padual.springsec.dados.Dados]: expected at least 1 matching bean at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:613) at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:622) at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:138) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:925) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:823) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409) at java.security.AccessController.doPrivileged(Native Method) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380) at org.springframework.beans.factory.support.AbstractBeanFactory$2.getObject(AbstractBeanFactory.java:302) at org.springframework.web.context.request.AbstractRequestAttributesScope.get(AbstractRequestAttributesScope.java:43) at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:298) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185) at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164) at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:308) at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBeansOfType(DefaultListableBeanFactory.java:297) at org.springframework.context.support.AbstractApplicationContext.getBeansOfType(AbstractApplicationContext.java:942) at org.springframework.beans.factory.BeanFactoryUtils.beansOfTypeIncludingAncestors(BeanFactoryUtils.java:224) at br.com.caelum.vraptor.ioc.spring.VRaptorApplicationContext.getBean(VRaptorApplicationContext.java:209) at br.com.caelum.vraptor.ioc.spring.SpringBasedContainer.instanceFor(SpringBasedContainer.java:61) at br.com.caelum.vraptor.interceptor.InstantiateInterceptor.intercept(InstantiateInterceptor.java:41) at br.com.caelum.vraptor.core.InstantiatedInterceptorHandler.execute(InstantiatedInterceptorHandler.java:41) at br.com.caelum.vraptor.core.DefaultInterceptorStack.next(DefaultInterceptorStack.java:59) at br.com.caelum.vraptor.core.ToInstantiateInterceptorHandler.execute(ToInstantiateInterceptorHandler.java:48) at br.com.caelum.vraptor.core.DefaultInterceptorStack.next(DefaultInterceptorStack.java:59) at br.com.caelum.vraptor.interceptor.InterceptorListPriorToExecutionExtractor.intercept(InterceptorListPriorToExecutionExtractor.java:46) at br.com.caelum.vraptor.core.ToInstantiateInterceptorHandler.execute(ToInstantiateInterceptorHandler.java:46) at br.com.caelum.vraptor.core.DefaultInterceptorStack.next(DefaultInterceptorStack.java:59) at br.com.caelum.vraptor.interceptor.FlashInterceptor.intercept(FlashInterceptor.java:80) at br.com.caelum.vraptor.core.ToInstantiateInterceptorHandler.execute(ToInstantiateInterceptorHandler.java:46) at br.com.caelum.vraptor.core.DefaultInterceptorStack.next(DefaultInterceptorStack.java:59) at br.com.caelum.vraptor.interceptor.ResourceLookupInterceptor.intercept(ResourceLookupInterceptor.java:67) at br.com.caelum.vraptor.core.ToInstantiateInterceptorHandler.execute(ToInstantiateInterceptorHandler.java:46) at br.com.caelum.vraptor.core.DefaultInterceptorStack.next(DefaultInterceptorStack.java:59) at br.com.caelum.vraptor.core.DefaultRequestExecution.execute(DefaultRequestExecution.java:62) at br.com.caelum.vraptor.VRaptor$1.insideRequest(VRaptor.java:91) at br.com.caelum.vraptor.ioc.spring.SpringProvider.provideForRequest(SpringProvider.java:55) at br.com.caelum.vraptor.VRaptor.doFilter(VRaptor.java:88) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378) at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109) at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:67) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.rememberme.RememberMeProcessingFilter.doFilterHttp(RememberMeProcessingFilter.java:116) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:174) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:278) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235) at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53) at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390) at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:619) tem-se a impressão que VRaptor não instancia a bean se estiver com métodos anotados como @Secured( {“ROLE_TELLER”} ), por exemplo.

Estou anexando o projeto. Quem puder dar uma ajuda…

#2

vc anotou a classe Dados com @Component (do VRaptor)? vc precisa fazer isso, ou colocar uma das anotações Stereotype do Spring…

#3

anotei sim, Lucas… veja

[code]package br.com.padual.springsec.dados;

import java.io.Serializable;

//import org.springframework.security.annotation.Secured;

import br.com.caelum.vraptor.ioc.Component;
import br.com.caelum.vraptor.ioc.SessionScoped;

@Component
@SessionScoped
public class Dados implements Serializable {

private static final long serialVersionUID = 5770462069376403817L;
private String valorUm;
private String valorDois;
private String valorTres;

public Dados() {

…[/code]

#4

o erro acontece toda vez ou só qdo o usuario não tem permissão?

#5

são duas maneiras de proteger o método: no xml por aspecj ou diretamente na classe por annotations.

fiz pelo xml: nem dá erro, nem bloqueia o método. nota: ativando o log, ele traça toda permissão avalidada/dada. mas apenas das páginas. em relação aos métodos, ele nem faz menção.

por anotação: dá erro de qualquer jeito. tendo ou não permissão. basta acessar uma url com controller que utilize a bean com a anotação @Secured.

#6

tenta colocar o component-scan no applicationContext.xml e usar as anotações do spring nessa classe… @Component ou @Service do spring (ou alguma outra que faça mais sentido)

#7

anotando como @Component do spring (import org.springframework.stereotype.Component), dá erro quando (acredito eu) o vraptor tenta injetar o bean no controller.

[list]org.springframework.beans.factory.BeanCreationException: Error creating bean with name ‘paginaController’ defined in file […]: Instantiation of bean failed; [/list]
[list]nested exception is org.springframework.beans.BeanInstantiationException: Could not instantiate bean class […PaginaController]: Illegal arguments for constructor;[/list]
[list]nested exception is java.lang.IllegalArgumentException: argument type mismatch[/list]

#8

Qdo vc usa o @Component do spring vc tem que usar a injeção de dependências do jeito dele… provavelmente vc vai precisar colocar @Autowired no construtor da classe…

#9

Vou ter que suspender meu estudo nesta integração "Spring Security X VRaptor " por enquanto. Ando atarefado.

Lucas, obrigado pela ajuda. Foi bastante proveitosa.

Dentro de 2 semanas devo retomar o estudo de uma maneira prática de proteger apps vraptor.

Estou pensando em algo como uma annotation tipo @Secured( {“ROLE_GERENTE”, “ROLE_ADM”} ) para proteger os métodos do controller. Ficando a cargo do AuthenticationInterceptor validar as permissões.

Acho que não vai dar certo insistir no SpringSecurity. Pois pretendia tb proteger métodos do controller vraptor, e não apenas de beans spring.

Valeu!

abraço

#10