
WIKI IREMIA: DWRandAcegi

 wingerd 2007-05-05

DWRandAcegi

how to integrate DWR and Acegi to protect a bean method call

You need to be familiar with Spring and DWR to follow this short how-to. Acegi configuration itself is not explained here (see ACEGI, in French, if you are interested in Acegi and CAS).

The Acegi API used here is that of version 0.9 (package net.sf.acegisecurity). Acegi 1.0 moved everything to the org.acegisecurity package, so the class names in the configuration below (the security interceptor in particular) have to be adjusted for 1.0.

problem

We need to protect a bean "exposed" via the DWR framework (for an introduction in French, see AJAX).

Acegi is a security framework built on Spring. The aim of this example page is to show how to prevent unauthorized access to a bean method that DWR exposes to web pages, i.e. a method called from JavaScript.

example:

We have this declaration (dwr.xml) of the remoted bean before Acegi protection:

<create creator="spring" javascript="loanDWR" beanName="loanDWR">
<include method="addLoan"/>
</create>

The addLoan method is callable from a web page via the JavaScript stub DWR generates (in this case loanDWR.js). The backing bean loanDWR is a Spring-managed bean (appli*.xml):

<bean id="loanDWR" class="fr.iremia.jlab.web.dwr.LoanDWR">
<property name="personDAO"><ref bean="personDAO"/></property>
<property name="loanDAO"><ref bean="loanDAO"/></property>
</bean>

We now want to prevent unauthorized loanDWR.addLoan JavaScript calls.

the solution:

prerequisite: a working Acegi configuration (authentication manager, access decision manager and the servlet filter chain) is needed.

create a security interceptor:

We use Acegi's AOP Alliance MethodSecurityInterceptor:

<bean id="loanDWRSecurityInterceptor" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource">
<value>
fr.iremia.jlab.web.dwr.LoanDWR.addLoan=edit,admin
</value>
</property>
</bean>

The addLoan method of the Java class fr.iremia.jlab.web.dwr.LoanDWR is now callable only by users holding the configuration attribute edit or admin. The attribute names must be ones the access decision manager's voters understand: the stock Acegi RoleVoter ignores (abstains on) any attribute that does not start with ROLE_, so with a default RoleVoter the entry would have to read fr.iremia.jlab.web.dwr.LoanDWR.addLoan=ROLE_EDIT,ROLE_ADMIN, and the users' granted authorities would have to carry exactly the same strings.

For the meaning of the Acegi properties authenticationManager and httpRequestAccessDecisionManager, refer to http:///docbook/acegi.html.

create a proxy for the bean

Add a proxy in front of the original loanDWR Spring bean, using Spring's ProxyFactoryBean:

<bean id="loanDWRSecure" class="org.springframework.aop.framework.ProxyFactoryBean">
<property name="target" ref="loanDWR"/>
<property name="interceptorNames">
<idref local="loanDWRSecurityInterceptor" />
</property>
</bean>

Now loanDWRSecure is a proxy to the Spring bean loanDWR. Every call to addLoan is intercepted by Acegi and reaches the target only if the calling user holds role edit or admin... easy... (thanks Spring and Acegi!). One practical point: if LoanDWR implements no interface, Spring has to build a CGLIB subclass proxy, so the cglib library must be on the classpath.

modify the DWR configuration:

We now need to point dwr.xml at the proxy instead of the original bean (beanName changes, the JavaScript name does not):

<create creator="spring" javascript="loanDWR" beanName="loanDWRSecure">
<include method="addLoan"/>
</create>
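The interceptor above references an access decision manager under the name httpRequestAccessDecisionManager but, as the page says, leaves that bean to the reader's existing Acegi configuration. The following is an added example, not configuration from the original page, of what such a bean looks like in Acegi 0.9 using the standard AffirmativeBased manager and RoleVoter, together with the matching interceptor entry. Because the stock RoleVoter only votes on attributes prefixed ROLE_, the entry is written with ROLE_EDIT,ROLE_ADMIN; those names are an assumption and must match the GrantedAuthority strings your authentication provider assigns. The bean ids authenticationManager and httpRequestAccessDecisionManager are the ones used on this page.

```xml
<!-- Added example (Acegi 0.9, package net.sf.acegisecurity); not from the original page.
     Assumption: authenticated users carry the authorities ROLE_EDIT and/or ROLE_ADMIN. -->

<!-- Access decision manager: grants if any voter grants, denies if any voter denies. -->
<bean id="httpRequestAccessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
  <!-- false: if every voter abstains (for example because no attribute starts with ROLE_)
       the call is denied instead of silently allowed -->
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <!-- RoleVoter grants when the user holds an authority equal to one of the
           ROLE_-prefixed attributes; it abstains on attributes such as plain "edit" -->
      <bean class="net.sf.acegisecurity.vote.RoleVoter"/>
    </list>
  </property>
</bean>

<!-- Method interceptor wired to that manager; attribute names carry the ROLE_ prefix
     so that the default RoleVoter actually votes on them. -->
<bean id="loanDWRSecurityInterceptor"
      class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
  <property name="objectDefinitionSource">
    <value>
      fr.iremia.jlab.web.dwr.LoanDWR.addLoan=ROLE_EDIT,ROLE_ADMIN
    </value>
  </property>
</bean>
```

Keeping allowIfAllAbstainDecisions at false is the safe default: a typo in an attribute name then fails closed (every voter abstains, access denied) instead of opening the method to every authenticated user.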

The JavaScript name stays loanDWR, so no existing JSP needs to change.

in case of problems:

I have received some questions about problems using this solution. The answers are:

in case of:

2006-06-08 14:21:38,437 WARN [uk.ltd.getahead.dwr.impl.ExecuteQuery] - <Method execution failed: >
org.acegisecurity.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
at org.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:329)
at org.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:244)
at org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)

don't forget to map the Acegi Security filter (in web.xml) to /dwr/*. The SecurityContext is filled per request by the Acegi filter chain; if the DWR servlet's URLs are outside the filter mapping, no Authentication is placed in the SecurityContextHolder for the DWR call, and the method interceptor rejects it with the exception above.

Other questions were lost :-( ...
