DWRandAcegi

how-to integrate DWR and ACEGI to protect a bean method call

You have to be familiar with Spring and DWR to understand this little how-to. We don't explain Acegi configuration (you can take a look at ACEGI, in French, if you are interested in Acegi and CAS...). The Acegi API used here is that of version 0.9 (net.sf....). For Acegi 1.0, the method names need to change (sec interceptor...).

problem

We need to protect a bean "exposed" via the DWR framework (for an introduction in French, see AJAX). Acegi is a security framework based on Spring. The objective of this example page is to show how to prevent unauthorized access to a bean method from the DWR framework via a web page (JavaScript call).

example:

We have this declaration (dwr.xml) of the remoted bean before Acegi protection:

    <create creator="spring" javascript="loanDWR" beanName="loanDWR">

The addLoan method is callable from a web page, via the JavaScript utility that DWR generates automatically (in this case loanDWR.js). The backing bean loanDWR is a Spring-managed bean (appli*.xml):

    <bean id="loanDWR" class="fr.iremia.jlab.web.dwr.LoanDWR">

We now want to prevent unauthorized loanDWR.addLoan JavaScript calls!

the solution:

Prerequisite: we need a working ACEGI configuration!

create a security interceptor:

We use an AOP Alliance security interceptor:

    <bean id="loanDWRSecurityInterceptor" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">

The method addLoan of the Java class fr.iremia.jlab.web.dwr.LoanDWR is only callable by users with role edit or admin. For the meaning of the Acegi properties authenticationManager and httpRequestAccessDecisionManager, refer to http:///docbook/acegi.html.

create a proxy for the bean

Add a proxy for the original loanDWR Spring bean, using the Spring ProxyFactoryBean:

    <bean id="loanDWRSecure" class="org.springframework.aop.framework.ProxyFactoryBean">

Now, loanDWRSecure is a proxy to the Spring bean called loanDWR.
Every call to the addLoan method is intercepted by ACEGI, and only fired if the calling user is in role edit or admin... easy... (thanks Spring and Acegi!)

modify dwr configuration:

We now need to modify the Spring-managed bean name in dwr.xml:

    <create creator="spring" javascript="loanDWR" beanName="loanDWRSecure">

No need to modify existing JSPs....

in case of problem:

I've received some questions concerning problems using this solution. Answers are:

In case of:

    2006-06-08 14:21:38,437 WARN [uk.ltd.getahead.dwr.impl.ExecuteQuery] - <Method execution failed: >

don't forget to map the Acegi Security filter (in web.xml) to /dwr/*

Other questions were lost :-( ...
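The interceptor and proxy steps above, written out as one Spring context file. This is an added example, not the original page's configuration: the bean ids and class names are the page's, while the role attribute names ROLE_EDIT and ROLE_ADMIN, the proxyTargetClass setting, and the presence of beans named authenticationManager and httpRequestAccessDecisionManager in the existing Acegi configuration are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
    "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>

  <!-- Unprotected target bean. Keep it in the Spring context but do not
       reference it from dwr.xml, otherwise calls bypass the interceptor. -->
  <bean id="loanDWR" class="fr.iremia.jlab.web.dwr.LoanDWR"/>

  <!-- Acegi 0.9 method interceptor. authenticationManager and
       httpRequestAccessDecisionManager are assumed to be beans defined in
       the existing Acegi configuration. -->
  <bean id="loanDWRSecurityInterceptor"
        class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager">
      <ref bean="authenticationManager"/>
    </property>
    <property name="accessDecisionManager">
      <ref bean="httpRequestAccessDecisionManager"/>
    </property>
    <!-- One line per protected method: fully qualified method = attributes.
         ROLE_EDIT and ROLE_ADMIN are assumed names for the edit and admin
         roles; use the strings your voter is configured to recognise. -->
    <property name="objectDefinitionSource">
      <value>
        fr.iremia.jlab.web.dwr.LoanDWR.addLoan=ROLE_EDIT,ROLE_ADMIN
      </value>
    </property>
  </bean>

  <!-- Proxy that DWR exposes (beanName="loanDWRSecure" in dwr.xml). -->
  <bean id="loanDWRSecure"
        class="org.springframework.aop.framework.ProxyFactoryBean">
    <property name="target">
      <ref local="loanDWR"/>
    </property>
    <!-- Assumption: LoanDWR implements no interface, so proxy the class
         itself (requires CGLIB on the classpath). -->
    <property name="proxyTargetClass">
      <value>true</value>
    </property>
    <property name="interceptorNames">
      <list>
        <value>loanDWRSecurityInterceptor</value>
      </list>
    </property>
  </bean>

</beans>
```

Whether the two attributes act as alternatives (edit or admin) depends on how the access decision manager combines its voters. Methods of LoanDWR that are not listed in objectDefinitionSource are not checked by the interceptor.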