I have a Spring-WS service using PayloadRootAnnotationMethodEndpointMapping that has several interceptors:
<bean class="org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping">
<property name="interceptors">
<list>
<ref local="loggingInterceptor"/>
<ref local="validatingInterceptor"/>
<ref local="securityInterceptor"/>
</list>
</property>
</bean>
My securityIntercetor is a Wss4jSecurityInterceptor interceptor.
Everything works fine, except that the securityIntercetor is at the #Endpoint level, I want it to be at the #PayloadRoot (operation).
The way I authenticate users is using UsernameToken, then I go against LDAP and get the roles and depending on the role I want to allow/prohibit the user to execute an operation.
I assume there isn't a out of the box solution for this.
So my question is: how in the securityIntercetor can I get what operation is being called so I can check depending on my settings to allow or not the execution of a specific operation.
Or maybe you have other ideas.
Thanks.
There is no standard way of doing this.
What I did is I created another interceptor (and placing him first in the list of interceptor being called), that would save the current operation and then when Spring hits my security interceptor I will get the method from a request scoped bean that was created by my first interceptor.
Related
I am using Spring MVC with Spring 3.1. I have a web application that uses many REST services. One of these REST services takes up to an hour to respond - which I can not change. I have my timeout for the RestTemplate set up like this with the timeout set to 60 minutes:
<bean id="restTemplate" class="org.springframework.web.client.RestTemplate ">
<constructor-arg>
<bean class="org.springframework.http.client.CommonsClientHttpRequestFactory">
<property name="readTimeout" value="3600000" />
<property name="connectTimeout" value="3600000" />
</bean>
</constructor-arg>
</bean>
I would like to be able to set all of my other REST calls to a different set of timeouts. Any ideas on how to do this?
Thanks,
Tim
You can't do this on a method call basis. In other words, all calls on the restTemplate bean will use the same underlying ClientHttpRequestFactory. If you want different requests to use different timeout values, declare multiple RestTemplate beans and inject the appropriate ones in your beans.
I've got a MyAppConversionServiceFactoryBean which I'm registering like:
<bean id="conversionService" class="com.MyProject.MyAppConversionServiceFactoryBean">
<property name="messageSource" ref="messageSource"/>
<property name="converters">
<set>
<bean class="com.MyProject.XRepresentationConverter" />
<bean class="com.MyProject.YRepresentationConverter" />
<bean class="com.MyProject.ZRepresentationConverter" />
</set>
</property>
</bean>
I can continue to list every converter we write into this list, but I'd love to be able to configure it such that this isn't necessary and that converters will automatically register themselves somehow with my factory.
Sidebar 1: If that's not possible with a custom factory, is it possible with the default spring one?
Sidebar 2: If neither the first part nor Sidebar 1 is possible, is it possible to #Autowired the conversionService into the converters (so they can easily call one another)? Attempting to #Autowired ConversionService conversionService has previously given me issues due to not being able to wire the conversionService into an object while it's still busy creating the service.
Note: We're using Spring, but not Spring MVC. I have no control over that, so any solutions on that route will be unfortunately unusable. I can change pretty much anything else about the configuration and Java classes, just not the overarching tools.
#Vikdor's comment on the question pointed me in the right direction.
Spring is apparently capable (and no one I asked in person knew this) of gathering collections of beans through the scanning process with #Autowired annotations. Here's what I needed to achieve the same effect I got from the configuration in the post:
applicationContent.xml must have:
<context:component-scan base-package="com.MyProject"/>
<bean id="conversionService" class="com.MyProject.MyAppConversionServiceFactoryBean" />
MyAppConversionServiceFactoryBean.java:
public class MyAppConversionServiceFactoryBean implements
FactoryBean<ConversionService>, InitializingBean {
#Autowired
private Set<BaseConverter> converters;
}
And then all of my converters now have the #Component annotation.
Relevant Docs on #Autowired do briefly mention that it can be used to collect all beans of a type, but I wouldn't have known that it could be done into any collection type without this thread by Grzegorz Oledzki which addresses the generic form of my question, but takes it down a philosophical route.
Given a method in a Spring controller, I'd like to execute a "before" handler. I tried some AspectJ code to do that but I can't work it out. What I'd like is to obtain the target Method object so that I could process its Annotations. Is it possible? How?
Write a class which implements 'MethodBeforeAdvice' interface and overwrite before() Method in that class, in which you can implement the logic what you want.
And also specify your custom class as the property of org.springframework.aop.support.RegexpMethodPointcutAdvisor in Spring XML file.
ex:
<bean id="methodAuthzAdvice" class="com.src.customClassMethodBeforeAdvice"/>
<bean id="methodAuthzAdvisor" class="org.springframework.aop.support.RegexpMethodPointcutAdvisor">
<ref local="methodAuthzAdvice"/>
<property name="advice">
<ref local="methodAuthzAdvice"/>
</property>
<property name="pattern">
<value>.*</value>
</property>
</bean>
use methodAuthzAdvice id as an interceptor property to your handler class in xml file.
I'm using Spring MVC with <mvc:annotation-driven />
I've implemented my own mapping handler extending DefaultAnnotationHandlerMapping, but I'm not sure how to use it. I've declared it like this:
<bean class="es.kcsolutions.boulevard.DispatcherMappingHandler" />
It works, but, obviously, DefaultAnnotationHandlerMapping works too and always before mine. Is there a way to disable it and use only mine?
Thanks.
My advice would be to remove the <mvc:annotation-driven /> altogether. It doesn't really do anything particularly useful - most of the beans it declares are there already. And in cases where you want to declare your own handler mapping or handler adapter, it just gets in the way.
So take it out, declare your own DefaultAnnotationHandlerMapping bean, and it should work. No need to mess about with ordering in 99.9% of cases.
If you take out any explicit declarations of the DefaultAnnotationHandlerMapping then your custom mapper is supposed to replace it in the dispatcher. (according to javadoc) If you need/want more than one mapping, then you control them by setting their Order property. Lower order numbers execute first.
<bean class="es.kcsolutions.boulevard.DispatcherMappingHandler">
<property name="order" value="0"/>
</bean>
<bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="order" value="1"/>
</bean>
For an existing working app, I want to provide a secondary AuthenticationProvider, probably with a DaoAuthenticationProvider. Let's say it's for authenticating a "back up" password, or a prior password that was changed due to strict password policies and the user forgot the new password. ;-)
For proof of concept, what would the implementation look like for this secondaryAuthenticationProvider that will always authenticate the user regardless of the incoming credentials? (something that returns an authenticated Authentication object)
Which one of the MANY org.springframework.security.providers & subpackage classes and methods should I look at?
Example config:
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="daoAuthenticationProvider"/>
<ref local="secondaryAuthenticationProvider"/> <!-- new AuthProv -->
<ref local="rememberMeAuthenticationProvider"/>
</list>
</property>
</bean>
If you have only one alternative password, you can declare a second DaoAuthenticationProvider backed by a special UserDetailsService, which will produce UserDetails with that alternative password.
Otherwise, you can create a custom AuthenticationProvider. Credentials check in DaoAuthenticationProvider occurs in additionalAuthenticationChecks(), so if you want to change that logic you can create a subclass of DaoAuthenticationProvider and override this method with your implementation.
For example, if you want to authenticate the user regardless of its credentials, you can override this method with an empty implementation.
Sounds to me like you should just create your own UserDetailsService that has this behavior - that would be by far the easiest way to do it.