Is there some sort of setup required in webapp to get annotations to work

17 messages

Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Hi

As I understood from the documentation, a checked exception will be thrown if for eg. a user does not have the role specified by @RequiresRoles. But nothing's happening, the method gets executed regardless. In my particular case I want the method to fire only when a user of a particular role is logged in, but that method is executing even if I try after logout. What am I missing :|

Animesh

Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
I guess I'm missing setting it up with some AOP framework is it?

On Wed, Sep 17, 2008 at 11:25 PM, Animesh Jain <[hidden email]> wrote:
Hi

As I understood from the documentation, a checked exception will be thrown if for eg. a user does not have the role specified by @RequiresRoles. But nothing's happening, the method gets executed regardless. In my particular case I want the method to fire only when a user of a particular role is logged in, but that method is executing even if I try after logout. What am I missing :|

Animesh


Re: Is there some sort of setup required in webapp to get annotations to work

Jeremy Haile
Animesh,

Have you added these bean definitions to Spring?

    <bean id="lifecycleBeanPostProcessor"
          class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

These are declared in webroot/WEB-INF/applicationContext.xml in the
spring sample application along with some additional documentation.

The first bean helps initialize and destroy JSecurity related beans.
The DefaultAdvisorAutoProxyCreator is required to enable Spring's
auto-proxying of beans based on annotations.  The last bean adds support
for auto-proxying method calls to beans that use JSecurity annotations.

I hope this helps - let me know if you have more questions!

Jeremy

On Thu, 18 Sep 2008 18:30:40 +0530, "Animesh Jain"
<[hidden email]> said:

> I guess I'm missing setting it up with some AOP framework is it?
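
The reason the annotation did nothing on its own, as an added example that is not part of the thread and is not JSecurity code: an annotation is only metadata until calls pass through a proxy whose interceptor reads it. `NeedsRole`, `ReportService`, `RoleCheckingHandler` and `CURRENT_ROLES` are hypothetical stand-ins for @RequiresRoles, an annotated bean, the method interceptor and the logged-in Subject, built on the JDK's own dynamic proxies so the file runs without Spring, Guice or JSecurity.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class AnnotationEnforcementDemo {

    // Hypothetical stand-in for @RequiresRoles. RUNTIME retention is what
    // lets an interceptor see the annotation when the method is invoked.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    public @interface NeedsRole { String value(); }

    // The annotation sits on the interface method because a JDK proxy hands
    // the interface's Method object to the handler.
    public interface ReportService {
        @NeedsRole("person")
        String viewReport();
    }

    static class ReportServiceImpl implements ReportService {
        public String viewReport() { return "confidential report"; }
    }

    // Hypothetical stand-in for the roles of the Subject bound to this thread.
    static final ThreadLocal<Set<String>> CURRENT_ROLES =
            ThreadLocal.withInitial(() -> Collections.<String>emptySet());

    // Plays the part of the authorizing method interceptor: read the
    // annotation, check the caller's roles, and only then proceed.
    static class RoleCheckingHandler implements InvocationHandler {
        private final Object target;

        RoleCheckingHandler(Object target) { this.target = target; }

        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            NeedsRole required = method.getAnnotation(NeedsRole.class);
            if (required != null && !CURRENT_ROLES.get().contains(required.value())) {
                // Fail closed: the target method is never reached.
                throw new SecurityException(
                        "role '" + required.value() + "' required for " + method.getName());
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception
            }
        }
    }

    // What an auto-proxy creator or an interceptor binding does for you:
    // hand out a proxy instead of the raw object.
    static ReportService secured(ReportService target) {
        return (ReportService) Proxy.newProxyInstance(
                ReportService.class.getClassLoader(),
                new Class<?>[] { ReportService.class },
                new RoleCheckingHandler(target));
    }

    static String attempt(ReportService service) {
        try {
            return "allowed: " + service.viewReport();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ReportService raw = new ReportServiceImpl();
        ReportService proxied = secured(raw);

        // Logged out: no roles. The raw object still runs the method because
        // nothing ever looks at the annotation.
        CURRENT_ROLES.set(Collections.<String>emptySet());
        System.out.println("raw,     no roles -> " + attempt(raw));
        System.out.println("proxied, no roles -> " + attempt(proxied));

        // Logged in with the required role: the proxy lets the call through.
        CURRENT_ROLES.set(Collections.singleton("person"));
        System.out.println("proxied, person   -> " + attempt(proxied));
    }
}
```

The same gap applies to objects the container did not create: a bean constructed with `new`, outside Spring or Guice, is the raw object here and skips the check.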

Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Aah! This helps a lot. So I hope I can use this without using Spring for the Jsecurity Realm injection - for that I'm using Guice. Anyway.. I'll try this asap and update on the results. I think Jsecurity definitely needs some more documentation in a few areas. I'll try and write down a few tutorials when I find time.

Animesh

On Thu, Sep 18, 2008 at 6:45 PM, Jeremy Haile <[hidden email]> wrote:
Animesh,

Have you added these bean definitions to Spring?

    <bean id="lifecycleBeanPostProcessor"
          class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor"/>
    <bean class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager"/>
    </bean>

These are declared in webroot/WEB-INF/applicationContext.xml in the
spring sample application along with some additional documentation.

The first bean helps initialize and destroy JSecurity related beans.
The DefaultAdvisorAutoProxyCreator is required to enable Spring's
auto-proxying of beans based on annotations.  The last bean adds support
for auto-proxying method calls to beans that use JSecurity annotations.

I hope this helps - let me know if you have more questions!

Jeremy


Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Well, can't really do the AOP part in Spring and the rest in Guice, it's just making things unnecessarily intertwined. So I think I'll read up on what capabilities Guice has for AOP and try and write a Guice implementation for the RequiresRoles and RequiresPermissions tags. Any pointers will be appreciated on what I should try to do (on a higher level), because I've never tried my hand at AOP before this. Guice does have method interceptors I believe and that should be enough here, isn't it?

Animesh

On Thu, Sep 18, 2008 at 6:54 PM, Animesh Jain <[hidden email]> wrote:
Aah! This helps a lot. So I hope I can use this without using Spring for the Jsecurity Realm injection - for that I'm using Guice. Anyway.. I'll try this asap and update on the results. I think Jsecurity definitely needs some more documentation in a few areas. I'll try and write down a few tutorials when I find time.

Animesh



Re: Is there some sort of setup required in webapp to get annotations to work

Les Hazlewood-2
Hi Animesh,

Yep, you're on the right track.  Basically in Spring environments,
JSecurity uses the Spring built-in and annotation processing support.
If you look in the Spring sample application's applicationContext.xml
file, you'll see two bean definitions:

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

That's all it takes in Spring to support annotations because Spring
does all the heavy lifting.  If you look at the source for
AuthorizationAttributeSourceAdvisor, you might get ideas on how to do
this same thing in a Guice-specific way.

Btw, please keep track of your Guice integration efforts
(GuiceIniWebConfiguration + annotations, etc).  We'd love it if you
could contribute that back to the project!

Please keep us posted!

Regards,

Les

On Thu, Sep 18, 2008 at 1:20 PM, Animesh Jain <[hidden email]> wrote:

> Well, can't really do the AOP part in Spring and the rest in Guice, it's just
> making things unnecessarily intertwined. So I think I'll read up on what
> capabilities Guice has for AOP and try and write a Guice implementation for
> the RequiresRoles and RequiresPermissions tags. Any pointers will be
> appreciated on what I should try to do (on a higher level), because I've
> never tried my hand at AOP before this. Guice does have method interceptors
> I believe and that should be enough here, isn't it?
>
> Animesh

Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Sure thing Les, will definitely contribute back all the integration I'm able to do. It's just that I'm new to Guice and AOP in general, so it might take me a while to get things working well. I'll keep you guys posted on this thread.

Animesh

On Fri, Sep 19, 2008 at 12:52 AM, Les Hazlewood <[hidden email]> wrote:
Hi Animesh,

Yep, you're on the right track.  Basically in Spring environments,
JSecurity uses the Spring built-in and annotation processing support.
If you look in the Spring sample application's applicationContext.xml
file, you'll see two bean definitions:

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
      depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager"/>
</bean>

That's all it takes in Spring to support annotations because Spring
does all the heavy lifting.  If you look at the source for
AuthorizationAttributeSourceAdvisor, you might get ideas on how to do
this same thing in a Guice-specific way.

Btw, please keep track of your Guice integration efforts
(GuiceIniWebConfiguration + annotations, etc).  We'd love it if you
could contribute that back to the project!

Please keep us posted!

Regards,

Les


Re: Is there some sort of setup required in webapp to get annotations to work

Jeremy Haile
In reply to this post by Animesh Jain
Animesh,

I only have light experience with Guice, but I know it supports AOP Alliance method interceptors, just like Spring uses - and just like JSecurity provides.  

I think you'd simply need to bind those method interceptors as appropriate.  I haven't tried it yet, but I imagine something like the following code would work.  Could you please try it out and let me know if it works?

binder.bindInterceptor( any(), annotatedWith(RequiresRoles.class), new RoleAnnotationMethodInterceptor()); 
binder.bindInterceptor( any(), annotatedWith(RequiresPermissions.class), new PermissionAnnotationMethodInterceptor()); 

Jeremy



On Sep 18, 2008, at 1:20 PM, Animesh Jain wrote:

Well, can't really do the AOP part in Spring and the rest in Guice, it's just making things unnecessarily intertwined. So I think I'll read up on what capabilities Guice has for AOP and try and write a Guice implementation for the RequiresRoles and RequiresPermissions tags. Any pointers will be appreciated on what I should try to do (on a higher level), because I've never tried my hand at AOP before this. Guice does have method interceptors I believe and that should be enough here, isn't it?

Animesh


Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Yes Jeremy, you're right. It works with a slight modification (but.. not fully, which I'll explain below) -

bindInterceptor(Matchers.any(), Matchers.annotatedWith(RequiresRoles.class), new AopAllianceAnnotationsAuthorizingMethodInterceptor());

Basically Guice supports the AOP Alliance api, so RoleAnnotationMethodInterceptor and PermissionAnnotationMethodInterceptor cannot be bound directly as they are not implementing the alliance api's method interceptor. But I think Les has written AopAllianceAnnotationsAuthorizingMethodInterceptor for this very purpose.

Now let's come to the problem..  when I log in with a user who has a role (let's say "person") and call a method with the annotation RequiresRole("person"), then the AopAllianceAnnotationsAuthorizingMethodInterceptor is getting called and the call is in fact going all the way up to RoleAnnotationMethodInterceptor as expected. But if the role is something else then it is supposed to throw a runtime error, which is not happening, the control is not even coming to AopAllianceAnnotationsAuthorizingMethodInterceptor. This is very strange. I'm just using Idea's debugger to see where the calls are going.

So basically when all's well i.e. the subject role matches the annotation role, then aop seems to be working. But if the roles are different then aop doesn't seem to be working at all. No errors. Not even getting called.

Any clue on what could be happening?

Kind regards
Animesh


On Fri, Sep 19, 2008 at 8:14 PM, Jeremy Haile <[hidden email]> wrote:
Animesh,

I only have light experience with Guice, but I know it supports AOP Alliance method interceptors, just like Spring uses - and just like JSecurity provides.  

I think you'd simply need to bind those method interceptors as appropriate.  I haven't tried it yet, but I imagine something like the following code would work.  Could you please try it out and let me know if it works?

binder.bindInterceptor( any(), annotatedWith(RequiresRoles.class), new RoleAnnotationMethodInterceptor()); 
binder.bindInterceptor( any(), annotatedWith(RequiresPermissions.class), new PermissionAnnotationMethodInterceptor()); 

Jeremy




Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Although it appears that the role check is working. Because the annotated method is not executing when the roles do not match. But no error is being thrown and the debugger is not reaching the AopAllianceAnnotationsAuthorizingMethodInterceptor class. I've even put a System.out there and it only prints when the roles match, so it's not a debugger problem.

I'm lost.

Animesh

On Mon, Sep 22, 2008 at 5:36 PM, Animesh Jain <[hidden email]> wrote:
Yes Jeremy, you're right. It works with a slight modification (but.. not fully, which I'll explain below) -

bindInterceptor(Matchers.any(), Matchers.annotatedWith(RequiresRoles.class), new AopAllianceAnnotationsAuthorizingMethodInterceptor());

Basically Guice supports the AOP Alliance api, so RoleAnnotationMethodInterceptor and PermissionAnnotationMethodInterceptor cannot be bound directly as they are not implementing the alliance api's method interceptor. But I think Les has written AopAllianceAnnotationsAuthorizingMethodInterceptor for this very purpose.

Now let's come to the problem..  when I log in with a user who has a role (let's say "person") and call a method with the annotation RequiresRole("person"), then the AopAllianceAnnotationsAuthorizingMethodInterceptor is getting called and the call is in fact going all the way up to RoleAnnotationMethodInterceptor as expected. But if the role is something else then it is supposed to throw a runtime error, which is not happening, the control is not even coming to AopAllianceAnnotationsAuthorizingMethodInterceptor. This is very strange. I'm just using Idea's debugger to see where the calls are going.

So basically when all's well i.e. the subject role matches the annotation role, then aop seems to be working. But if the roles are different then aop doesn't seem to be working at all. No errors. Not even getting called.

Any clue on what could be happening?

Kind regards
Animesh




Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Umm.. I made a very stupid mistake which I just found. All's working well now. Sorry for bothering :P

So Les it seems it's pretty easy to integrate annotation with Guice, just one line config needed.

Cheers
Animesh

On Mon, Sep 22, 2008 at 6:01 PM, Animesh Jain <[hidden email]> wrote:
Although it appears that the role check is working. Because the annotated method is not executing when the roles do not match. But no error is being thrown and the debugger is not reaching the AopAllianceAnnotationsAuthorizingMethodInterceptor class. I've even put a System.out there and it only prints when the roles match, so it's not a debugger problem.

I'm lost.

Animesh


On Mon, Sep 22, 2008 at 5:36 PM, Animesh Jain <[hidden email]> wrote:
Yes Jeremy, you're right. It works with a slight modification (but.. not fully, which I'll explain below) -

bindInterceptor(Matchers.any(), Matchers.annotatedWith(RequiresRoles.class), new AopAllianceAnnotationsAuthorizingMethodInterceptor());

Basically Guice supports the AOP Alliance api, so RoleAnnotationMethodInterceptor and PermissionAnnotationMethodInterceptor cannot be bound directly as they are not implementing the alliance api's method interceptor. But I think Les has written AopAllianceAnnotationsAuthorizingMethodInterceptor for this very purpose.

Now lets come to the problem..  when I login with a user who has a role (lets say "person") and call a method with the annotation RequiresRole("person"), then the AopAllianceAnnotationsAuthorizingMethodInterceptor is getting called and the call is infact going all the way upto RoleAnnotationMethodInterceptor as expected. But if the role is something else then it is supposed to throw a runtime error, which is not happening, the control is not even coming to AopAllianceAnnotationsAuthorizingMethodInterceptor. This is very strange. I'm just using Idea's debugger to see where the calls are going.

So basically when all's well i.e. the subject role matches the annotation role, then aop seems to be working. But if the roles are different then aop doesn't seem to be working at all. No errors. Not even getting called.

Any clue on what could be happening?

Kind regards
Animesh



On Fri, Sep 19, 2008 at 8:14 PM, Jeremy Haile <[hidden email]> wrote:
Animesh,

I only have light experience with Guice, but I know it supports AOP Alliance method interceptors, just like Spring uses - and just like JSecurity provides.  

I think you'd simply need to bind those method interceptors as appropriate.  I haven't tried it yet, but I imagine something like the following code would work.  Could you please try it out and let me know if it works?

binder.bindInterceptor( any(), annotatedWith(RequiresRoles.class), new RoleAnnotationMethodInterceptor()); 
binder.bindInterceptor( any(), annotatedWith(RequiresPermissions.class), new PermissionAnnotationMethodInterceptor()); 

Jeremy



On Sep 18, 2008, at 1:20 PM, Animesh Jain wrote:

Well, can't really do the AOP part in Spring and the rest in Guice, it's just making things unnecessarily intertwined. So I think I'll read up on what capabilities Guice has for AOP and try and write a Guice implementation for the RequiresRoles and RequiresPermissions tags. Any pointers will be appreciated on what I should try to do (on a higher level), because I've never tried my hand at AOP before this. Guice does have method interceptors I believe and that should be enough here, isn't it?

Animesh

On Thu, Sep 18, 2008 at 6:54 PM, Animesh Jain <[hidden email]> wrote:
Aah! This helps a lot. So I hope I can use this without using Spring for the JSecurity Realm injection - for that I'm using Guice. Anyway.. I'll try this asap and update on the results. I think JSecurity definitely needs some more documentation in a few areas. I'll try and write down a few tutorials when I find time.

Animesh


On Thu, Sep 18, 2008 at 6:45 PM, Jeremy Haile <[hidden email]> wrote:
Animesh,

Have you added these bean definitions to Spring?

    <bean id="lifecycleBeanPostProcessor"
    class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>
    <bean
    class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
            depends-on="lifecycleBeanPostProcessor"/>
   <bean
   class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
          <property name="securityManager" ref="securityManager"/>
    </bean>

These are declared in webroot/WEB-INF/applicationContext.xml in the
spring sample application along with some additional documentation.

The first bean helps initialize and destroy JSecurity related beans.
The DefaultAdvisorAutoProxyCreator is required to enable Spring's
auto-proxying of beans based on annotations.  The last bean adds support
for auto-proxying method calls to beans that use JSecurity annotations.

I hope this helps - let me know if you have more questions!

Jeremy

On Thu, 18 Sep 2008 18:30:40 +0530, "Animesh Jain"
<[hidden email]> said:
> I guess I'm missing setting it up with some AOP framework is it?
>
> On Wed, Sep 17, 2008 at 11:25 PM, Animesh Jain <[hidden email]>
> wrote:
>
> > Hi
> >
> > As I understood from the documentation, a checked exception will be thrown
> > if for eg. a user does not have the role specified by @RequiresRoles. But
> > nothing's happening, the method gets executed regardless. In my particular
> > case I want the method to fire only when a user of a particular role is
> > logged in, but that method is executing even if I try after logout. What am
> > I missing :|
> >
> > Animesh
> >
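
An added illustration (not code from this thread or from JSecurity) of why the annotated method ran regardless until an interceptor was bound: the annotation is only metadata, and the role check happens in whatever wraps the call. `RequiresRoles`, `CURRENT_ROLES`, `PersonService` and `RoleCheckingHandler` are hypothetical JDK-only stand-ins, with a dynamic proxy playing the part of the Guice or Spring method interceptor.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

// Added example: JDK-only stand-ins, not JSecurity or Guice classes (Java 9+).
public class AnnotationEnforcementDemo {

    // Hypothetical stand-in for JSecurity's @RequiresRoles. RUNTIME retention
    // lets an interceptor read it; on its own it enforces nothing.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiresRoles {
        String value();
    }

    // Hypothetical stand-in for the current subject's roles.
    // null means nobody is logged in (for example after logout).
    static final ThreadLocal<Set<String>> CURRENT_ROLES = new ThreadLocal<>();

    interface PersonService {
        String editProfile();
    }

    static class PersonServiceImpl implements PersonService {
        @RequiresRoles("person")
        @Override
        public String editProfile() {
            return "profile edited";
        }
    }

    // Plays the part of the method interceptor: check first, then delegate.
    static class RoleCheckingHandler implements InvocationHandler {
        private final Object target;

        RoleCheckingHandler(Object target) {
            this.target = target;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            // The annotation sits on the implementation, so resolve that method.
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            RequiresRoles required = impl.getAnnotation(RequiresRoles.class);
            if (required != null) {
                Set<String> roles = CURRENT_ROLES.get();
                // Fail closed: no subject or a missing role means the target is never called.
                if (roles == null || !roles.contains(required.value())) {
                    throw new SecurityException(
                            "role '" + required.value() + "' required for " + impl.getName() + "()");
                }
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception
            }
        }
    }

    static PersonService secured(PersonService target) {
        return (PersonService) Proxy.newProxyInstance(
                PersonService.class.getClassLoader(),
                new Class<?>[] {PersonService.class},
                new RoleCheckingHandler(target));
    }

    static String attempt(PersonService service) {
        try {
            return service.editProfile();
        } catch (SecurityException e) {
            return "DENIED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        PersonService plain = new PersonServiceImpl(); // nothing wraps this instance
        PersonService guarded = secured(plain);        // every call passes the role check

        CURRENT_ROLES.remove();                        // logged out
        System.out.println("logged out, plain:     " + attempt(plain));
        System.out.println("logged out, guarded:   " + attempt(guarded));

        CURRENT_ROLES.set(Set.of("guest"));            // logged in, wrong role
        System.out.println("role guest, plain:     " + attempt(plain));
        System.out.println("role guest, guarded:   " + attempt(guarded));

        CURRENT_ROLES.set(Set.of("person"));           // logged in, matching role
        System.out.println("role person, guarded:  " + attempt(guarded));
    }
}
```

The same holds for container-managed interception: Guice and Spring apply method interceptors only to objects they create or proxy, so an instance built with `new` behaves like `plain` here.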







Re: Is there some sort of setup required in webapp to get annotations to work

Les Hazlewood
Administrator
Cool!

Could you give us a summary of everything that is required to get up
and running in Guice?  I can add this to a tutorial.  If you needed to
write any code also, that'd be great to have. :)

Thanks!

Les

On Mon, Sep 22, 2008 at 8:41 AM, Animesh Jain <[hidden email]> wrote:

> Umm.. I made a very stupid mistake which I just found. All's working well
> now. Sorry for bothering :P
>
> So Les it seems it's pretty easy to integrate annotation with Guice, just one
> line config needed.
>
> Cheers
> Animesh

Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Yeah I'll get everything together along with a short document/tutorial. Give me a few days for that.

Animesh

On Mon, Sep 22, 2008 at 6:18 PM, Les Hazlewood <[hidden email]> wrote:
Cool!

Could you give us a summary of everything that is required to get up
and running in Guice?  I can add this to a tutorial.  If you needed to
write any code also, that'd be great to have. :)

Thanks!

Les


Re: Is there some sort of setup required in webapp to get annotations to work

Jeremy Haile
In reply to this post by Les Hazlewood
Les,

I'm curious - why don't our method interceptors implement the AOP  
alliance interfaces?  This is a pretty standard thing, used by Spring,  
Guice, etc. Either way, seems like the AOP Alliance class is misplaced  
in the Spring module - since AOP Alliance is not Spring-specific.  I  
think this should all be moved into core.

Jeremy


On Sep 22, 2008, at 8:48 AM, Les Hazlewood wrote:

> Cool!
>
> Could you give us a summary of everything that is required to get up
> and running in Guice?  I can add this to a tutorial.  If you needed to
> write any code also, that'd be great to have. :)
>
> Thanks!
>
> Les

Re: Is there some sort of setup required in webapp to get annotations to work

Les Hazlewood
Administrator
In reply to this post by Animesh Jain
Sounds great - thanks again :)

On Mon, Sep 22, 2008 at 8:51 AM, Animesh Jain <[hidden email]> wrote:

> Yeah I'll get everything together along with a short document/tutorial. Give
> me a few days for that.
>
> Animesh
>
> On Mon, Sep 22, 2008 at 6:18 PM, Les Hazlewood <[hidden email]> wrote:
>>
>> Cool!
>>
>> Could you give us a summary of everything that is required to get up
>> and running in Guice?  I can add this to a tutorial.  If you needed to
>> write any code also, that'd be great to have. :)
>>
>> Thanks!
>>
>> Les
>>
>> On Mon, Sep 22, 2008 at 8:41 AM, Animesh Jain <[hidden email]>
>> wrote:
>> > Umm.. i made a very stupid mistake which I just found. All's working
>> > well
>> > now. Sorry for bothering :P
>> >
>> > So Les it seems its pretty easy to integrate annotation with Guice, just
>> > one
>> > lie config needed.
>> >
>> > Cheers
>> > Animesh
>> >
>> > On Mon, Sep 22, 2008 at 6:01 PM, Animesh Jain <[hidden email]>
>> > wrote:
>> >>
>> >> Although it appears that the role check is working. Because the
>> >> annotated
>> >> method is not executing when the roles do not match. But no error is
>> >> being
>> >> thrown and the debugger is not reaching the
>> >> AopAllianceAnnotationsAuthorizingMethodInterceptor class. I've even put
>> >> a
>> >> System.out there and it only prints when the roles match, so its not a
>> >> debugger problem.
>> >>
>> >> I'm lost.
>> >>
>> >> Animesh
>> >>
>> >> On Mon, Sep 22, 2008 at 5:36 PM, Animesh Jain <[hidden email]>
>> >> wrote:
>> >>>
>> >>> Yes Jeremy, you're right. It works with a slight modification (but..
>> >>> not
>> >>> fully, which I'll explain below) -
>> >>>
>> >>> bindInterceptor(Matchers.any(),
>> >>> Matchers.annotatedWith(RequiresRoles.class), new
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor());
>> >>>
>> >>> Basically Guice supports the AOP Alliance api, so
>> >>> RoleAnnotationMethodInterceptor and
>> >>> PermissionAnnotationMethodInterceptor
>> >>> cannot be bound directly as they are not implementing the alliance
>> >>> api's
>> >>> method interceptor. But I think Les has written
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor for this very
>> >>> purpose.
>> >>>
>> >>> Now lets come to the problem..  when I login with a user who has a
>> >>> role
>> >>> (lets say "person") and call a method with the annotation
>> >>> RequiresRole("person"), then the
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor is getting called
>> >>> and the
>> >>> call is infact going all the way upto RoleAnnotationMethodInterceptor
>> >>> as
>> >>> expected. But if the role is something else then it is supposed to
>> >>> throw a
>> >>> runtime error, which is not happening, the control is not even coming
>> >>> to
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor. This is very
>> >>> strange.
>> >>> I'm just using Idea's debugger to see where the calls are going.
>> >>>
>> >>> So basically when all's well i.e. the subject role matches the
>> >>> annotation
>> >>> role, then aop seems to be working. But if the roles are different
>> >>> then aop
>> >>> doesn't seem to be working at all. No errors. Not even getting called.
>> >>>
>> >>> Any clue on what could be happening?
>> >>>
>> >>> Kind regards
>> >>> Animesh
>> >>>
>> >>>
>> >>> On Fri, Sep 19, 2008 at 8:14 PM, Jeremy Haile <[hidden email]>
>> >>> wrote:
>> >>>>
>> >>>> Animesh,
>> >>>> I only have light experience with Guice, but I know it supports AOP
>> >>>> Alliance method interceptors, just like Spring uses - and just like
>> >>>> JSecurity provides.
>> >>>> I think you'd simply need to bind those method interceptors as
>> >>>> appropriate.  I haven't tried it yet, but I imagine something like
>> >>>> the
>> >>>> following code would work.  Could you please try it out and let me
>> >>>> know if
>> >>>> it works?
>> >>>> binder.bindInterceptor( any(), annotatedWith(RequiresRoles.class),
>> >>>> new
>> >>>> RoleAnnotationMethodInterceptor());
>> >>>> binder.bindInterceptor( any(),
>> >>>> annotatedWith(RequiresPermissions.class), new
>> >>>> PermissionAnnotationMethodInterceptor());
>> >>>> Jeremy
>> >>>>
>> >>>>
>> >>>> On Sep 18, 2008, at 1:20 PM, Animesh Jain wrote:
>> >>>>
>> >>>> Well, can't really do the AOP part in Spring and the rest in Guice,
>> >>>> its
>> >>>> just making things unnecessarily intertwined. So I think I'll read up
>> >>>> on
>> >>>> what capabilities Guice has for AOP and try and write a Guice
>> >>>> implementation
>> >>>> for the RequiresRoles and RequiresPermissions tags. Any pointers will
>> >>>> be
>> >>>> appreciated on what I should try to do (on a higher level), because
>> >>>> I've
>> >>>> never tried my hand at AOP before this. Guice does have method
>> >>>> interceptors
>> >>>> I believe and that should be enough here, isn't it?
>> >>>>
>> >>>> Animesh
>> >>>>
>> >>>> On Thu, Sep 18, 2008 at 6:54 PM, Animesh Jain <[hidden email]>
>> >>>> wrote:
>> >>>>>
>> >>>>> Aah! This helps a lot. So I hope I can use this without using Spring
>> >>>>> for the Jsecurity Realm injection - for that I'm using Guice.
>> >>>>> Anyway.. I'll
>> >>>>> try this asap and update on the results. I think Jsecurity
>> >>>>> definitely needs
>> >>>>> some more documentation in a few areas. I'll try and write down a
>> >>>>> few
>> >>>>> tutorials when I find time.
>> >>>>>
>> >>>>> Animesh
>> >>>>>
>> >>>>> On Thu, Sep 18, 2008 at 6:45 PM, Jeremy Haile <[hidden email]>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> Animesh,
>> >>>>>>
>> >>>>>> Have you added these bean definitions to Spring?
>> >>>>>>
>> >>>>>>     <bean id="lifecycleBeanPostProcessor"
>> >>>>>>     class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>
>> >>>>>>     <bean
>> >>>>>>
>> >>>>>>
>> >>>>>> class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
>> >>>>>>             depends-on="lifecycleBeanPostProcessor"/>
>> >>>>>>    <bean
>> >>>>>>
>> >>>>>>
>> >>>>>>  class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>> >>>>>>           <property name="securityManager" ref="securityManager"/>
>> >>>>>>     </bean>
>> >>>>>>
>> >>>>>> These are declared in webroot/WEB-INF/applicationContext.xml in the
>> >>>>>> spring sample application along with some additional documentation.
>> >>>>>>
>> >>>>>> The first bean helps initialize and destroy JSecurity related
>> >>>>>> beans.
>> >>>>>> The DefaultAdvisorAutoProxyCreator is required to enable Spring's
>> >>>>>> auto-proxying of beans based on annotations.  The last bean adds
>> >>>>>> support
>> >>>>>> for auto-proxying method calls to beans that use JSecurity
>> >>>>>> annotations.
>> >>>>>>
>> >>>>>> I hope this helps - let me know if you have more questions!
>> >>>>>>
>> >>>>>> Jeremy
>> >>>>>>
>> >>>>>> On Thu, 18 Sep 2008 18:30:40 +0530, "Animesh Jain"
>> >>>>>> <[hidden email]> said:
>> >>>>>> > I guess I'm missing setting it up with some AOP framework is it?
>> >>>>>> >
>> >>>>>> > On Wed, Sep 17, 2008 at 11:25 PM, Animesh Jain
>> >>>>>> > <[hidden email]>
>> >>>>>> > wrote:
>> >>>>>> >
>> >>>>>> > > Hi
>> >>>>>> > >
>> >>>>>> > > As I understood from the documentation, a checked exception
>> >>>>>> > > will
>> >>>>>> > > be thrown
>> >>>>>> > > if for eg. a user does not have the role specified by
>> >>>>>> > > @RequiresRoles. But
>> >>>>>> > > nothing's happening, the method gets executed regardless. In my
>> >>>>>> > > particular
>> >>>>>> > > case I want the method to fire only when a user of a particular
>> >>>>>> > > role is
>> >>>>>> > > logged in, but that method is executing even if I try after
>> >>>>>> > > logout. What am
>> >>>>>> > > I missing :|
>> >>>>>> > >
>> >>>>>> > > Animesh
>> >>>>>> > >
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>
>

Re: Is there some sort of setup required in webapp to get annotations to work

Animesh Jain
Yeah.. I'm curious about that too. And I'm coming back with a new problem on the mailing list in a few hours :D

On Mon, Sep 22, 2008 at 6:22 PM, Les Hazlewood <[hidden email]> wrote:
Sounds great - thanks again :)

On Mon, Sep 22, 2008 at 8:51 AM, Animesh Jain <[hidden email]> wrote:
> Yeah I'll get everything together along with a short document/tutorial. Give
> me a few days for that.
>
> Animesh
>
> On Mon, Sep 22, 2008 at 6:18 PM, Les Hazlewood <[hidden email]> wrote:
>>
>> Cool!
>>
>> Could you give us a summary of everything that is required to get up
>> and running in Guice?  I can add this to a tutorial.  If you needed to
>> write any code also, that'd be great to have. :)
>>
>> Thanks!
>>
>> Les
>>
>> On Mon, Sep 22, 2008 at 8:41 AM, Animesh Jain <[hidden email]>
>> wrote:
>> > Umm.. I made a very stupid mistake which I just found. All's working
>> > well
>> > now. Sorry for bothering :P
>> >
>> > So Les it seems it's pretty easy to integrate annotation with Guice, just
>> > one
>> > line config needed.
>> >
>> > Cheers
>> > Animesh
>> >
>> > On Mon, Sep 22, 2008 at 6:01 PM, Animesh Jain <[hidden email]>
>> > wrote:
>> >>
>> >> Although it appears that the role check is working. Because the
>> >> annotated
>> >> method is not executing when the roles do not match. But no error is
>> >> being
>> >> thrown and the debugger is not reaching the
>> >> AopAllianceAnnotationsAuthorizingMethodInterceptor class. I've even put
>> >> a
>> >> System.out there and it only prints when the roles match, so it's not a
>> >> debugger problem.
>> >>
>> >> I'm lost.
>> >>
>> >> Animesh
>> >>
>> >> On Mon, Sep 22, 2008 at 5:36 PM, Animesh Jain <[hidden email]>
>> >> wrote:
>> >>>
>> >>> Yes Jeremy, you're right. It works with a slight modification (but..
>> >>> not
>> >>> fully, which I'll explain below) -
>> >>>
>> >>> bindInterceptor(Matchers.any(),
>> >>>         Matchers.annotatedWith(RequiresRoles.class),
>> >>>         new AopAllianceAnnotationsAuthorizingMethodInterceptor());
>> >>>
>> >>> Basically Guice supports the AOP Alliance api, so
>> >>> RoleAnnotationMethodInterceptor and
>> >>> PermissionAnnotationMethodInterceptor
>> >>> cannot be bound directly as they are not implementing the alliance
>> >>> api's
>> >>> method interceptor. But I think Les has written
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor for this very
>> >>> purpose.
>> >>>
>> >>> Now let's come to the problem..  when I login with a user who has a
>> >>> role
>> >>> (let's say "person") and call a method with the annotation
>> >>> RequiresRole("person"), then the
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor is getting called
>> >>> and the
>> >>> call is in fact going all the way up to RoleAnnotationMethodInterceptor
>> >>> as
>> >>> expected. But if the role is something else then it is supposed to
>> >>> throw a
>> >>> runtime error, which is not happening, the control is not even coming
>> >>> to
>> >>> AopAllianceAnnotationsAuthorizingMethodInterceptor. This is very
>> >>> strange.
>> >>> I'm just using Idea's debugger to see where the calls are going.
>> >>>
>> >>> So basically when all's well i.e. the subject role matches the
>> >>> annotation
>> >>> role, then aop seems to be working. But if the roles are different
>> >>> then aop
>> >>> doesn't seem to be working at all. No errors. Not even getting called.
>> >>>
>> >>> Any clue on what could be happening?
>> >>>
>> >>> Kind regards
>> >>> Animesh
>> >>>
>> >>>
>> >>> On Fri, Sep 19, 2008 at 8:14 PM, Jeremy Haile <[hidden email]>
>> >>> wrote:
>> >>>>
>> >>>> Animesh,
>> >>>> I only have light experience with Guice, but I know it supports AOP
>> >>>> Alliance method interceptors, just like Spring uses - and just like
>> >>>> JSecurity provides.
>> >>>> I think you'd simply need to bind those method interceptors as
>> >>>> appropriate.  I haven't tried it yet, but I imagine something like
>> >>>> the
>> >>>> following code would work.  Could you please try it out and let me
>> >>>> know if
>> >>>> it works?
>> >>>> binder.bindInterceptor(any(), annotatedWith(RequiresRoles.class),
>> >>>>         new RoleAnnotationMethodInterceptor());
>> >>>> binder.bindInterceptor(any(), annotatedWith(RequiresPermissions.class),
>> >>>>         new PermissionAnnotationMethodInterceptor());
>> >>>> Jeremy
>> >>>>
>> >>>>
>> >>>> On Sep 18, 2008, at 1:20 PM, Animesh Jain wrote:
>> >>>>
>> >>>> Well, can't really do the AOP part in Spring and the rest in Guice,
>> >>>> it's
>> >>>> just making things unnecessarily intertwined. So I think I'll read up
>> >>>> on
>> >>>> what capabilities Guice has for AOP and try and write a Guice
>> >>>> implementation
>> >>>> for the RequiresRoles and RequiresPermissions tags. Any pointers will
>> >>>> be
>> >>>> appreciated on what I should try to do (on a higher level), because
>> >>>> I've
>> >>>> never tried my hand at AOP before this. Guice does have method
>> >>>> interceptors
>> >>>> I believe and that should be enough here, isn't it?
>> >>>>
>> >>>> Animesh
>> >>>>
>> >>>> On Thu, Sep 18, 2008 at 6:54 PM, Animesh Jain <[hidden email]>
>> >>>> wrote:
>> >>>>>
>> >>>>> Aah! This helps a lot. So I hope I can use this without using Spring
>> >>>>> for the Jsecurity Realm injection - for that I'm using Guice.
>> >>>>> Anyway.. I'll
>> >>>>> try this asap and update on the results. I think Jsecurity
>> >>>>> definitely needs
>> >>>>> some more documentation in a few areas. I'll try and write down a
>> >>>>> few
>> >>>>> tutorials when I find time.
>> >>>>>
>> >>>>> Animesh
>> >>>>>
>> >>>>> On Thu, Sep 18, 2008 at 6:45 PM, Jeremy Haile <[hidden email]>
>> >>>>> wrote:
>> >>>>>>
>> >>>>>> Animesh,
>> >>>>>>
>> >>>>>> Have you added these bean definitions to Spring?
>> >>>>>>
>> >>>>>>     <bean id="lifecycleBeanPostProcessor"
>> >>>>>>           class="org.jsecurity.spring.LifecycleBeanPostProcessor"/>
>> >>>>>>     <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
>> >>>>>>           depends-on="lifecycleBeanPostProcessor"/>
>> >>>>>>     <bean class="org.jsecurity.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
>> >>>>>>         <property name="securityManager" ref="securityManager"/>
>> >>>>>>     </bean>
>> >>>>>>
>> >>>>>> These are declared in webroot/WEB-INF/applicationContext.xml in the
>> >>>>>> spring sample application along with some additional documentation.
>> >>>>>>
>> >>>>>> The first bean helps initialize and destroy JSecurity related
>> >>>>>> beans.
>> >>>>>> The DefaultAdvisorAutoProxyCreator is required to enable Spring's
>> >>>>>> auto-proxying of beans based on annotations.  The last bean adds
>> >>>>>> support
>> >>>>>> for auto-proxying method calls to beans that use JSecurity
>> >>>>>> annotations.
>> >>>>>>
>> >>>>>> I hope this helps - let me know if you have more questions!
>> >>>>>>
>> >>>>>> Jeremy
>> >>>>>>
>> >>>>>> On Thu, 18 Sep 2008 18:30:40 +0530, "Animesh Jain"
>> >>>>>> <[hidden email]> said:
>> >>>>>> > I guess I'm missing setting it up with some AOP framework is it?
>> >>>>>> >
>> >>>>>> > On Wed, Sep 17, 2008 at 11:25 PM, Animesh Jain
>> >>>>>> > <[hidden email]>
>> >>>>>> > wrote:
>> >>>>>> >
>> >>>>>> > > Hi
>> >>>>>> > >
>> >>>>>> > > As I understood from the documentation, a checked exception
>> >>>>>> > > will
>> >>>>>> > > be thrown
>> >>>>>> > > if for eg. a user does not have the role specified by
>> >>>>>> > > @RequiresRoles. But
>> >>>>>> > > nothing's happening, the method gets executed regardless. In my
>> >>>>>> > > particular
>> >>>>>> > > case I want the method to fire only when a user of a particular
>> >>>>>> > > role is
>> >>>>>> > > logged in, but that method is executing even if I try after
>> >>>>>> > > logout. What am
>> >>>>>> > > I missing :|
>> >>>>>> > >
>> >>>>>> > > Animesh
>> >>>>>> > >
>> >>>>>
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>
>


Re: Is there some sort of setup required in webapp to get annotations to work

Les Hazlewood
Administrator
In reply to this post by Jeremy Haile
At the time I wrote them, my thinking was that they wouldn't implement
them because AOP Alliance is not an industry/JSR standard - so there
are other implementations (like the JBoss one, that I've since removed
until we can focus on a more complete JBoss solution), or maybe
WebLogic or WebSphere that would have different implementations.
So, I abstracted the little that JSecurity needed into an interface,
and left the specific AOP framework's APIs to implementations.

On Mon, Sep 22, 2008 at 8:52 AM, Jeremy Haile <[hidden email]> wrote:

> Les,
>
> I'm curious - why don't our method interceptors implement the AOP alliance
> interfaces?  This is a pretty standard thing, used by Spring, Guice, etc.
> Either way, seems like the AOP Alliance class is misplaced in the Spring
> module - since AOP Alliance is not Spring-specific.  I think this should all
> be moved into core.
>
> Jeremy
>
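
The design Les describes in the post above (a framework-neutral interceptor contract plus a thin AOP Alliance adapter, which is what Guice's bindInterceptor needs), sketched as an added example that is not JSecurity's own code and not part of the original thread. RequiresRole, AuthzCheck, RoleCheck, AopAllianceAdapter, currentRoles and ReportService are hypothetical stand-ins; it assumes Guice and aopalliance on the classpath and Java 9+.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.matcher.Matchers;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;

public class GuiceAuthzDemo {
    // Hypothetical stand-in for a role annotation; Guice's annotatedWith matcher needs RUNTIME retention.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface RequiresRole { String value(); }

    // Framework-neutral contract: no Guice, Spring or AOP Alliance types appear here.
    interface AuthzCheck { void assertAuthorized(Method m); }

    // Constructed stand-in for the roles of the current subject (empty = logged out).
    static Set<String> currentRoles = Set.of();

    static class RoleCheck implements AuthzCheck {
        public void assertAuthorized(Method m) {
            RequiresRole r = m.getAnnotation(RequiresRole.class);
            if (r != null && !currentRoles.contains(r.value()))
                throw new SecurityException("role '" + r.value() + "' required for " + m.getName());
        }
    }

    // Thin adapter: the only class that touches the AOP Alliance API.
    static class AopAllianceAdapter implements MethodInterceptor {
        private final AuthzCheck check;
        AopAllianceAdapter(AuthzCheck check) { this.check = check; }
        public Object invoke(MethodInvocation inv) throws Throwable {
            check.assertAuthorized(inv.getMethod()); // deny before the target method runs
            return inv.proceed();
        }
    }

    // Guice only intercepts non-final, non-private methods on instances it creates itself.
    public static class ReportService {
        @RequiresRole("person") public String report() { return "report body"; }
    }

    public static void main(String[] args) {
        ReportService svc = Guice.createInjector(new AbstractModule() {
            @Override protected void configure() {
                bindInterceptor(Matchers.any(), Matchers.annotatedWith(RequiresRole.class),
                        new AopAllianceAdapter(new RoleCheck()));
            }
        }).getInstance(ReportService.class);

        try {
            svc.report();
            throw new AssertionError("annotation was not enforced");
        } catch (SecurityException expected) {
            System.out.println("denied: " + expected.getMessage());
        }
        currentRoles = Set.of("person");
        System.out.println(svc.report());                 // allowed once the role is present
        currentRoles = Set.of();
        System.out.println(new ReportService().report()); // runs unchecked: not created by Guice
    }
}
```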