views:

177

answers:

1

Hey guys,

I have an app that uses Spring security and BlazeDS. Flex 3.2 is used for the client app. Generally client app makes service calls using RemoteObjects.

However, for certain cases client app is sending a request to a URL. We're using Annotated Controllers for URL mapping. Here's where the "Access is denied" exception comes up:

2010-04-12 11:43:23,486 [qtp5138683-16] ERROR fr.plasticomnium.gpoc.utils.ServiceExceptionInterceptor - Unexpected RuntimeException : Access is denied org.springframework.security.access.AccessDeniedException: Access is denied at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:64) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at fr.plasticomnium.gpoc.utils.ServiceExceptionInterceptor.invoke(ServiceExceptionInterceptor.java:15) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89) at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172) at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202) ... ...

+1  A: 

The best way to get some insight into what is going on is to crank logging up the DEBUG and then take a look at the logs while the offending request is happening.

My guess is that your SpringSecurity config is applying the wrong access rules to the request. If you post the request URL and the access control config, we might be able to figure out what exactly is happening. But my initial suspicion would be that:

  • you have the <intercept-url> elements in the wrong order, or
  • you are using method attributes in some of your <intercept-url> elements, and haven't got your head around the (IMO counter-intuitive) consequences.
Stephen C