views:

31

answers:

1

Hi all ,

As I say in the title of my question, I don't succeed in configuring Spring Security... I've followed two articles written by James Ward or Jettro Coenradie but I still don't have it !

First I tried to make all this working in a fake project, and it worked well, thant I tried in the "real" project. The configuration files are exactly the same regarding Spring Security, but the real project fails.

My config In web.xml :

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/config/applicationContext.xml</param-value>
</context-param>

...

<filter>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>  
    <filter-name>springSecurityFilterChain</filter-name>  
    <url-pattern>/*</url-pattern>
</filter-mapping>

    ...

<servlet>
    <servlet-name>Spring MVC Servlet Dispatcher</servlet-name>
    <display-name>Spring MVC Servlet Dispatcher</display-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/config/webApplicationContext.xml</param-  value>
        </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

In applicationContext.xml :

<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

<security:http entry-point-ref="preAuthenticatedEntryPoint">
    <security:anonymous enabled="false"/>
</security:http>

<bean id="preAuthenticatedEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

<security:authentication-manager>
    <security:authentication-provider>
        <security:user-service>
            <security:user name="arnaud" password="arnaud" authorities="ROLE_USER"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

In webApplicationContext.xml ceci :

<flex:message-broker>
    <flex:secured />
</flex:message-broker>

And in each bean service :

<security:intercept-methods>
    <security:protect method="*" access="ROLE_USER" />
</security:intercept-methods>

First I tried to replace this last piece of code by annotations @Secured("ROLE_USER"), which didn't work, that's why I used the security:intercept-methods and security:protect tags.

In my first fake project, when I launch my flex application (a simple datagrid retrieving a list of products), the products are not loaded and I have a FaultEvent dispatched, so Spring Security works.

In the second project, the real one, I have an error on deploy telling me that "*" (or "findAll" when I tried) is not a valid method name.

With

<security:protect method="com.blablabla.UserService.findAll" access="ROLE_USER" />

I no longer have this error, and I can launch my flex application.

But when I launch it, all my users (yes, in this second application I retrieve users, not products) are loaded in the datagrid ! Which means the security doesn't work at all.

It's driving me crazy !

A: 

I would have expected to see some <security:intercept-url> elements in the <security:http> element.

Stephen C