Posted to user@hivemind.apache.org by Aleksej <al...@ivs.lt> on 2006/08/25 10:44:03 UTC

Hivetranse Lock: User is in specified role but access is still denied

Hi, list!
I have a service which has a moveNodeUp method.
When I run code which calls that method I get an
Unregistered user cannot access method
myPackage.StructureLogic.moveNodeUp exception,
but I am sure that the user IS in the structure-admin role (I tested it).
Here is my service definition:
-----
<service-point id="Logic" interface="StructureLogic">
        <invoke-factory model="threaded">
            <construct class="impl.StructureLogicImpl">
            </construct>
        </invoke-factory>
        <interceptor service-id="hivelock.core.AuthorizationInterceptor">
            <method pattern="moveNodeUp" roles="structure-admin" />
            <method pattern="*" roles="*" />
        </interceptor>       
</service-point>
-----
Maybe I forgot something?




Re: Hivetranse Lock: User is in specified role but access is still denied

Posted by Aleksej <al...@ivs.lt>.
Hi Jean,
I solved that problem by simply writing my own interceptor, which works
almost like yours, but with the difference that the user credentials are
moved into a separate interface, SecurityInfoProvider, and injected as a
service into my security interceptor. In this case I get a very portable
service which only requires writing a SecurityInfoProvider service
implementation, and the authorization service will work.
Here are some code and config samples:
-----
Hivemind part ( without configuration schemes ):
    <service-point id="AuthorizationInterceptor"
                   interface="org.apache.hivemind.ServiceInterceptorFactory"
                   parameters-schema-id="Method">
        <invoke-factory model="primitive">
            <construct class="impl.AuthorizationInterceptorFactory" />
        </invoke-factory>
    </service-point>
   
    <service-point id="SecutiryInfoProvider"
                   interface="ivs.common.auth.SecurityInfoProvider">
        <invoke-factory model="singleton">
            <construct class="impl.DummySecurityInfoProviderImpl" />
        </invoke-factory>
    </service-point>
-----
SecurityInfoProvider.java:

import java.util.List;

// Supplies the current user's name and role membership to the interceptor.
public interface SecurityInfoProvider
{
    String getUserName();
    boolean isUserInRoles( List roles );
}
-----
and there is a project-specific SecutiryInfoProvider service
implementation, which overwrites the default Dummy implementation, which
normally does nothing. What do you think? If this idea is OK, is it
possible for you to include such a solution in Hivetranse? Because it's
better to have a centralized solution for a problem than to modify other
people's code or write your own.

Jean-Francois Poilpret wrote:
> Hi Aleksej,
>
> I don't know Tapestry very well so it will be hard for me to give you a
> sample code that will work.
> Yes, HiveLockFilter depends on HiveMindFilter to work correctly.
> Now your way to fix the problem will depend on how Tapestry can give you
> access to the Registry:
>
> 1. if Tapestry uses a ServletFilter (something like HiveMindFilter but
> different) to setup the Registry and to give access to it (through
> HttpRequest, HttpSession or whatever...), then I would say that your best
> option would be to derive from HiveLockFilter and override the
> initSecurityService() method to get the HiveMind Registry with the "tapestry
> way" and get the hivelock.SecurityService out of it.
>
> 2. if Tapestry instantiates the Registry directly in its Servlet (no
> Filter), then you'll have to find a Tapestry way (listener or something
> equivalent) to be notified just before and just after a request gets
> processed by Tapestry, in your "listener" you'll have to get access to
> hivelock.SecurityService (I believe you would have injection possibilities
> here) and call setCurrentUser/clearCurrentUser methods of SecurityService
> (take a look at the code in HiveLockFilter, but you can let aside the
> additional specific code that manages HttpSessions lifecycle).
>
> Let me know about your results!
>
> Regards
>
> Jean-Francois
>
> -----Original Message-----
> From: Aleksej [mailto:aleksej@ivs.lt] 
> Sent: Monday, August 28, 2006 2:55 PM
> To: user@hivemind.apache.org
> Subject: Re: Hivetranse Lock: User is in specified role but access is still
> denied
>
> Hi Jean!
> Thanks for the answer. I am using HiveLock with Tapestry4. I was looking in
> the javadocs about HiveLockFilter, but it is still unclear to me which
> filters I need to use. According to the HiveLockFilter javadocs I need to use
> org.apache.hivemind.servlet.HiveMindFilter, but I think that Tapestry
> already implements the required functionality.
>
>
> Jean-Francois Poilpret wrote:
>> Hello Aleksej,
>>
>> One important point for the AuthorizationInterceptor to work correctly is to
>> make sure to call SecurityService.setCurrentUser() at some point (early) in
>> the call stack.
>>
>> If you use the HiveLockFilter (ServletFilter) according to the way it is
>> documented (in the javadoc of this class), then you have nothing special to
>> do here (the filter will call SecurityService.setCurrentUser()
>> automatically), and everything should be fine. If you do not use it, then
>> you have to replace it in some way.
>>
>> Can you provide more detail about your configuration (web.xml,
>> hivemodule.xml)?
>> How do you manage authentication on the server side?
>>
>> A practical usage example of HiveLock is in the sample code that comes with
>> HiveMind Utilities, you might consider taking a look at it.
>>
>> Don't hesitate to ask if you have questions (although normally the hivemind
>> users list is not supposed to be used for support on HiveMind Utilities, I
>> hope that subscribers to this list don't feel bored about these messages,
>> please talk if you cannot stand HiveMind Utilities mails in this list).
>>
>> Cheers
>>
>> Jean-Francois
>>
>> -----Original Message-----
>> From: Aleksej [mailto:aleksej@ivs.lt] 
>> Sent: Friday, August 25, 2006 3:44 PM
>> To: hivemind-user@jakarta.apache.org
>> Subject: Hivetranse Lock: User is in specified role but access is still
>> denied
>>
>> Hi, list!
>> I have a service which has a moveNodeUp method.
>> When I run code which calls that method I get an
>> Unregistered user cannot access method
>> myPackage.StructureLogic.moveNodeUp exception,
>> but I am sure that the user IS in the structure-admin role (I tested it).
>> Here is my service definition:
>> -----
>> <service-point id="Logic" interface="StructureLogic">
>>         <invoke-factory model="threaded">
>>             <construct class="impl.StructureLogicImpl">
>>             </construct>
>>         </invoke-factory>
>>         <interceptor service-id="hivelock.core.AuthorizationInterceptor">
>>             <method pattern="moveNodeUp" roles="structure-admin" />
>>             <method pattern="*" roles="*" />
>>         </interceptor>       
>> </service-point>
>> -----
>> Maybe I forgot something?


RE: Hivetranse Lock: User is in specified role but access is still denied

Posted by Jean-Francois Poilpret <jf...@hcm.vnn.vn>.
Hi Aleksej,

I don't know Tapestry very well so it will be hard for me to give you a
sample code that will work.
Yes, HiveLockFilter depends on HiveMindFilter to work correctly.
Now your way to fix the problem will depend on how Tapestry can give you
access to the Registry:

1. if Tapestry uses a ServletFilter (something like HiveMindFilter but
different) to setup the Registry and to give access to it (through
HttpRequest, HttpSession or whatever...), then I would say that your best
option would be to derive from HiveLockFilter and override the
initSecurityService() method to get the HiveMind Registry with the "tapestry
way" and get the hivelock.SecurityService out of it.

2. if Tapestry instantiates the Registry directly in its Servlet (no
Filter), then you'll have to find a Tapestry way (listener or something
equivalent) to be notified just before and just after a request gets
processed by Tapestry, in your "listener" you'll have to get access to
hivelock.SecurityService (I believe you would have injection possibilities
here) and call setCurrentUser/clearCurrentUser methods of SecurityService
(take a look at the code in HiveLockFilter, but you can let aside the
additional specific code that manages HttpSessions lifecycle).

Let me know about your results!

Regards

Jean-Francois

-----Original Message-----
From: Aleksej [mailto:aleksej@ivs.lt] 
Sent: Monday, August 28, 2006 2:55 PM
To: user@hivemind.apache.org
Subject: Re: Hivetranse Lock: User is in specified role but access is still
denied

Hi Jean!
Thanks for the answer. I am using HiveLock with Tapestry4. I was looking in
the javadocs about HiveLockFilter, but it is still unclear to me which
filters I need to use. According to the HiveLockFilter javadocs I need to use
org.apache.hivemind.servlet.HiveMindFilter, but I think that Tapestry
already implements the required functionality.


Jean-Francois Poilpret wrote:
> Hello Aleksej,
>
> One important point for the AuthorizationInterceptor to work correctly is to
> make sure to call SecurityService.setCurrentUser() at some point (early) in
> the call stack.
>
> If you use the HiveLockFilter (ServletFilter) according to the way it is
> documented (in the javadoc of this class), then you have nothing special to
> do here (the filter will call SecurityService.setCurrentUser()
> automatically), and everything should be fine. If you do not use it, then
> you have to replace it in some way.
>
> Can you provide more detail about your configuration (web.xml,
> hivemodule.xml)?
> How do you manage authentication on the server side?
>
> A practical usage example of HiveLock is in the sample code that comes with
> HiveMind Utilities, you might consider taking a look at it.
>
> Don't hesitate to ask if you have questions (although normally the hivemind
> users list is not supposed to be used for support on HiveMind Utilities, I
> hope that subscribers to this list don't feel bored about these messages,
> please talk if you cannot stand HiveMind Utilities mails in this list).
>
> Cheers
>
> Jean-Francois
>
> -----Original Message-----
> From: Aleksej [mailto:aleksej@ivs.lt] 
> Sent: Friday, August 25, 2006 3:44 PM
> To: hivemind-user@jakarta.apache.org
> Subject: Hivetranse Lock: User is in specified role but access is still
> denied
>
> Hi, list!
> I have a service which has a moveNodeUp method.
> When I run code which calls that method I get an
> Unregistered user cannot access method
> myPackage.StructureLogic.moveNodeUp exception,
> but I am sure that the user IS in the structure-admin role (I tested it).
> Here is my service definition:
> -----
> <service-point id="Logic" interface="StructureLogic">
>         <invoke-factory model="threaded">
>             <construct class="impl.StructureLogicImpl">
>             </construct>
>         </invoke-factory>
>         <interceptor service-id="hivelock.core.AuthorizationInterceptor">
>             <method pattern="moveNodeUp" roles="structure-admin" />
>             <method pattern="*" roles="*" />
>         </interceptor>       
> </service-point>
> -----
> Maybe I forgot something?


Re: Hivetranse Lock: User is in specified role but access is still denied

Posted by Aleksej <al...@ivs.lt>.
Hi Jean!
Thanks for the answer. I am using HiveLock with Tapestry4. I was looking in
the javadocs about HiveLockFilter, but it is still unclear to me which
filters I need to use. According to the HiveLockFilter javadocs I need to use
org.apache.hivemind.servlet.HiveMindFilter, but I think that Tapestry
already implements the required functionality.


Jean-Francois Poilpret wrote:
> Hello Aleksej,
>
> One important point for the AuthorizationInterceptor to work correctly is to
> make sure to call SecurityService.setCurrentUser() at some point (early) in
> the call stack.
>
> If you use the HiveLockFilter (ServletFilter) according to the way it is
> documented (in the javadoc of this class), then you have nothing special to
> do here (the filter will call SecurityService.setCurrentUser()
> automatically), and everything should be fine. If you do not use it, then
> you have to replace it in some way.
>
> Can you provide more detail about your configuration (web.xml,
> hivemodule.xml)?
> How do you manage authentication on the server side?
>
> A practical usage example of HiveLock is in the sample code that comes with
> HiveMind Utilities, you might consider taking a look at it.
>
> Don't hesitate to ask if you have questions (although normally the hivemind
> users list is not supposed to be used for support on HiveMind Utilities, I
> hope that subscribers to this list don't feel bored about these messages,
> please talk if you cannot stand HiveMind Utilities mails in this list).
>
> Cheers
>
> Jean-Francois
>
> -----Original Message-----
> From: Aleksej [mailto:aleksej@ivs.lt] 
> Sent: Friday, August 25, 2006 3:44 PM
> To: hivemind-user@jakarta.apache.org
> Subject: Hivetranse Lock: User is in specified role but access is still
> denied
>
> Hi, list!
> I have a service which has a moveNodeUp method.
> When I run code which calls that method I get an
> Unregistered user cannot access method
> myPackage.StructureLogic.moveNodeUp exception,
> but I am sure that the user IS in the structure-admin role (I tested it).
> Here is my service definition:
> -----
> <service-point id="Logic" interface="StructureLogic">
>         <invoke-factory model="threaded">
>             <construct class="impl.StructureLogicImpl">
>             </construct>
>         </invoke-factory>
>         <interceptor service-id="hivelock.core.AuthorizationInterceptor">
>             <method pattern="moveNodeUp" roles="structure-admin" />
>             <method pattern="*" roles="*" />
>         </interceptor>       
> </service-point>
> -----
> Maybe I forgot something?


RE: Hivetranse Lock: User is in specified role but access is still denied

Posted by Jean-Francois Poilpret <jf...@hcm.vnn.vn>.
Hello Aleksej,

One important point for the AuthorizationInterceptor to work correctly is to
make sure to call SecurityService.setCurrentUser() at some point (early) in
the call stack.

If you use the HiveLockFilter (ServletFilter) according to the way it is
documented (in the javadoc of this class), then you have nothing special to
do here (the filter will call SecurityService.setCurrentUser()
automatically), and everything should be fine. If you do not use it, then
you have to replace it in some way.

Can you provide more detail about your configuration (web.xml,
hivemodule.xml)?
How do you manage authentication on the server side?

A practical usage example of HiveLock is in the sample code that comes with
HiveMind Utilities, you might consider taking a look at it.

Don't hesitate to ask if you have questions (although normally the hivemind
users list is not supposed to be used for support on HiveMind Utilities, I
hope that subscribers to this list don't feel bored about these messages,
please talk if you cannot stand HiveMind Utilities mails in this list).

Cheers

Jean-Francois

-----Original Message-----
From: Aleksej [mailto:aleksej@ivs.lt] 
Sent: Friday, August 25, 2006 3:44 PM
To: hivemind-user@jakarta.apache.org
Subject: Hivetranse Lock: User is in specified role but access is still
denied

Hi, list!
I have a service which has a moveNodeUp method.
When I run code which calls that method I get an
Unregistered user cannot access method
myPackage.StructureLogic.moveNodeUp exception,
but I am sure that the user IS in the structure-admin role (I tested it).
Here is my service definition:
-----
<service-point id="Logic" interface="StructureLogic">
        <invoke-factory model="threaded">
            <construct class="impl.StructureLogicImpl">
            </construct>
        </invoke-factory>
        <interceptor service-id="hivelock.core.AuthorizationInterceptor">
            <method pattern="moveNodeUp" roles="structure-admin" />
            <method pattern="*" roles="*" />
        </interceptor>       
</service-point>
-----
Maybe I forgot something?
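
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not HiveLock code: an authorization interceptor (here a plain java.lang.reflect.Proxy) rejects every call as "unregistered" until something binds the current user to the request thread, whatever roles that user holds. The ThreadLocal context, the secure() helper, the reading of roles="*" as "any authenticated user" and the sample user are assumptions of this sketch; SecurityInfoProvider follows the interface posted in the thread.

```java
import java.lang.reflect.*;
import java.util.*;

public class AuthorizationSketch {
    // Interface from the thread (generics added for this sketch).
    interface SecurityInfoProvider {
        String getUserName();
        boolean isUserInRoles(List<String> roles);
    }
    interface StructureLogic { String moveNodeUp(); }

    // Hypothetical per-thread user context: stands in for what a servlet filter
    // would populate before a request and clear after it.
    static final ThreadLocal<String> USER = new ThreadLocal<>();
    static final ThreadLocal<Set<String>> ROLES = new ThreadLocal<>();

    static final SecurityInfoProvider PROVIDER = new SecurityInfoProvider() {
        public String getUserName() { return USER.get(); }
        public boolean isUserInRoles(List<String> roles) {
            Set<String> mine = ROLES.get();
            return mine != null && roles.stream().anyMatch(mine::contains);
        }
    };

    // Wraps a service so every call is checked against the rule for its method name.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target,
                        Map<String, List<String>> rules, SecurityInfoProvider sec) {
        InvocationHandler h = (proxy, m, args) -> {
            if (sec.getUserName() == null)   // no user bound: role membership is never consulted
                throw new SecurityException("Unregistered user cannot access method " + m.getName());
            List<String> roles = rules.getOrDefault(m.getName(), rules.get("*"));
            if (roles == null || !(roles.contains("*") || sec.isUserInRoles(roles)))  // fail closed
                throw new SecurityException(sec.getUserName() + " lacks a role for " + m.getName());
            try { return m.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    public static void main(String[] a) {
        Map<String, List<String>> rules =
            Map.of("moveNodeUp", List.of("structure-admin"), "*", List.of("*"));
        StructureLogic logic = secure(StructureLogic.class, () -> "moved", rules, PROVIDER);
        try { logic.moveNodeUp(); }                                // nothing bound to this thread yet
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        USER.set("alice"); ROLES.set(Set.of("structure-admin"));   // constructed sample user
        try { System.out.println("allowed: " + logic.moveNodeUp()); }
        finally { USER.remove(); ROLES.remove(); }                 // always clear pooled threads
    }
}
```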