Posted to dev@camel.apache.org by "Paul Mietz Egli (JIRA)" <ji...@apache.org> on 2010/07/21 20:51:52 UTC

[jira] Issue Comment Edited: (CAMEL-2796) camel-spring-security: provide reference to the policy when authorization fails

    [ https://issues.apache.org/activemq/browse/CAMEL-2796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=60831#action_60831 ] 

Paul Mietz Egli edited comment on CAMEL-2796 at 7/21/10 2:50 PM:
-----------------------------------------------------------------

Willem, thanks for the update.  There is still an issue with this change, however.  If the SpringSecurityAuthorizationPolicy.authenticateIfRequired() method throws an exception (for example, a BadCredentialsException in the case where the username or password is incorrect), the policy ID header will not be set, which means that it won't be available for the thrown CamelAuthorizationException.  The fix is pretty easy -- we just need to add the line which sets the policy ID header to the outer catch block.  Working on a patch now.

      was (Author: pegli):
    Willem, thanks for the update.  There is still an issue with this change, however.  If the SpringSecurityAuthorizationPolicy.authenticateIfRequired() method throws an exception (for example, a BadCredentialsException in the case where the username or password is incorrect), the policy ID header will not be set, which means that it won't be available for the thrown CamelAuthorizationException.  The fix is pretty easy -- we just need to move the code which sets the policy ID header to the top of the try/catch block.
  
> camel-spring-security: provide reference to the policy when authorization fails
> -------------------------------------------------------------------------------
>
>                 Key: CAMEL-2796
>                 URL: https://issues.apache.org/activemq/browse/CAMEL-2796
>             Project: Apache Camel
>          Issue Type: Improvement
>    Affects Versions: 2.3.0
>            Reporter: Paul Mietz Egli
>            Assignee: Willem Jiang
>             Fix For: 2.4.0
>
>
> While it is possible to set up different policies to enforce authorization rules on Camel routes with the new camel-spring-security plugin, there is currently no way to tell which policy was being enforced when an org.springframework.security.SpringSecurityException is thrown.  It would be very helpful to have a reference to the policy ID in the CamelAuthorizationException or in the headers so we can use it in the onException handlers.
> For example, let's say you have two policies:
> {code}
>   <authorizationPolicy id="user" access="ROLE_USER" authenticationManager="authenticationManager" accessDecisionManager="accessDecisionManager"
>     xmlns="http://camel.apache.org/schema/spring-security" />
>   <authorizationPolicy id="admin" access="ROLE_ADMIN" authenticationManager="authenticationManager" accessDecisionManager="accessDecisionManager"
>     xmlns="http://camel.apache.org/schema/spring-security" />
> {code}
> You also have two routes which use these policies:
> {code}
>     <camelContext id="myCamelContext" xmlns="http://camel.apache.org/schema/spring">
>         <onException useOriginalMessage="true">
>             <exception>org.springframework.security.BadCredentialsException</exception>
>             <handled><constant>true</constant></handled>
>             <to uri="log:auth_error" />
>         </onException>
>         <route>
>             <from uri="direct:adminStart"/>
>             <policy ref="admin">
>                 <to uri="mock:end"/>
>             </policy>
>         </route>
>         <route>
>             <from uri="direct:userStart"/>
>             <policy ref="user">
>                 <to uri="mock:end"/>
>             </policy>
>         </route>
>     </camelContext>
> {code}
> Both of these routes will fail with an AccessDeniedException if the user doesn't have the proper role, but it would be desirable to handle exceptions for the ROLE_ADMIN failure differently than the ROLE_USER failure, maybe by using a <choice> element in the <onException> element.
> I know we have the CamelFailureEndpoint header, but this isn't very useful when more than one route uses the same authorization policy.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
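As an added illustration of the ordering problem described in the comment above (this is not code from camel-spring-security; the class, the header name, and the exception types are stand-ins for the real ones), a minimal Java sketch contrasting the catch block that loses the policy ID with the one that keeps it:

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical model of an authorization policy wrapper; headers stand in for the Camel exchange.
public class PolicyHeaderDemo {
    static final String POLICY_ID_HEADER = "PolicyId"; // assumed header name, not Camel's

    // Stands in for CamelAuthorizationException; carries the headers the onException handler sees.
    static class AuthorizationException extends RuntimeException {
        final Map<String, Object> headers;
        AuthorizationException(String msg, Throwable cause, Map<String, Object> headers) {
            super(msg, cause);
            this.headers = headers;
        }
    }

    // Stands in for authenticateIfRequired(): throws on bad credentials (like BadCredentialsException).
    static void authenticateIfRequired(Map<String, Object> headers) {
        if (!"secret".equals(headers.get("password"))) {
            throw new IllegalArgumentException("Bad credentials");
        }
    }

    // Original ordering: the header is only set once authentication has succeeded,
    // so a failure inside authenticateIfRequired() leaves the handler without the policy ID.
    static void enforceBuggy(String policyId, Map<String, Object> headers) {
        try {
            authenticateIfRequired(headers);
            headers.put(POLICY_ID_HEADER, policyId);
        } catch (RuntimeException e) {
            throw new AuthorizationException("denied", e, headers);
        }
    }

    // Corrected ordering: the header is also set on the failure path before rethrowing.
    static void enforceFixed(String policyId, Map<String, Object> headers) {
        try {
            authenticateIfRequired(headers);
            headers.put(POLICY_ID_HEADER, policyId);
        } catch (RuntimeException e) {
            headers.put(POLICY_ID_HEADER, policyId);
            throw new AuthorizationException("denied", e, headers);
        }
    }

    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            Map<String, Object> headers = new HashMap<>();
            headers.put("password", "wrong"); // constructed bad credential
            try {
                if (fixed) enforceFixed("admin", headers); else enforceBuggy("admin", headers);
            } catch (AuthorizationException e) {
                System.out.println((fixed ? "fixed" : "buggy") + ": policy header = " + e.headers.get(POLICY_ID_HEADER));
            }
        }
    }
}
```

Running it shows the buggy variant reporting no policy header while the fixed variant reports "admin", which is exactly what a per-policy `<choice>` inside `<onException>` would need.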