rvelaz

Reputation: 593

Spring security AccessDecisionManager: roleVoter, Acl Voter

I'm trying to set up a Spring Security 3.2 project using Java Config and no XML at all. I want to have an access decision voter that supports both RoleHierarchyVoter and AclEntryVoters. This is the configuration I'm using:

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AclEntryVoter aclUpdatePropertyVoter;

    @Autowired
    private AclEntryVoter aclDeletePropertyVoter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin()
            .and()
            .logout()
                .deleteCookies("JSESSIONID")
                .logoutSuccessUrl("/")
            .and()
            .authorizeRequests()
                .accessDecisionManager(accessDecisionManager())
                .antMatchers("/login", "/signup/email", "/logout", "/search", "/").permitAll()
                .anyRequest().authenticated();
    }

    @Bean
    public RoleHierarchyVoter roleVoter() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_USER > ROLE_ANONYMOUS");
        RoleHierarchyVoter roleHierarchyVoter = new RoleHierarchyVoter(roleHierarchy);
        return roleHierarchyVoter;
    }

    @Bean
    public AffirmativeBased accessDecisionManager() {
        List<AccessDecisionVoter> decisionVoters = new ArrayList<>();
        WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
        decisionVoters.add(webExpressionVoter);
        decisionVoters.add(roleVoter());
        decisionVoters.add(aclDeletePropertyVoter);
        decisionVoters.add(aclUpdatePropertyVoter);

        AffirmativeBased affirmativeBased = new AffirmativeBased(decisionVoters);
        return affirmativeBased;
    }
}

However, when the app gets initialized I get the following exception:

java.lang.IllegalArgumentException: AccessDecisionManager does not support secure object class: class org.springframework.security.web.FilterInvocation

When debugging the code I can see that when AbstractAccessDecisionManager is called and the following code is executed:

public boolean supports(Class<?> clazz) {
    for (AccessDecisionVoter voter : this.decisionVoters) {
        if (!voter.supports(clazz)) {
            return false;
        }
    }

    return true;
}

RoleHierarchyVoter supports FilterInvocation; however, the AclEntryVoters fail to pass it. What am I doing wrong in the configuration? How can I set up the project so that it supports both types of voters? Thanks a lot in advance.

Upvotes: 3

Views: 4478

Answers (1)

Shaun the Sheep

Reputation: 22762

As you've observed, the acl voters don't support filter invocations as they are intended for checking secured methods, not web requests.

You should configure a separate AccessDecisionManager for use with your method security and add the acl voters to that.

Upvotes: 1
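The separate method-security AccessDecisionManager the answer describes, sketched as an added example that is not part of the original answer or of the asker's project. It assumes the Spring Security 3.2 Java Config API used in the question, reuses the question's voter beans, and the class name MethodSecurityConfig and the use of @Secured are assumptions:

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.acls.AclEntryVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

// Added example (hypothetical class name): method security gets its own
// AccessDecisionManager, separate from the one passed to authorizeRequests().
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true) // assumption: @Secured on service methods
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    private AclEntryVoter aclUpdatePropertyVoter;

    @Autowired
    private AclEntryVoter aclDeletePropertyVoter;

    // The roleVoter() bean declared in the question's WebSecurityConfig.
    @Autowired
    private RoleHierarchyVoter roleVoter;

    // This manager is consulted only by the method-security interceptor, whose
    // secure object is a MethodInvocation, so the ACL voters pass the
    // supports(Class) check that rejects FilterInvocation in the web filter chain.
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter> voters = new ArrayList<>();
        voters.add(roleVoter);
        voters.add(aclUpdatePropertyVoter);
        voters.add(aclDeletePropertyVoter);
        // AffirmativeBased grants access as soon as any one voter grants it.
        return new AffirmativeBased(voters);
    }
}
```

With this in place, the two AclEntryVoter lines are dropped from the web accessDecisionManager() bean in the question, leaving only voters that accept FilterInvocation there.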
