hivemind-user mailing list archives

From Aleksej <alek...@ivs.lt>
Subject Re: Hivetranse Lock: User is in specified role but access is still denied
Date Wed, 30 Aug 2006 05:27:36 GMT
Hi Jean,
I solved that problem by simply writing my own interceptor, which works
almost like yours, but with the difference that user credentials are moved
into a separate interface, SecurityInfoProvider, and injected as a service
into my security interceptor. In this case I got a very portable service,
which only requires writing a SecurityInfoProvider service implementation,
and the authorization service will work.
Here are some code and config samples:
-----
HiveMind part (without configuration schemes):
    <service-point id="AuthorizationInterceptor"
                   interface="org.apache.hivemind.ServiceInterceptorFactory"
                   parameters-schema-id="Method">
        <invoke-factory model="primitive">
            <construct class="impl.AuthorizationInterceptorFactory" />
        </invoke-factory>
    </service-point>

    <service-point id="SecutiryInfoProvider"
                   interface="ivs.common.auth.SecurityInfoProvider">
        <invoke-factory model="singleton">
            <construct class="impl.DummySecurityInfoProviderImpl" />
        </invoke-factory>
    </service-point>
-----
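SecurityInfoProvider.java:

import java.util.List;

public interface SecurityInfoProvider
{
    // Name of the current user
    String getUserName();
    // Whether the current user is in the given roles
    boolean isUserInRoles( List roles );
}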
-----
And there is a project-specific SecutiryInfoProvider service
implementation, which overwrites the default Dummy implementation, which
normally does nothing. What do you think? If this idea is OK, is it
possible for you to include such a solution in Hivetranse? Because it's
better to have a centralized solution for a problem than to modify other
people's code or write your own.

Jean-Francois Poilpret wrote:
> Hi Aleksej,
>
> I don't know Tapestry very well so it will be hard for me to give you a
> sample code that will work.
> Yes, HiveLockFilter depends on HiveMindFilter to work correctly.
> Now your way to fix the problem will depend on how Tapestry can give you
> access to the Registry:
>
> 1. if Tapestry uses a ServletFilter (something like HiveMindFilter but
> different) to setup the Registry and to give access to it (through
> HttpRequest, HttpSession or whatever...), then I would say that your best
> option would be to derive from HiveLockFilter and override the
> initSecurityService() method to get the HiveMind Registry with the "tapestry
> way" and get the hivelock.SecurityService out of it.
>
> 2. if Tapestry instantiates the Registry directly in its Servlet (no
> Filter), then you'll have to find a Tapestry way (listener or something
> equivalent) to be notified just before and just after a request gets
> processed by Tapestry, in your "listener" you'll have to get access to
> hivelock.SecurityService (I believe you would have injection possibilities
> here) and call setCurrentUser/clearCurrentUser methods of SecurityService
> (take a look at the code in HiveLockFilter, but you can leave aside the
> additional specific code that manages HttpSessions lifecycle).
>
> Let me know about your results!
>
> Regards
>
> Jean-Francois
>
> -----Original Message-----
> From: Aleksej [mailto:aleksej@ivs.lt] 
> Sent: Monday, August 28, 2006 2:55 PM
> To: user@hivemind.apache.org
> Subject: Re: Hivetranse Lock: User is in specified role but access is still
> denied
>
> Hi Jean!
> Thanks for the answer. I am using HiveLock with Tapestry4. I was looking in
> the javadocs about HiveLockFilter but it is still unclear to me which
> filters I need to use. According to the HiveLockFilter javadocs I need to use
> org.apache.hivemind.servlet.HiveMindFilter, but I think that Tapestry
> already implements the required functionality.
>
>
> Jean-Francois Poilpret wrote:
>   
>> Hello Aleksej,
>>
>> One important point for the AuthorizationInterceptor to work correctly is to
>> make sure to call SecurityService.setCurrentUser() at some point (early) in
>> the call stack.
>>
>> If you use the HiveLockFilter (ServletFilter) according to the way it is
>> documented (in the javadoc of this class), then you have nothing special to
>> do here (the filter will call SecurityService.setCurrentUser()
>> automatically), and everything should be fine. If you do not use it, then
>> you have to replace it in some way.
>>
>> Can you provide more detail about your configuration (web.xml,
>> hivemodule.xml)?
>> How do you manage authentication on the server side?
>>
>> A practical usage example of HiveLock is in the sample code that comes with
>> HiveMind Utilities, you might consider taking a look at it.
>>
>> Don't hesitate to ask if you have questions (although normally the hivemind
>> users list is not supposed to be used for support on HiveMind Utilities, I
>> hope that subscribers to this list don't feel bored about these messages,
>> please talk if you cannot stand HiveMind Utilities mails in this list).
>>
>> Cheers
>>
>> Jean-Francois
>>
>> -----Original Message-----
>> From: Aleksej [mailto:aleksej@ivs.lt] 
>> Sent: Friday, August 25, 2006 3:44 PM
>> To: hivemind-user@jakarta.apache.org
>> Subject: Hivetranse Lock: User is in specified role but access is still
>> denied
>>
>> Hi, list!
>> I have a service which has a moveNodeUp method.
>> When I run code which calls that method I get an
>> "Unregistered user cannot access method
>> myPackage.StructureLogic.moveNodeUp" exception,
>> but I am sure that the user IS in the structure-admin role (I tested it).
>> Here is my service definition:
>> -----
>> <service-point id="Logic" interface="StructureLogic">
>>         <invoke-factory model="threaded">
>>             <construct class="impl.StructureLogicImpl">
>>             </construct>
>>         </invoke-factory>
>>         <interceptor service-id="hivelock.core.AuthorizationInterceptor">
>>             <method pattern="moveNodeUp" roles="structure-admin" />
>>             <method pattern="*" roles="*" />
>>         </interceptor>       
>> </service-point>
>> -----
>> Maybe I forgot something?
>   
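
Added example, not code from this thread or from HiveLock: a plain-JDK dynamic proxy that enforces method-pattern/role rules like those in the quoted service definition by asking an injected SecurityInfoProvider. The StructureLogic method set, the rule map, the reading of "*" as "any authenticated user" and the sample user are assumptions made for illustration.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.*;

public class AuthorizationProxyDemo {
    // Interface as posted in the message above.
    public interface SecurityInfoProvider {
        String getUserName();
        boolean isUserInRoles(List roles);
    }
    // Hypothetical service shape, named after the one in the quoted configuration.
    public interface StructureLogic { String moveNodeUp(); String list(); }
    // rules: method pattern -> allowed roles, first match wins; no matching rule means deny.
    @SuppressWarnings("unchecked")
    static <T> T secure(Class<T> iface, T target, SecurityInfoProvider info,
                        Map<String, List<String>> rules) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface },
            (proxy, method, args) -> {
                // No current user: deny even if the account holds the role (the symptom in this thread).
                String user = info.getUserName();
                if (user == null) throw new SecurityException("no current user for " + method.getName());
                List<String> roles = null;
                for (Map.Entry<String, List<String>> r : rules.entrySet())
                    if (r.getKey().equals("*") || r.getKey().equals(method.getName())) { roles = r.getValue(); break; }
                if (roles == null || !(roles.contains("*") || info.isUserInRoles(roles)))
                    throw new SecurityException("user " + user + " may not call " + method.getName());
                try { return method.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); } // rethrow the service's own exception
            });
    }
    // Constructed sample provider: a fixed user name and a fixed set of held roles.
    static SecurityInfoProvider provider(String name, Set<String> held) {
        return new SecurityInfoProvider() {
            public String getUserName() { return name; }
            public boolean isUserInRoles(List roles) { return !Collections.disjoint(held, roles); }
        };
    }
    public static void main(String[] a) {
        Map<String, List<String>> rules = new LinkedHashMap<>(); // insertion order = rule order
        rules.put("moveNodeUp", List.of("structure-admin"));
        rules.put("*", List.of("*"));
        StructureLogic impl = new StructureLogic() {
            public String moveNodeUp() { return "moved"; }
            public String list() { return "listed"; }
        };
        StructureLogic svc = secure(StructureLogic.class, impl, provider("bob", Set.of("editor")), rules);
        System.out.println(svc.list());
        try { svc.moveNodeUp(); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Requires Java 9 or later for List.of and Set.of.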

