[bean,access] Prevent Method call without Exception using @PreAuthorize

Prevent Method call without Exception using @PreAuthorize Annotation
package com.myapp;

public class MyMethodSecurityInterceptor extends MethodSecurityInterceptor {

@Override
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null;
try {
InterceptorStatusToken token = super.beforeInvocation(mi);
} catch (AccessDeniedException e) {
(to be continue...)

(continue)
// access denied - do not invoke the method and return null
return null;
}

// access granted - proceed with the method invocation
try {
result = mi.proceed();
} finally {
result = super.afterInvocation(token, result);
}

return result;
}
}

<aop:config>

<aop:pointcut id="myMethods"
expression='execution(* com.myapp.myService+.*(..))'/>
<aop:advisor advice-ref="mySecurityInterceptor" pointcut-ref="myMethods"/>
</aop:config>


<bean id="mySecurityInterceptor"
class="com.myapp.MyMethodSecurityInterceptor">
<property name="securityMetadataSource">
<bean class="org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
</constructor-arg>
</bean>
</constructor-arg>
</bean>
</property>
<property name="validateConfigAttributes" value="false"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="authenticationManager" ref="authenticationManager"/>
</bean>


<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
<constructor-arg>
<bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"/>
</constructor-arg>
</bean>
</list>
</property>
</bean>




@Aspect
public class AccessDeniedHaltPreventionAdvice {
private final Log logger = LogFactory.getLog(AccessDeniedHaltPrevention.class);

@Around("execution(@org.springframework.security.access.prepost.PreAuthorize * *(..))")
public Object preventAccessDeniedHalting(ProceedingJoinPoint pjp) throws Throwable{
Object retVal = null;
try{
retVal = pjp.proceed();
}catch(AccessDeniedException ade){
logger.debug("** Access Denied ** ");
}catch(Throwable t){
throw t;
}
return retVal;
}

<aop:aspectj-autoproxy/>

public class SkipMethodCallAccessDecisionManager extends AffirmativeBased {
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes){
try{
super.decide(authentication, object, configAttributes);
}catch(AccessDeniedException adex){
logger.debug("Access Denied on:" + object);
}
}
}

<sec:global-method-security pre-post-annotations="enabled" access-decision-manager-ref="skipMethodCallAccessDecisionManager "/>

<bean id="skipMethodCallAccessDecisionManager" class="com.application.auth.vote.SkipMethodCallAccessDecisionManager ">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter">
<constructor-arg ref="expressionBasedPreInvocationAdvice"/>
</bean>

<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</property>
</bean>

<bean id="expressionBasedPreInvocationAdvice" class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
<property name="expressionHandler" ref="expressionHandler"/>
</bean>

Date: 2012-07-06 14:40:03 and last modified: 2012-07-06 14:40:03

Relate tags:

access
bean

[bean,access] Prevent Method call without Exception using @PreAuthorize

Relate tags:

Relate posts:

Recent posts:

Hot tags: