AppFuse

UserSecurityAdvice not being applied to UserManager

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.9.4, 2.0-M2
  • Fix Version/s: 1.9.4, 2.0-M2
  • Component/s: Security
  • Labels:
    None

Description

UserSecurityAdvice is not being applied to UserManager because of a conflict of the advisorId in applicationContext-service.xml and with the bean id in security.xml. Both have an entry for "userManagerSecurity" The bean from security.xml seems to dominate and thus the UserSecurityAdvice is not applied. The current unit tests do not fail on this problem because the unit test is not configured with the same naming conflicts. Changing the name of the id in one or the other fixes this problem.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Matt Raible added a comment -

Do you have a test case or scenario to prove that this happens?

Show
Matt Raible added a comment - Do you have a test case or scenario to prove that this happens?
Hide
Permalink
Darren Salomons added a comment -

Well spring would have thrown an error if the two were in the same xml file since it wouldn't validate having non-unique keys. But since they are in separate xml files spring is very quiet about the conflict. In fact you would have to be logging up to the INFO threshold to see this... it wasnt until I turned on INFO that I saw exactly what the problem was. I had done a small adhoc attack on upgrading the users role using the firefox Web Developer Toolbar. This toolbar allows you to edit the html live through a sidebar which I can then modify the contents of the hidden input variables(changing user to admin) and then just hitting submit. A very seemless way of testing form hacking. (if you have never used the toolbar its under Miscellaneous->Edit Html) I noticed that it allowed me to upgrade. After messing with the execution pointcuts for a while I found the real problem and this was the output:

INFO - DefaultListableBeanFactory.registerBeanDefinition(327) | Overriding bean definition for bean 'userManagerSecurity': replacing [Root bean: class [org.springframework.aop.aspectj.AspectJPointcutAdvisor]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] with [Root bean: class [org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL file:/Users/digid/Documents/workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/webapps/appfuse-svn/WEB-INF/classes/security.xml]

note how the first bean is saying it will be replced by the second by the one from security.xml

Show
Darren Salomons added a comment - Well spring would have thrown an error if the two were in the same xml file since it wouldn't validate having non-unique keys. But since they are in separate xml files spring is very quiet about the conflict. In fact you would have to be logging up to the INFO threshold to see this... it wasnt until I turned on INFO that I saw exactly what the problem was. I had done a small adhoc attack on upgrading the users role using the firefox Web Developer Toolbar. This toolbar allows you to edit the html live through a sidebar which I can then modify the contents of the hidden input variables(changing user to admin) and then just hitting submit. A very seemless way of testing form hacking. (if you have never used the toolbar its under Miscellaneous->Edit Html) I noticed that it allowed me to upgrade. After messing with the execution pointcuts for a while I found the real problem and this was the output: INFO - DefaultListableBeanFactory.registerBeanDefinition(327) | Overriding bean definition for bean 'userManagerSecurity': replacing [Root bean: class [org.springframework.aop.aspectj.AspectJPointcutAdvisor] ; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null] with [Root bean: class [org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor] ; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in URL file:/Users/digid/Documents/workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/webapps/appfuse-svn/WEB-INF/classes/security.xml ] note how the first bean is saying it will be replced by the second by the one from security.xml

People

  • Assignee:
    Matt Raible
    Reporter:
    Darren Salomons
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: