Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Injecting views as secured proxies cause strange side effects #270

Closed
peholmst opened this issue Feb 18, 2016 · 5 comments
Closed

Injecting views as secured proxies cause strange side effects #270

peholmst opened this issue Feb 18, 2016 · 5 comments
Assignees
@peholmst
Labels
bug security
Milestone
0.0.7.RELEASE

Comments

@peholmst
Copy link
Owner

When adding @Secured to views, they are injected as proxies into the view provider. This causes strange side effects in the UI.
@peholmst peholmst self-assigned this Feb 18, 2016
@peholmst peholmst added this to the 0.0.7.RELEASE milestone Feb 18, 2016
@peholmst
Copy link
Owner Author

This also applies to @PreAuthorize views, which essentially renders the PreAuthorizeViewInstanceAccessControl useless.

@aricooperman
Copy link

I had this issue with my views that had @PreAuthorize on them and had to change them to @secured to work as if I used PreAuthorize I get a class cast exception in PreInvocationAuthorizationAdviceVoter:

java.lang.ClassCastException: [[My View Class]] cannot be cast to org.aopalliance.intercept.MethodInvocation
    at org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter.vote(PreInvocationAuthorizationAdviceVoter.java:25) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:62) ~[spring-security-core-4.0.3.RELEASE.jar:4.0.3.RELEASE]
    at org.vaadin.spring.security.navigation.PreAuthorizeViewInstanceAccessControl.isAccessGranted(PreAuthorizeViewInstanceAccessControl.java:89) ~[vaadin-spring-ext-security-0.0.7-SNAPSHOT.jar:na]
    at com.vaadin.spring.navigator.SpringViewProvider.isAccessGrantedToViewInstance(SpringViewProvider.java:349) ~[vaadin-spring-1.0.0.jar:1.0.0]
    at com.vaadin.spring.navigator.SpringViewProvider.getViewFromApplicationContextAndCheckAccess(SpringViewProvider.java:313) ~[vaadin-spring-1.0.0.jar:1.0.0]
    at com.vaadin.spring.navigator.SpringViewProvider.getViewFromApplicationContext(SpringViewProvider.java:296) ~[vaadin-spring-1.0.0.jar:1.0.0]
    at com.vaadin.spring.navigator.SpringViewProvider.getView(SpringViewProvider.java:274) ~[vaadin-spring-1.0.0.jar:1.0.0]

I changed it back to Secured and it seems to work fine even though it is proxied

@peholmst
Copy link
Owner Author

The problem is that the proxied views work sometimes and sometimes not. If you refresh a page with a proxied view in it, you will sometimes get an error complaining that the proxy class is not in the widgetset. This kind of behavior cannot be accepted in a real application.

@peholmst
Copy link
Owner Author

Looks like CGLIB proxies work.

@aricooperman
Copy link

Yeah, mine are CGLIB as I extends a base view class. Don't seem to have any
issues unless I use @PreAuthorize

On Fri, Feb 19, 2016 at 12:10 AM Petter Holmström notifications@github.com
wrote:

Looks like CGLIB proxies work.


Reply to this email directly or view it on GitHub
#270 (comment)
.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peholmst peholmst

Labels
bug security
Projects
None yet
Milestone
0.0.7.RELEASE
Development

No branches or pull requests
2 participants
@peholmst @aricooperman