
    SecurityException that shouldn't be thrown

    Hello,

    I am using SmartGWT Power:
    (SC_SNAPSHOT-2011-05-31/PowerEdition Deployment 2011-05-31)

    ... and am experiencing a problem.

    My app has one 'page' with public data, a list of Courses (building a course enrollment system). This page is to show students what courses are there.

    The rest of the course management system is secured by Spring Security 3. To allow this public page 'through' I created the following operationBinding:
    Code:
    <DataSource ID="CourseEdition" serverType="sql" tableName="CourseEdition"> 
    ...
      <operationBindings> 
        <operationBinding 
               operationType="fetch" 
               operationId="managersCourseFetchPublic" 
               dataURL="/generatedcode/sc/PublicIDACall"> 
           ...
        </operationBinding> 
        ... 
    </operationBindings>
    As you can see, it has a different dataURL, pointing to my public version of the IDACall servlet. This is the default IDACall from SmartGWT. For secure stuff I use my own extended version of IDACall; this whole SecureIDACall.java is secured by Spring Security, as an extra security measure.

    The servlet is called, and the query works, but I get this error:
    Code:
    java.lang.SecurityException: DataSource 'CourseEdition', operationType 'fetch', operationId 'managersCourseFetchPublic'.  No authenticated user
    	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1534)
    	at com.isomorphic.servlet.IDACall.handleDSRequest(IDACall.java:199)
    	at com.isomorphic.servlet.IDACall.processRPCTransaction(IDACall.java:156)
    	at com.isomorphic.servlet.IDACall.processRequest(IDACall.java:121)
    	at com.isomorphic.servlet.IDACall.doPost(IDACall.java:73)
    ...
    Why is this error showing? I know there is no authenticated user, and specified the operationBinding to be public, but what am I missing?

    #2
    The setting that would make that DataSource accessible without an authenticated user is requiresAuthentication="false".



      #3
      So not setting it is not equal to 'false'?

      Anyway, setting this gives the following (slightly different) error:

      Code:
      java.lang.SecurityException: DataSource 'CourseEdition', operationType 'fetch', operationId 'managersCourseFetchPublic'.  requiresAuthentication was not set, but requiresRole was.  Roles cannot be checked without an authenticated user
      	at com.isomorphic.datasource.DSRequest.execute(DSRequest.java:1534)
      	at com.isomorphic.servlet.IDACall.handleDSRequest(IDACall.java:199)
      	at com.isomorphic.servlet.IDACall.processRPCTransaction(IDACall.java:156)
      	at com.isomorphic.servlet.IDACall.processRequest(IDACall.java:121)
      The operationBinding then looks like:
      Code:
      <operationBinding operationType="fetch"
                        operationId="managersCourseFetchPublic"
                        requiresAuthentication="false"
                        dataURL="/generatedcode/sc/PublicIDACall">
        ...
      </operationBinding>
      So I am slightly confused now :-) Any ideas?



        #4
        Not setting requiresAuthentication inherits the system-wide setting, which must be true for you.

        Role requirements are cumulative between DataSource-level and operationBinding-level settings. So this message means you've got roles required on the <DataSource> tag.



          #5
          Fixed it. I added requiresRole="" to this specific operationBinding.

          My <datasource> tag does not have any requiresRole attributes by the way, but anyway, this works.
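
An added example, not part of the original posts and not SmartGWT code: a small audit that reads a DataSource descriptor and reports, per operationBinding, whether it is declared public, authenticated, or in the conflicting state from post #3 (roles required while authentication is off). It assumes a binding-level requiresAuthentication overrides a DataSource-level one, takes the system-wide default as the hypothetical parameter `system_requires_auth`, and uses a constructed sample in which the second binding and the role name "manager" are invented.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor modelled on the thread's CourseEdition DataSource.
# The second binding and the role name "manager" are invented for illustration.
SAMPLE_DS = """
<DataSource ID="CourseEdition" serverType="sql" tableName="CourseEdition">
  <operationBindings>
    <operationBinding operationType="fetch"
                      operationId="managersCourseFetchPublic"
                      requiresAuthentication="false"
                      requiresRole=""
                      dataURL="/generatedcode/sc/PublicIDACall"/>
    <operationBinding operationType="update" requiresRole="manager"/>
  </operationBindings>
</DataSource>
"""

def split_roles(value):
    """Turn a comma-separated requiresRole value into a set; None or "" gives an empty set."""
    return {r.strip() for r in (value or "").split(",") if r.strip()}

def audit_bindings(ds_xml, system_requires_auth=True):
    """Return one finding per operationBinding, based only on what the descriptor declares."""
    ds = ET.fromstring(ds_xml)
    ds_roles = split_roles(ds.get("requiresRole"))
    ds_auth = ds.get("requiresAuthentication")
    findings = []
    for ob in ds.iter("operationBinding"):
        # Assumption: binding-level setting wins, then DataSource-level, then system-wide.
        declared = ob.get("requiresAuthentication", ds_auth)
        needs_auth = system_requires_auth if declared is None else declared.lower() == "true"
        # Roles are cumulative between the DataSource and the binding (post #4).
        roles = ds_roles | split_roles(ob.get("requiresRole"))
        if not needs_auth and roles:
            status = "conflict: roles required but no authentication"
        elif not needs_auth:
            status = "public"
        else:
            status = "authenticated"
        findings.append({
            "operation": ob.get("operationId") or ob.get("operationType"),
            "dataURL": ob.get("dataURL"),
            "roles": sorted(roles),
            "status": status,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_DS):
        print(finding)
```

Running this over every descriptor in a project gives a reviewable list of operations that are reachable without a login, which is worth checking against the URLs the Spring Security configuration leaves open.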
