Confluex / Zuul

Keymaster and Gatekeeper - Application Configuration Management
http://confluex.com
Apache License 2.0

How to avoid authentication of RESTful web services #88

Closed muneesmajid closed 8 years ago

muneesmajid commented 9 years ago

I have seen the source code of the zuul service. There are @PreAuthorize annotations on the methods of the RESTful web services. When I disabled global method security for pre-post annotations, it threw an error:

org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'anonymousUser' with class 'java.lang.String' to class 'org.devnull.security.model.User'

psmith commented 9 years ago

Is this a question, a request? I'm not understanding something.

muneesmajid commented 9 years ago

I disabled global-method-security pre-post-annotations in WEB-INF/classes/security-context.xml like this

<s:global-method-security pre-post-annotations="disabled" secured-annotations="enabled"
                          authentication-manager-ref="authenticationManager">
    <s:expression-handler ref="methodExpressionHandler"/>
</s:global-method-security>

It threw an exception when I called the web service http://mydomain/zuul/settings/dev/hr-services-config.properties with the POST method.

Exception: org.codehaus.groovy.runtime.typehandling.GroovyCastException: Cannot cast object 'anonymousUser' with class 'java.lang.String' to class 'org.devnull.security.model.User'

psmith commented 8 years ago

I'm trying to get a clear understanding of what exactly you want. In another issue, you post asking if we have authentication/authorization, and we should add it if we don't. Here, you post stating there are errors if you turn off authentication/authorization. So, that leaves me a bit confused.

Are you saying you want to be able to disable security completely? If so, why would you want such a feature? I can tell you now, if that is what you want, it will be at the end of the things to add in priority.

muneesmajid commented 8 years ago

Can I disable security by disabling global-method-security pre-post-annotations in WEB-INF/classes/security-context.xml?

psmith commented 8 years ago

What is your use case for wanting to completely disable security? If there is a good, valid reason, we can reopen this. I think the following answers what you want:

If all you are wanting is to access the properties file, you should have been able to already, without making any of those changes. Please review the following, and make note of the access control section, especially permitAll. Make your modifications to that file if need be.

As noted in issue https://github.com/Confluex/Zuul/issues/87, see https://github.com/Confluex/Zuul/wiki/Security and https://github.com/Confluex/Zuul/wiki/Client-Integration

muneesmajid commented 8 years ago

We are using a Java web application and also a standalone application. We need to write properties without being prompted with a login page.

psmith commented 8 years ago

By write, are you talking about pushing properties to the server, or to the client? By default, everyone should already have the ability to read/view properties files.

Either way, just changing the access control list to permitAll for the URLs you want everyone to have access to should work. Did you try that yet? See https://github.com/Confluex/Zuul/wiki/Security Since somewhere else you mention a POST to http://mydomain/zuul/settings/dev/hr-services-config.properties, I assume you want to add the following: <intercept-url pattern="/settings/**/*.properties" access="permitAll" method="POST"/> or change the existing <intercept-url pattern="/settings/**/*.properties" access="permitAll" method="GET"/> setting to <intercept-url pattern="/settings/**/*.properties" access="permitAll" />

Furthermore, I'd think you would really want authentication/authorization unless you store nothing of value in your properties files.

Something like: http://javattitude.com/2014/06/07/spring-security-custom-token-based-rest-authentication/ or http://blog.jdriven.com/2014/10/stateless-spring-security-part-2-stateless-authentication/
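As an added example (this is not Zuul's own security-context.xml, and it was not posted by either participant), here is the shape of the intercept-url change discussed above, together with the alternative a practitioner would normally choose: keep GET open, require an authenticated user for POST, and let the standalone client authenticate with HTTP Basic on each request so it never sees a login page. It uses the Spring Security XML namespace with the s: prefix that the snippet earlier in the thread already uses; the role name ROLE_ADMIN and the login page path are assumptions. The reason to prefer this over permitAll on POST is visible in the exception quoted above: Spring Security represents an anonymous caller with the String principal "anonymousUser", so any service code that casts the principal to org.devnull.security.model.User fails for unauthenticated writes, while a Basic-authenticated request carries a real User.

```xml
<!-- Added example, not the project's security-context.xml.
     Assumes the Spring Security 3.x XML namespace (prefix s:) used elsewhere in this
     thread; ROLE_ADMIN, the authenticationManager bean id and /login are assumptions. -->
<s:http use-expressions="true" authentication-manager-ref="authenticationManager">

    <!-- Weak setting discussed in the thread: anyone, including anonymous callers,
         can overwrite property files.  Shown commented out for comparison.
    <s:intercept-url pattern="/settings/**/*.properties" access="permitAll" />
    -->

    <!-- Preferred: reads stay public, writes need an authenticated user holding
         ROLE_ADMIN, so the principal is a User object rather than "anonymousUser". -->
    <s:intercept-url pattern="/settings/**/*.properties" method="GET"  access="permitAll" />
    <s:intercept-url pattern="/settings/**/*.properties" method="POST" access="hasRole('ROLE_ADMIN')" />
    <s:intercept-url pattern="/login"                    access="permitAll" />
    <s:intercept-url pattern="/**"                       access="isAuthenticated()" />

    <!-- HTTP Basic lets a non-browser client authenticate on every request by sending
         an Authorization header, with no redirect to a login page. -->
    <s:http-basic />

    <!-- Browser users still get the form login. -->
    <s:form-login login-page="/login" />

    <!-- Anonymous filter stays enabled so permitAll GET requests work without credentials. -->
    <s:anonymous />
</s:http>
```

With both form-login and http-basic configured, an unauthenticated request is sent to the login page, so the standalone client must include the Basic Authorization header on the POST up front (for example curl -u user:password) rather than wait for a 401 challenge; the BasicAuthenticationFilter then authenticates it before the entry point is reached. Credentials should travel over HTTPS only.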