Spring ignores security annotations

  • Spring ignores security annotations


    I tried to add security constraints at method level. I added the following line to my applicationContext-security.xml:
    	<!-- Allows method level security -->
    	<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
    Then I tried to secure my method like this:
    	public boolean updateUserProfile(UserAccountDTO acc) {
    		System.out.println("Role: " + UserDetailsServiceImpl.getCurrentRole());
    		// ...
    	}
    I want only principals with ROLE_ADMIN to be able to call this method. The sysout returns "ROLE_USER", so I expected a security exception. But nothing happens; all code following the sysout is executed, even though it shouldn't be.

  • #2
    Check if your object is proxied, and also make sure you use the object as configured in the application context. Also make sure that the method security is in the SAME application context as the bean you want to protect. If you put the method security in the root context (ContextLoaderListener) and your bean in the DispatcherServlet's context, it isn't going to work (or vice versa). Also make sure that if you use component scanning you are only scanning the classes once and not twice (in both the ContextLoaderListener and the DispatcherServlet).


    • #3
      I used the following sysout to check if the object gets proxied:
      System.out.println(UserDetailsServiceImpl.getCurrentRole() + " " + this.getClass());
      The sysout shows the normal class name, so I guess we can rule this out.

      I'm using spring Roo but the security stuff is integrated there.

      The method level security is defined in the applicationContext-security.xml as follows:
      <!-- Allows method level security -->
      <global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />
      The Services are scanned automatically like this:
      <context:component-scan base-package="" />
      This line is defined in the applicationContext.xml.

      So I guess the thing with the context should be OK as well? How can I get the current context or check if it's the same?


      • #4
        getClass() will always return the non-proxied class when using JDK proxies, because you are already inside the proxy...

        Post your web.xml and servlet configuration.
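The two checks proposed in #2 and #4 (is the bean really proxied, and is `<global-method-security>` in the same context as the bean) can be done from a small diagnostic bean instead of a sysout inside the service. The code below is an added example written for this thread; it is not from the original posts, from Spring Roo or from Spring Security itself. It assumes Spring Security 3.x with the XML `<global-method-security>` element, which registers a `MethodSecurityInterceptor` bean (newer versions use different interceptor classes), that the diagnostic is picked up by the same component-scan as the service, and a bean name `userService`, which is invented for the example.

```java
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanFactoryUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.stereotype.Component;

/**
 * Diagnostic for "my @Secured / @PreAuthorize annotation is ignored".
 * Assumption: this class is scanned into the same context as the service it inspects.
 * Call report("userService") from a controller or at startup; "userService" is an
 * assumed bean name, not one taken from the thread.
 */
@Component
public class MethodSecurityDiagnostic implements ApplicationContextAware {

    private ApplicationContext ctx;

    @Override
    public void setApplicationContext(ApplicationContext ctx) throws BeansException {
        this.ctx = ctx;
    }

    public String report(String beanName) {
        StringBuilder out = new StringBuilder();

        // 1. Is the object the container hands out a proxy? This must be checked from
        //    OUTSIDE the bean: inside the target, this.getClass() is always the raw class,
        //    because the proxy simply delegates to the unproxied instance (see #4).
        Object bean = ctx.getBean(beanName);
        out.append("proxied:         ").append(AopUtils.isAopProxy(bean)).append('\n');
        out.append("target class:    ").append(AopUtils.getTargetClass(bean).getName()).append('\n');
        out.append("runtime class:   ").append(bean.getClass().getName()).append('\n');

        // 2. Which context defines the bean? Walk up the parent chain; the root context
        //    created by ContextLoaderListener is the parent of the DispatcherServlet context.
        ApplicationContext owner = ctx;
        while (owner != null && !owner.containsLocalBean(beanName)) {
            owner = owner.getParent();
        }
        out.append("bean defined in: ")
           .append(owner == null ? "(not found)" : owner.getId()).append('\n');

        // 3. Is method security registered in THAT context? The auto-proxy creator that
        //    <global-method-security> installs is a BeanPostProcessor, and post-processors
        //    only see beans created in their own context, so an interceptor in the parent
        //    never wraps a bean defined in the child (or vice versa), exactly as #2 says.
        //    getBeansOfType() is local to one context; the BeanFactoryUtils variant also
        //    searches ancestors, so the two together tell us where the interceptor lives.
        boolean local = owner != null
                && !owner.getBeansOfType(MethodSecurityInterceptor.class).isEmpty();
        boolean anywhere = !BeanFactoryUtils
                .beansOfTypeIncludingAncestors(ctx, MethodSecurityInterceptor.class).isEmpty();
        out.append("method security in the bean's own context: ").append(local).append('\n');
        out.append("method security only in an ancestor:       ")
           .append(anywhere && !local).append('\n');

        if (!AopUtils.isAopProxy(bean)) {
            out.append(local
                ? "WARNING: interceptor is local but the bean is not proxied; check that the "
                  + "class is not scanned (and instantiated) a second time elsewhere.\n"
                : "WARNING: move <global-method-security> into the context that defines "
                  + "this bean, or move the bean into the context that has it.\n");
        }
        return out.toString();
    }
}
```

With JDK proxies the runtime class printed in step 1 is a `$Proxy` class and the target class is the service itself; with CGLIB proxies the runtime class is a generated subclass. If `proxied` is `false` while the interceptor exists only in an ancestor context, the annotations are silently ignored, which is the symptom in #1.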


        • #5
          Hi again, I found the problem:
          In Spring Roo, you must declare the method security config in the Spring MVC configuration file instead of the application security configuration file. Otherwise different contexts will exist, as you proposed.
          Thanks for your help.