@Secured ("ROLE_ADMIN") not working for me in my controller...
    ...but it is working in my service layer. It has to be something with my configuration but I can't seem to figure it out. Another set of eyes might help:

    security config:
    	<global-method-security secured-annotations="enabled" />
    	<http use-expressions="true" access-denied-page="/accessDenied.jsp">
    		<intercept-url pattern="/accessDenied.jsp" filters="none" />
    		<intercept-url pattern="/login.jsp" filters="none" />
    		<intercept-url pattern="/resources/**" filters="none" />
    		<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    		<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" />
    		<logout logout-success-url="/login.jsp?logout=1"/>
    	</http> <!-- closing tag was missing from the pasted fragment -->
    The intercept url for /** may be the (or one of the) problem(s) but even when I remove it I still am able to get to the controller on a method I secured with an annotation:

    	@Secured ("ROLE_ADMIN")
    	@RequestMapping(value="/DeleteRoot", method=RequestMethod.GET)
    	public ModelAndView deleteRoot(@RequestParam(value="rootToDelete") long rootId) {
    		Node rootNode = nodeService.getNode(rootId);
    		if (!rootNode.isPublished()) {
    			return home();
    		}
    		// remainder of the method was cut off in the post; this return only makes the fragment compile
    		return home();
    	}
    Just out of curiosity I added the annotation to my service and it worked (meaning I got a 403 Access is denied error as I would have expected):
    	@Secured ("ROLE_ADMIN")
    	public void deleteRoot(long rootId) {
    		// method body omitted in the post
    	}
    So my question is how come it works in my service but not in the controller. What am I missing? Thanks to anyone who can provide some direction. I am using spring security 3.0.5, spring 3.0.5.

  • #2
    I suggest the search as this question has been answered before.

    Short answer: Bean(Factory)PostProcessors operate only on the context they are defined in. Your security configuration and services are (assumed to be) in the root application context (ContextLoaderListener); your controllers are in the web context (a child of the root context). AOP of the root isn't applied to the child (and vice versa).
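The fix that follows from the explanation in #2, as an added example that is not part of the original thread: declare `global-method-security` in the DispatcherServlet's own context, the one that actually instantiates the controller beans, because the post-processor that wraps `@Secured` beans in security proxies only sees the beans of the context it is declared in. The file names `security-config.xml` and `dispatcher-servlet.xml`, the servlet name `dispatcher`, and the package `com.example.web` are assumptions; the rest mirrors the poster's setup.

```xml
<!-- web.xml (assumed layout): ContextLoaderListener builds the ROOT context from
     security-config.xml; DispatcherServlet builds a CHILD context from
     /WEB-INF/dispatcher-servlet.xml (default name: [servlet-name]-servlet.xml). -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/security-config.xml</param-value>
</context-param>
<servlet>
    <servlet-name>dispatcher</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- /WEB-INF/dispatcher-servlet.xml (child context, where the controllers live).
     The one change from the poster's configuration: method security is enabled
     HERE as well. Leaving it only in security-config.xml (root context) secures
     the service beans but never proxies the controllers, which is exactly the
     symptom described in the question. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- assumed package; this scan is what creates the controller beans in the child context -->
    <context:component-scan base-package="com.example.web"/>

    <!-- proxy-target-class="true" forces CGLIB subclass proxies. With the default JDK
         interface proxies, a controller that implements any interface would be replaced
         by a proxy that no longer carries its @RequestMapping annotations, and the
         handler mapping would silently stop routing to it. -->
    <security:global-method-security secured-annotations="enabled" proxy-target-class="true"/>
</beans>
```

The check after making this change: log in as a user who holds only ROLE_USER and request `/DeleteRoot?rootToDelete=1`; the `/**` rule still lets the request through the filter chain, but the method interceptor on the controller should now throw AccessDeniedException and you should land on `/accessDenied.jsp`, the same 403 behaviour the poster observed when the annotation sat on the service. Keep the annotation on the service layer too: the URL rule and the controller annotation are the outer layers, but the service method is the one that is reachable from every caller, so it is the place where the check must never be bypassed.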