
  • @Secured Is Not Working As Expected


    I have the <global-method-security secured-annotations="enabled" />
    defined in the security context.xml file.

    Then, I annotated a method with @Secured("ADMIN"), but regardless of the role with which I log in, the method runs anyway!

    I've tried using pointcuts as an alternative, but that didn't work either.

    Any ideas why this would be happening would be appreciated.



  • #2
    Did you look at the FAQ? How are you creating the object that is annotated?


    • #3
      Yes, but this didn't resolve the issue.



      • #4
        Originally posted by LondonM
        Yes, but this didn't resolve the issue.

        Ok, so then....

        Originally posted by rwinch
        How are you creating the object that is annotated?

        You either need to use AspectJ or ensure that Spring is creating the object for you. As the FAQ mentions, your global-method-security should be in the same context as your secured bean.


        • #5
          It is.

          The global security tag is in the security context xml file.

          The beans are auto-generated by Spring so are you saying the global security tag needs to be somewhere else? I tried to put it in the web context xml, but the syntax was marked as an error for that file.


          I also tried creating an aspect, but that didn't work either.

          Still missing something here...



          • #6
            Using code tags please post the following:

            Spring configuration files
            Class that is annotated with @Secured
            Class that is using the class that is annotated with @Secured

            You may also want to enable logging and view the logs to see if that helps. If it doesn't it may be good to post the logs too.


            • #7
              I totally appreciate your help here.

              Unfortunately, I'm constrained with what files I can post publicly.

              Thanks very much for your help.


              • #8
                You might try to come up with a minimal example that demonstrates your problem and then post that. This may also help you figure out what is wrong.


                • #9
                  Good idea. Thanks.


                  • #10
                    Since creating an example application with Spring security, MVC, etc., enabled, would also be time consuming, I'm wondering if there's a simple way to turn on "Spring Logging" so I can glean some details.

                    I don't think log4J will work since none of my catch blocks ... "catch" anything when I go to the 403 page.

                    So, in Spring 3, is there a "simple way" to turn on logging so I can see what's going on? I also can't see that the user is injected into the class so it's virtually impossible to understand why the @Secured method is failing.



                    • #11
                      If you include log4j in your classpath, then commons-logging should send logging to log4j. At that point you can provide a file on your classpath that logs everything for spring security out. Keep in mind it should be the only file on your classpath (or at least the one highest on it). Something like this should work:


                      # Everything not configured below is logged at WARN and above
                      log4j.rootLogger = WARN, stdout
                      # Added: the root level is WARN, so Spring Security's own loggers must be raised to DEBUG to see its decisions
                      log4j.logger.org.springframework.security = DEBUG
                      log4j.appender.stdout = org.apache.log4j.ConsoleAppender
                      log4j.appender.stdout.Threshold = DEBUG
                      log4j.appender.stdout.Target   = System.out
                      log4j.appender.stdout.layout = org.apache.log4j.PatternLayout
                      log4j.appender.stdout.layout.ConversionPattern = %d{ISO8601} %-5p [%F] : %m%n

                      If you are having problems getting that to work, I'd suggest looking at commons-logging's doc to ensure log4j is being used and then log4j's site to ensure that you have log4j set up correctly. Of course, there is detailed documentation about other logging options in Spring's reference too.


                      • #12
                        There is no special "Spring Logging". Do a Google search for this and you will see that Spring uses the commons-logging API so you can plug in whatever implementation you want. You should always have debug logging enabled during development to get useful feedback on what's going on.

                        Also, you have started two threads on this, one of which says you are always denied access and this one saying that you are never denied access, so it's not really clear what the problem is. My guess from your description is that your user has an authority called "ADMIN", without the "ROLE_" prefix which is required by the RoleVoter.
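
Added example, not part of the original thread or of Spring's own code: a small Java program that calls Spring Security's RoleVoter directly to show how the "ROLE_" prefix mentioned in #12 affects the vote for different combinations of user authority and @Secured value. It assumes spring-security-core is on the classpath; the class name RoleVoterPrefixCheck, the helper methods and the sample authorities are made up for illustration.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

// Hypothetical helper class for illustration; not part of Spring Security.
public class RoleVoterPrefixCheck {

    // Ask a default RoleVoter (prefix "ROLE_") how it votes when a user holding
    // userAuthority calls a method annotated with @Secured(securedValue).
    static int vote(String userAuthority, String securedValue) {
        Authentication user =
                new TestingAuthenticationToken("user", "n/a", userAuthority);
        Collection<ConfigAttribute> attributes =
                SecurityConfig.createList(securedValue);
        return new RoleVoter().vote(user, new Object(), attributes);
    }

    // Turn the voter's integer result into a readable label.
    static String label(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        // Constructed sample cases: { authority held by the user, @Secured value }
        String[][] cases = {
            {"ADMIN",      "ADMIN"},       // neither side uses the prefix
            {"ADMIN",      "ROLE_ADMIN"},  // annotation prefixed, authority not
            {"ROLE_USER",  "ROLE_ADMIN"},  // prefixed, but a different role
            {"ROLE_ADMIN", "ROLE_ADMIN"},  // prefixed and matching
        };
        for (String[] c : cases) {
            System.out.printf("authority=%-10s @Secured(\"%s\") -> %s%n",
                    c[0], c[1], label(vote(c[0], c[1])));
        }
    }
}
```

A result of ABSTAIN means RoleVoter ignored the attribute entirely, which is what it does for any @Secured value that does not start with "ROLE_"; the final decision is then left to the other voters and the AccessDecisionManager.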