  • Pre/PostAuthorize annotations not working

    Hello

    I'm using Spring 3.0.6 and Spring Security 3.0.7 and method protection annotations just don't work. Here is my configuration.

    web.xml

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>sitemesh</filter-name>
        <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>sitemesh</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/securityApplicationContext.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    securityApplicationContext.xml


    <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schem...-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">

    <security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled" jsr250-annotations="enabled"/>

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/genres/create" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
    </security:http>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <security:user-service>
                <security:user name="user1" password="user1" authorities="ROLE_USER"/>
                <security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>


    </beans>

    I'm protecting the method on my service interface this way:

    public interface AlbumGenreService {

        @PreAuthorize("hasRole('ROLE_ADMIN')")
        public void deleteGenre(Integer genreId);

    }

    and then invoking the method in the controller:

    @RequestMapping(value="/genres/delete/{genreId}")
    public String deleteGenre(@PathVariable("genreId") Integer genreId, Model model) {

        albumGenreService.deleteGenre(genreId);

        return "redirect:/genres/view";
    }

    When I log in with ROLE_USER role and try to delete the genre, the access to the protected method is granted and the genre is deleted.

  • #2
    If someone is facing the same problem, the solution is trivial. You have to enable method security annotations in the root application context, where the service bean declaration is defined.

    Cheers

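One way to apply the fix from #2, shown as an added example that is not part of the original thread: the `global-method-security` element goes into the same context file that declares the service bean. It assumes the `AlbumGenreService` bean is declared in `/WEB-INF/applicationContext.xml` (the file the DispatcherServlet loads in the web.xml above); the class name `com.example.music.AlbumGenreServiceImpl` is hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /WEB-INF/applicationContext.xml: loaded by the DispatcherServlet, so it is a
     child of the root context built from securityApplicationContext.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">

    <!-- Method security is applied by a bean post-processor, and a post-processor
         only sees beans of the context it is declared in. The element in the root
         context therefore never wraps a service declared here; declaring it in this
         file makes this context build the security proxy around the service. -->
    <security:global-method-security pre-post-annotations="enabled"/>

    <!-- Assumption: hypothetical implementation of the AlbumGenreService interface
         from the post. The @PreAuthorize on the interface method is enforced once
         the bean is proxied. -->
    <bean id="albumGenreService" class="com.example.music.AlbumGenreServiceImpl"/>

    <!-- Alternative with the same effect: leave global-method-security in
         securityApplicationContext.xml and move the service bean declaration
         into that file, so both live in the root context. -->
</beans>
```

With this in place, a `user1` session that reaches `deleteGenre` gets an `AccessDeniedException` instead of the delete. The `/*` URL rule in the posted configuration matches a single path segment under Ant-style matching, so `/genres/delete/{genreId}` has no URL-level rule and the annotation is the only check on it.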