Announcement Announcement Module
Collapse
No announcement yet.
HttpInvoker and @Secured Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • HttpInvoker and @Secured

    hey,

    I'm trying to secure a WebService exposed with HttpInvoker
    My "security context file" is as follow

    <sec:global-method-security secured-annotations="enabled" />

    <sec:http auto-config="false" realm="ism realm" use-expressions="true">
    <sec:http-basic />
    <sec:intercept-url pattern="/ws/**" access="hasRole('ROLE_ADMIN')" />
    </sec:http>
    <sec:authentication-manager>
    <sec:authentication-provider>
    <sec:user-service>
    <sec:user name="admin" password="admin" authorities="ROLE_ADMIN" />
    </sec:user-service>
    </sec:authentication-provider>
    </sec:authentication-manager>


    The interface of my service is :

    import org.springframework.security.access.annotation.Sec ured;

    public interface INewsManager {
    @Secured("ROLE_USER")
    public List<News> findAllNews();
    }


    You can see that the role used in the annotation is not the same than in my configuration file

    And you know what ? I'm able to receive the response from my WebService :-(

    Of course, my "client" is "admin" so if I change my configuration file and say authorities="ROLE_TELLER", my client is not able to call my WebService (I mean that the config of the HttpInvoker and the use of "commons httpclient" works)

    Any idea ?


    I use Srping security 3.0.5

  • #2
    the solution is in the thread http://forum.springsource.org/showth...ns-not-working
    beans must be defined after the global-method-security tag, so in the same file, just after works !

    Comment

    Working...
    X