
  • HttpInvoker and @Secured


    I'm trying to secure a WebService exposed with HttpInvoker.
    My "security context file" is as follows:

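    <sec:global-method-security secured-annotations="enabled" />

    <sec:http auto-config="false" realm="ism realm" use-expressions="true">
        <sec:http-basic />
        <sec:intercept-url pattern="/ws/**" access="hasRole('ROLE_ADMIN')" />
    </sec:http>

    <sec:authentication-manager>
        <sec:authentication-provider>
            <sec:user-service>
                <sec:user name="admin" password="admin" authorities="ROLE_ADMIN" />
            </sec:user-service>
        </sec:authentication-provider>
    </sec:authentication-manager>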

    The interface of my service is:

    import java.util.List;
    import org.springframework.security.access.annotation.Secured;

    public interface INewsManager {
        public List<News> findAllNews();
    }

    You can see that the role used in the annotation is not the same as in my configuration file.

    And you know what? I'm able to receive the response from my WebService :-(

    Of course, my "client" is "admin", so if I change my configuration file and say authorities="ROLE_TELLER", my client is not able to call my WebService (I mean that the config of the HttpInvoker and the use of "commons httpclient" work).

    Any idea?

    I use Spring Security 3.0.5.

  • #2
    The solution is in the thread:
    beans must be defined after the global-method-security tag, so in the same file; putting them just after it works!
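
The arrangement reply #2 describes, written out as an added example that is not part of the original thread: the `global-method-security` element comes first and the service bean and its HttpInvoker exporter follow it in the same file. The bean names, the `com.example.news` package and the `NewsManagerImpl` class are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: bean names and com.example.* classes are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Declared first, in the same file (and therefore the same application
         context) as the beans whose @Secured methods must be enforced.
         Method security only wraps beans of the context it is declared in. -->
    <sec:global-method-security secured-annotations="enabled" />

    <!-- Service implementation (hypothetical class). Its interface,
         INewsManager, carries the @Secured annotation. -->
    <bean id="newsManager" class="com.example.news.NewsManagerImpl" />

    <!-- HttpInvoker endpoint. It receives the secured proxy of newsManager,
         so every remote call passes through the @Secured check.
         Mapping the URL by bean name is an assumption about the servlet setup. -->
    <bean name="/newsManager"
          class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
        <property name="service" ref="newsManager" />
        <property name="serviceInterface" value="com.example.news.INewsManager" />
    </bean>

</beans>
```

With this layout, a caller authenticated as `admin` with only `ROLE_ADMIN` passes the `/ws/**` URL rule but is refused by any method whose `@Secured` annotation names a different role.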