
  • Spring Security and MVC Annotations

    Hi,

    I am using spring security with MVC annotations in my project.
    That was working perfectly until I changed my code to use two servlets.

    My spring security bean is declared in applicationContext.xml
    Code:
    <import resource="beans-security.xml"/>
    My web.xml needs the spring-security bean to be declared in the web app context, as a filter references it.
    Code:
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>  
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    Both of my servlets contain all the MVC beans that use the spring security @Secured annotation. Those beans are automatically created using the following code:
    Code:
    <mvc:annotation-driven />
    <context:component-scan base-package="com.dummyapp.api"/>
    The problem is that the bean security bean needs to be created after the MVC beans are, otherwise spring-security doesn't care about the @Secured annotation.

    Is there a way I can get around that?


    Thank you very much.

  • #2

    The problem is that the bean security bean needs to be created after the MVC beans are, otherwise spring-security doesn't care about the @Secured annotation.
    No it doesn't... You simply need to add the appropriate configuration to your servlets' contexts (it is all about proxy creation, so I suggest a read of the AOP chapter in the reference guide). Simply put, in all servlet context files, the element that enables @Secured (<http:global-method-security />).



    • #3
      Originally posted by Marten Deinum
      No it doesn't... You simply need to add the appropriate configuration to your servlets' contexts (it is all about proxy creation, so I suggest a read of the AOP chapter in the reference guide). Simply put, in all servlet context files, the element that enables @Secured (<http:global-method-security />).
      Thank you very much, it seems to solve the problem. I read another post that said the opposite; the SpringSource forum is definitely a better source.

      However, when I put this code in my context :
      Code:
       <security:global-method-security secured-annotations="enabled" />
      I see this exception :
      Code:
      javax.servlet.ServletException: No adapter for handler ..

      It is working when I remove global-method-security (without security though...)



      • #4
        Which is indeed a problem (which should be fixed in Spring 3.1). There is a proxy being created for your controller and due to that the @Controller and/or @RequestMapping annotation isn't found anymore. If I'm not mistaken this is fixed in Spring 3.1.



        • #5
          Awesome! I owe you a big thank you.

          Updating to Spring 3.1 actually gave me more details about the exception causes, and it turned out that I had an ExceptionHandler that was declaring handleException for the same exception twice, plus I needed to add proxy-target-class="true" to the global-security tag because I am using interfaces.

          Thank you very much for your help.



          • #6
            Originally posted by Marten Deinum
            You simply need to add the appropriate configuration to your servlets contexts... Simply put in all servlet context file the element that enables the @Secured (http:global-method-security).
            @Marten - is it enough to simply define <http:global-method-security/> in the ROOT app-context loaded by ContextLoaderListener or does it need to also be defined in each WEB app-context loaded by DispatcherServlet?



            • #7
              No... Each context needs to have this (not each XML file; all the XML files make up one context). The namespace registers Bean(Factory)PostProcessors, and those operate only on the context in which they are defined.
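
The configuration this thread arrives at, as an added example that is not code posted by any participant: one DispatcherServlet context file that scans the @Secured controllers and enables method security in that same context. The file name `api-servlet.xml` and the unversioned schema locations are assumptions; the `security:` prefix and `proxy-target-class="true"` follow posts #3 and #5.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- api-servlet.xml (hypothetical name): the context of ONE DispatcherServlet.
     With two servlets there are two such contexts, and each one needs its
     own global-method-security element. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/mvc
         http://www.springframework.org/schema/mvc/spring-mvc.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The annotated controllers are created in this child context. -->
    <mvc:annotation-driven />
    <context:component-scan base-package="com.dummyapp.api"/>

    <!-- The post-processor that wraps @Secured beans in a security proxy only
         sees beans of the context it is declared in. If this element lives
         only in the root context, @Secured on the controllers above is
         ignored and the handler methods run without an authorization check. -->
    <security:global-method-security secured-annotations="enabled"
                                     proxy-target-class="true" />

    <!-- beans-security.xml stays imported in applicationContext.xml (root
         context), because the springSecurityFilterChain filter declared in
         web.xml is resolved from there. -->
</beans>
```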
