  • @PreAuthorize and @PostAuthorize not working

    I've just converted a Spring 2.5 web application to Spring 3.0.6 with the intention of using the @PreAuthorize and @PostAuthorize SpEL annotations to protect my repository layer.

    I added the &lt;global-method-security&gt; element to both my root application context and my servlet context, but for some reason it just seems to be ignored: calling a repository method with a role that should be rejected goes through as if no check were applied. Any help would be appreciated.

    Here are my configuration files:

    Fragment of web.xml
    ------------------------

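    <?xml version="1.0" encoding="ISO-8859-1"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                                 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">

      <!-- Root web application context. All of these files are loaded into ONE context,
           so the <global-method-security> declared in security-config.xml and the
           repository beans from repository-config.xml share it - method security only
           proxies beans that live in the same context as the declaration. -->
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
          classpath:/security-config.xml,
          classpath:/repository-config.xml,
          classpath:/webapp-config.xml
        </param-value>
      </context-param>

      <!-- Bootstraps the root web application context before servlet initialization. -->
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>

      <!-- 'user' dispatcher servlet. No contextConfigLocation init-param is given, so Spring
           derives the file from the servlet name: /WEB-INF/user-servlet.xml (the listing
           shown below). The earlier comment naming users-servlet-config.xml was wrong. -->
      <servlet>
        <servlet-name>user</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>

      <!-- Maps all /user URLs to the 'user' servlet. -->
      <servlet-mapping>
        <servlet-name>user</servlet-name>
        <url-pattern>/user/*</url-pattern>
      </servlet-mapping>

      <!-- Delegates to the bean named springSecurityFilterChain that <http> registers in
           the ROOT context. Mapped to /* (wider than the /user/* servlet mapping) so the
           logout URL /logout.html from security-config.xml is still seen by the chain. -->
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>

      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

      <welcome-file-list>
        <welcome-file>forward.jsp</welcome-file>
      </welcome-file-list>
    </web-app>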



    security-config.xml
    ---------------------

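    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns="http://www.springframework.org/schema/security"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
                                     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                                     http://www.springframework.org/schema/security
                                     http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

      <!-- Method security for the ROOT context. This element only creates the security
           interceptor and proxies for beans defined in the context it appears in, which
           (per web.xml) is where repository-config.xml is loaded - so this, not the copy in
           user-servlet.xml, is the declaration that governs @PreAuthorize on the repository
           (presumably defined or component-scanned there; confirm). Only the pre/post SpEL
           annotations are switched on; @Secured / JSR-250 annotations on root beans would be
           ignored. The check is applied by an AOP proxy, so the annotated method must be
           reached through the injected bean - a call from inside the same object
           (this.save(...)) is never intercepted. -->
      <global-method-security pre-post-annotations="enabled"/>

      <!-- auto-config="true" also registers HTTP Basic authentication on top of the
           form-login and logout configured explicitly below; drop it if Basic is not wanted.
           intercept-url rules are evaluated top-down, first match wins, so the permitAll
           entries must stay above the /user/** catch-all. access-denied-page is served by
           ExceptionTranslationFilter and only sees an AccessDeniedException that propagates
           out of the servlet; an MVC exception resolver with a default error view (see
           user-servlet.xml) will pre-empt it for denials raised inside a controller call. -->
      <http auto-config="true"
            use-expressions="true"
            access-denied-page="/user/accessDenied.html">

        <intercept-url pattern="/user/accessDenied.html" access="permitAll" />
        <!-- Error views rendered by exceptionController. Was written /user//*Error.html;
             the doubled slash looked accidental. -->
        <intercept-url pattern="/user/*Error.html" access="permitAll" />
        <!-- Login page: must stay anonymous-accessible or the login redirect loops. -->
        <intercept-url pattern="/user/welcome.html" access="permitAll" />
        <!-- Trailing * presumably keeps these matching when a query string is appended. -->
        <intercept-url pattern="/user/findUser.html*" access="hasRole('ROLE_SUPPORT') and fullyAuthenticated" />
        <intercept-url pattern="/user/supportUser.html*" access="hasRole('ROLE_SUPPORT') and fullyAuthenticated" />
        <!-- Catch-all: everything else under /user/ needs a real (not remember-me) login with
             ROLE_USER. URL rules alone do not stop a ROLE_USER caller from reaching
             support-only repository methods through some other page - that is what the
             @PreAuthorize("hasRole('ROLE_SUPPORT')") on the repository is for. -->
        <intercept-url pattern="/user/**" access="hasRole('ROLE_USER') and fullyAuthenticated" />

        <!-- Failure URL is percent-encoded: a raw space is not valid in a Location header. -->
        <form-login login-page="/user/welcome.html"
                    authentication-failure-url="/user/welcome.html?error=Failed%20Authentication"
                    default-target-url="/user/login.html"/>

        <!-- /logout.html lies outside the /user/* servlet mapping, but the filter chain is
             mapped to /* in web.xml so LogoutFilter still handles it. The
             logoutSuccessHandler bean must be defined in this (root) context. -->
        <logout invalidate-session="true"
                logout-url="/logout.html"
                success-handler-ref="logoutSuccessHandler"/>
      </http>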




    user-servlet.xml
    ------------------

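    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:security="http://www.springframework.org/schema/security"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

      <!-- Configuration for the 'user' dispatcher servlet (a child of the root context). -->

      <!-- Method security for the SERVLET context only: it proxies the beans declared in this
           file (the controllers), not the repositories, which live in the root context and
           are covered by the <global-method-security> in security-config.xml. Unlike that
           declaration, @Secured and JSR-250 annotations are enabled here as well. -->
      <security:global-method-security pre-post-annotations="enabled"
                                       secured-annotations="enabled"
                                       jsr250-annotations="enabled"/>

      <!-- Message source for validation messages. -->
      <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="/WEB-INF/messages/validation" />
      </bean>

      <!-- Handles welcome requests. -->
      <bean id="welcomeController" class="com.gatorsktch.tminup.web.controller.WelcomeController">
        <!-- <constructor-arg ref="userRepository" />
        <constructor-arg ref="messageSource" /> -->
      </bean>

      <!-- Handles login validation requests. -->
      <bean id="loginController" class="com.gatorsktch.tminup.web.controller.LoginController">
        <!-- <constructor-arg ref="userRepository" />
        <constructor-arg ref="messageSource" /> -->
      </bean>

      <!-- Handles register requests. userRepository and the mail senders are not defined in
           this file and are resolved from the parent (root) context. NOTE(review): if
           registration calls UserRepository.save(User), anonymous registrants will be refused
           by its @PreAuthorize("hasRole('ROLE_SUPPORT')") once method security takes effect -
           confirm that is the intended flow. -->
      <bean id="registerController" class="com.gatorsktch.tminup.web.controller.RegisterController">
        <constructor-arg ref="userRepository" />
        <constructor-arg ref="registrationMailSender" />
      </bean>

      <!-- Handles requestPassword requests. -->
      <bean id="requestPasswordController" class="com.gatorsktch.tminup.web.controller.RequestPasswordController">
        <constructor-arg ref="userRepository" />
        <constructor-arg ref="requestedPasswordMailSender" />
      </bean>

      <!-- Handles /*Error requests. -->
      <bean id="exceptionController" class="com.gatorsktch.tminup.web.controller.ExceptionController">
      </bean>

      <!-- Maps exceptions thrown by handlers to error views. Because defaultErrorView is set,
           this resolver handles EVERY exception raised under the dispatcher, including Spring
           Security's org.springframework.security.access.AccessDeniedException thrown by a
           @PreAuthorize check on a repository called from a controller: the user then gets
           the generic "defaultError" view and the security filter's access-denied-page /
           login redirect never run. The AccessDeniedException mapped below is the
           application's own class, which does not match Spring's. Either exclude Spring's
           exception from this resolver (excludedExceptions, where available in your Spring
           version) or map it explicitly to the access-denied view. -->
      <bean id="exceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
        <property name="defaultErrorView" value="defaultError"/>
        <property name="exceptionMappings">
          <value>
            org.apache.commons.fileupload.FileUploadBase$SizeLimitExceededException=fileSizeLimitError
            org.springframework.web.multipart.MaxUploadSizeExceededException=fileSizeLimitError
            java.lang.NullPointerException=nullPointerError
            javax.servlet.ServletException=servletError
            com.gatorsktch.tminup.web.security.AccessDeniedException=accessDeniedError
          </value>
        </property>
      </bean>

      <!-- View name -> view class lookup from views.properties. -->
      <bean id="templateViewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver">
        <property name="basename" value="views"/>
      </bean>

      <!-- Configure Apache Tiles for the view layer. -->
      <bean id="tilesConfigurer" class="org.springframework.web.servlet.view.tiles2.TilesConfigurer">
        <property name="definitions">
          <list>
            <value>/WEB-INF/layouts/layouts.xml</value>
            <value>/WEB-INF/views/views.xml</value>
          </list>
        </property>
      </bean>

      <!-- Resolves view names to Tiles definitions. -->
      <bean id="viewResolver" class="org.springframework.web.servlet.view.UrlBasedViewResolver">
        <property name="requestContextAttribute" value="requestContext"/>
        <property name="viewClass" value="org.springframework.web.servlet.view.tiles2.TilesView"/>
      </bean>

    </beans>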


    Fragment of the User Repository Implementation
    -------------------------------------------------------

    package com.gatorsktch.tminup.internal.repository.impl;

    import org.springframework.security.access.prepost.PreAut horize;
    import org.springframework.stereotype.Repository;
    import org.springframework.transaction.annotation.Transac tional;


    /**
    * Repository used to manage all user related requests.
    * (User, UserProfile, Security &amp; GroupAllocation)
    *
    * @author djwright
    *
    */
    @Repository
    public class HibernateUserRepository extends HibernateRepository implements UserRepository
    {
    /**
     * Creates a Hibernate-backed user repository.
     *
     * @param sessionFactory the Hibernate session factory the base repository uses
     *                       to obtain sessions
     */
    public HibernateUserRepository( SessionFactory sessionFactory )
    {
        super( sessionFactory );
    }

    ...

    /**
     * Persists the given user, first allocating an owner group (when it has none)
     * and a blank {@link Credentials} row for it.
     *
     * Access control: requires ROLE_SUPPORT via {@code @PreAuthorize}. The check is
     * enforced by the AOP proxy that {@code <global-method-security>} creates in the
     * context defining this bean, so it only covers calls arriving through the
     * injected {@link UserRepository} proxy, never calls made from inside this object.
     * The URL rules only demand ROLE_USER for /user/**, so this annotation is what
     * keeps ordinary users from creating users via any page that reaches this method.
     *
     * @param user the user to persist; an owner id of 0 means "allocate a new group"
     * @return the id Hibernate assigned to the saved user
     */
    @PreAuthorize("hasRole('ROLE_SUPPORT')")
    @Transactional
    public Long save( User user )
    {
        Session session = getCurrentSession();

        // An owner id of 0 marks a user without a group yet; give it a fresh one.
        // NOTE(review): getOwnerId() returns a boxed Long - a null value throws an NPE
        // here (user-servlet.xml maps NullPointerException to the nullPointerError view).
        Long requestedOwnerId = user.getOwnerId();
        if ( requestedOwnerId.longValue() == 0 )
        {
            user.setOwnerId( allocateNewOwnerGroupId( session ) );
        }

        // Every user owns an initially empty Credentials entity, stored before the user so
        // its id can be referenced. save( credentials ) is a self-invocation, so it runs
        // inside this method's security/transaction interception rather than its own.
        Credentials blankCredentials = (Credentials) EntityHelper.createUnOwnedEntity( Credentials.class );
        user.setCredentialsId( save( blankCredentials ) );

        return (Long) session.save( user );
    }


