
  • @PostAuthorize not working

    Hi,

    The following problem has been driving me insane:

    I have the following setup:

    - interface StudyService
    - @Service StudyServiceImpl implements StudyService
    - @Controller StudyServiceController implements StudyService
    - SampleDAOImpl implements SampleDAO
    - A permissionEvaluator CdmPermissionEvaluator

    Code:
    class SampleDAOImpl implements SampleDAO {
    ...
        @Secured(Roles.USER)
        @PostAuthorize("hasPermission(returnObject, 'read')")
        Sample load(long sampleId) {
            ...
        }
    ...
    }
    The @Secured works, as I have to log in when that is present. However, the @PostAuthorize doesn't work, even when I comment out the @Secured. I have a logging statement in CdmPermissionEvaluator.hasPermission(), and it never gets logged. This is also the case when I comment out the @Secured annotation (to avoid that the @PostAuthorize doesn't get evaluated because of the default AffirmativeBased voter).

    Relevant parts of web.xml:

    Code:
    ...
      <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    ...
      <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>*.rpc</url-pattern>
      </servlet-mapping>
    ...
    Relevant parts of spring-servlet.xml:

    Code:
    ...
      <security:global-method-security secured-annotations="enabled"/>
      <context:annotation-config/>
    
      <!-- Auto-detect controllers; these extend RemoteServiceServlet and are -->
      <!-- annotated with @Controller -->
      <context:component-scan base-package="org.gmeb.crf.server">
        <context:include-filter type="annotation"
      			    expression="org.springframework.stereotype.Controller"/>
      </context:component-scan>
    ...
    Relevant parts of applicationContext.xml:

    Code:
      <context:annotation-config/>
    
      <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
    
      <context:component-scan base-package="org.gmeb.crf">
        <context:exclude-filter type="annotation"
    			    expression="org.springframework.stereotype.Controller"/>
      </context:component-scan>
    Relevant parts of applicationContext-security.xml:

    Code:
      <http auto-config="true" entry-point-ref="authenticationEntryPoint"
            create-session="always" use-expressions="true">
        <intercept-url pattern="/**" access="permitAll()"/>
        <form-login authentication-success-handler-ref="authenticationSuccessHandler"
                    authentication-failure-handler-ref="authenticationFailureHandler"/>
        <logout success-handler-ref="logoutSuccessHandler"/>
        <anonymous/>
      </http>
    ...
      <global-method-security pre-post-annotations="enabled"> <!-- TODO: Add proxy-target-class="true" -->
        <expression-handler ref="expressionHandler"/>
      </global-method-security>
    
      <beans:bean id="expressionHandler"
                  class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="permissionEvaluator" ref="cdmPermissionEvaluator"/>
      </beans:bean>
    
      <beans:bean id="loggerListener"
                  class="org.springframework.security.authentication.event.LoggerListener"/>
    
      <context:annotation-config/>
    
      <beans:bean id="cdmPermissionEvaluator" class="org.gmeb.crf.server.auth.CdmPermissionEvaluator">
      </beans:bean>
    Any idea what I'm doing wrong here?

    Before I had this setup I had @PostAuthorize annotations with Spring EL expressions (no permissionEvaluator) in @Service StudyServiceImpl, and that worked. So what am I doing wrong, and what's the difference with the previous setup?

    Thanks in advance,

    Arnaud
    Last edited by installe; Jan 30th, 2012, 12:39 PM.
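
The post declares `global-method-security` twice: in spring-servlet.xml with only `secured-annotations="enabled"`, and in applicationContext-security.xml with `pre-post-annotations="enabled"`. That element only advises beans defined in the application context where it is declared. The following is an added example, not code from the original post or from Spring: the hypothetical `MethodSecurityProbe` helper (its name, method and parameters are assumptions) lists which context holds a bean of a given type and which security attributes the method-security advice resolves for one of its methods.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;

// Hypothetical diagnostic helper; not part of the original post or of Spring.
public final class MethodSecurityProbe {

    // Walks from the given context up through its parents and reports, for each
    // bean of beanType, the security attributes resolved for the named method.
    public static <T> List<String> describe(ApplicationContext start, Class<T> beanType, String methodName) {
        List<String> report = new ArrayList<String>();
        for (ApplicationContext ctx = start; ctx != null; ctx = ctx.getParent()) {
            // getBeansOfType() ignores parent contexts, so a bean defined in both
            // the servlet context and the root context is reported once for each.
            for (Map.Entry<String, T> e : ctx.getBeansOfType(beanType).entrySet()) {
                Object bean = e.getValue();
                String id = ctx.getDisplayName() + " / " + e.getKey();
                if (!(bean instanceof Advised)) {
                    report.add(id + ": not proxied, no method security applied");
                    continue;
                }
                Class<?> target = AopUtils.getTargetClass(bean);
                boolean secured = false;
                for (Advisor advisor : ((Advised) bean).getAdvisors()) {
                    if (!(advisor.getAdvice() instanceof MethodSecurityInterceptor)) {
                        continue;
                    }
                    secured = true;
                    MethodSecurityInterceptor msi = (MethodSecurityInterceptor) advisor.getAdvice();
                    for (Method m : target.getMethods()) {
                        if (m.getName().equals(methodName)) {
                            // An honoured @PostAuthorize shows up here as a post-invocation
                            // attribute next to any @Secured role.
                            report.add(id + ": " + m + " -> "
                                    + msi.getSecurityMetadataSource().getAttributes(m, target));
                        }
                    }
                }
                if (!secured) {
                    report.add(id + ": proxied, but without a method security interceptor");
                }
            }
        }
        return report;
    }
}
```

Calling `MethodSecurityProbe.describe(ctx, SampleDAO.class, "load")` with the DispatcherServlet's context as `ctx` and logging the returned lines shows whether the bean that is actually injected carries only the `@Secured` attribute or also the `@PostAuthorize` one.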