Url seems to be secured properly, but authorize tag doesn't show correct result.

  • Url seems to be secured properly, but authorize tag doesn't show correct result.

    I have a controller secured with:

    Code:
    @PreAuthorize("hasRole('ROLE_USER')")
    and a jsp with a link to that controller:
    Code:
    <sec:authorize url='/api/example'>You can currently access <a href="/api/example">"/api/example"</a>.</sec:authorize>
    In that configuration:
    If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied. However, the link still appears on the jsp.
    If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed through.

    So the underlying spring-security config appears to be good, but something is off with the taglib.

    My next step was to try removing the PreAuthorize tag from the controller, and just dump it into the security-config:
    Code:
    <intercept-url pattern="/api/example" access="hasAnyRole('ROLE_USER')"/>
    In that configuration:
    If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied and the link disappears from the jsp.
    If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed and the link appears in the jsp.

    Any thoughts as to what I've misconfigured?

    Additionally, some relevant bits in the config files follow.
    In security-config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:util="http://www.springframework.org/schema/util"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans  http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    		http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security-3.0.xsd
    		http://www.springframework.org/schema/util	  http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    <global-method-security pre-post-annotations="enabled" />
    In mvc-config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:mvc="http://www.springframework.org/schema/mvc"
    	xmlns:util="http://www.springframework.org/schema/util"
    	xsi:schemaLocation="
    		http://www.springframework.org/schema/beans	 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
    		http://www.springframework.org/schema/mvc	 http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
    		http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security-3.0.xsd
    		http://www.springframework.org/schema/util	 http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    	<context:component-scan base-package="package.web" />
    	<security:global-method-security pre-post-annotations="enabled" />
    	<mvc:annotation-driven />

  • #2
    The authorize tag's url support looks at the Spring Security <http> <intercept-url>'s and knows nothing about your Spring MVC configuration.

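The behaviour described in reply #2, as a configuration sketch. This is an added example, not code from the thread or from the Spring Security project. It assumes Spring Security 3.x namespace configuration with the security schema as the default namespace (as in the poster's security-config) and the taglib bound to the `sec` prefix; the `<form-login/>` element is an assumption standing in for whatever login setup the application already has.

```xml
<!-- security-config: the url attribute of sec:authorize is evaluated only
     against these <http>/<intercept-url> rules. -->
<http use-expressions="true">
    <!-- Mirror the expression used in the controller's @PreAuthorize so the
         rendered link and the request decision agree. -->
    <intercept-url pattern="/api/example" access="hasRole('ROLE_USER')"/>
    <!-- Assumption: replace with the application's existing login config. -->
    <form-login/>
</http>

<!-- Keep method security enabled: @PreAuthorize on the controller remains the
     check that holds even if a URL pattern is mistyped or a new mapping is
     added without a matching <intercept-url>. -->
<global-method-security pre-post-annotations="enabled"/>

<!-- JSP fragment, variant 1: url lookup. Renders the body only when the
     <intercept-url> rule above would let the current user through. With no
     matching rule the taglib finds no restriction, so the body is rendered
     for everyone, which is the symptom in the original post. -->
<sec:authorize url="/api/example">
    You can currently access <a href="/api/example">"/api/example"</a>.
</sec:authorize>

<!-- JSP fragment, variant 2: explicit expression. Does not depend on any
     URL rule; it repeats the method annotation's expression in the view.
     Requires use-expressions="true" on <http>, as set above. -->
<sec:authorize access="hasRole('ROLE_USER')">
    You can currently access <a href="/api/example">"/api/example"</a>.
</sec:authorize>
```

Either variant only controls what is rendered; the request itself is still allowed or denied by the `<intercept-url>` rule and the `@PreAuthorize` annotation.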