
  • @PreAuthorize not being invoked

    Dear Team,
    I am currently trying to implement Spring Security in my sample Maven project. I am using Eclipse Indigo with Java 6.
    The requirement is to give a user access to methods based on his permission.
    The plan is to implement this using @PreAuthorize hasRole('ROLE_XYZ').
    The problem is that @PreAuthorize is not being invoked, i.e. all users are able to access all my methods.

    I have set the global-security-method pre-post-annotation as enabled.
    The filter is PRE_AUTH_FILTER with a custom class.
    At first I had put the @PreAuthorize in my controller class but later on moved it to a service and @Autowired it.
    As I debug my code I can see the principal and grantedAuthorities with correct values.
    I read that hasRole looks for the SecurityExpressionRoot value, so I implemented the expression handler property RootHierarchy. But this class is not being parsed while debugging.

    Can anyone please give a checklist of sorts on implementing hasRole?
    I did go through the document on the site, it's good; but I am not able to identify why the annotations are being ignored and how to set my ROLE.

  • #2
    You probably need CGLIB in your classpath in order for annotations to work. Try including it and see if it works.



    • #3
      I have included CGLIB. But annotations are still not being invoked.



      • #4
        Sharing your configuration would help us guide you better!



        • #5
          These are the dependencies in my pom.xml:
          <!-- Spring 3 dependencies -->
          <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>${spring.version}</version>
          </dependency>

          <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-web</artifactId>
          <version>${spring.version}</version>
          </dependency>

          <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-webmvc</artifactId>
          <version>${spring.version}</version>
          </dependency>

          <!-- Spring Security -->
          <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-core</artifactId>
          <version>${spring.version}</version>
          </dependency>

          <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-web</artifactId>
          <version>${spring.version}</version>
          </dependency>

          <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-config</artifactId>
          <version>${spring.version}</version>
          </dependency>
          <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-taglibs</artifactId>
          <version>${spring.version}</version>
          </dependency>
          <dependency>
          <groupId>org.springframework.security</groupId>
          <artifactId>spring-security-acl</artifactId>
          <version>${spring.version}</version>
          </dependency>
          <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-expression</artifactId>
          <version>3.0.3.RELEASE</version>
          </dependency>

          <dependency>
          <groupId>cglib</groupId>
          <artifactId>cglib</artifactId>
          <version>2.2.2</version>
          </dependency>


          <dependency>
          <groupId>javax.servlet</groupId>
          <artifactId>servlet-api</artifactId>
          <version>2.4</version>
          </dependency>
          </dependencies>
          This is my spring security.xml located in WEB-INF:

          <global-method-security pre-post-annotations="enabled">
          <expression-handler ref ="methodSecurityExpressionHandler" />
          </global-method-security>

          <http auto-config="true" use-expressions="true">
          <!-- matches the bean name for HeaderAuthenticationFilter class above -->
          <custom-filter position="PRE_AUTH_FILTER" ref="ssoHeaderFilter" />
          <intercept-url pattern="/*" access="hasRole('ROLE_USER')"/>
          </http>

          <authentication-manager alias="authenticationManager">
          <authentication-provider ref="preauthAuthProvider" />
          </authentication-manager>
          This is context.xml:
          <bean id="ssoHeaderFilter" class="com.poc.common.security.HeaderAuthenticationFilter">
          <!-- fall back to other authentication providers if OAM SSO is not there -->
          <property name="exceptionIfHeaderMissing" value="false" />
          <property name="principalRequestHeader" value="OAM_REMOTE_USER"/>
          <property name="authenticationManager" ref="authenticationManager" />

          <property name="authenticationDetailsSource">
          <bean class="com.poc.common.security.HeaderAuthenticationDetails">
          <property name="userRoles2GrantedAuthoritiesMapper">
          <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
          <property name="convertAttributeToUpperCase" value="true" />
          </bean>
          </property>

          </bean>
          </property>
          </bean>
          <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
          <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
          </bean>
          <bean id="methodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
          <property name="roleHierarchy">
          <bean class="com.poc.common.security.MethodExpressionHandler"/>
          </property>
          <property name="permissionEvaluator">
          <bean class="com.poc.common.security.CustomPermission"></bean>
          </property>
          </bean>
          <!-- magically map the user header to a valid user object -->
          <bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
          <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
          Both of the above XML files have been specified in web.xml.
          Last edited by sararajan; Apr 23rd, 2012, 04:37 AM.
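
A way to tell which failure mode the thread is describing, as an added example that is not part of any post above: in Spring Security's default proxy mode, @PreAuthorize is enforced by an AOP proxy around the bean, so this helper checks that the injected bean is a proxy and that a caller without the role is actually refused. `MethodSecurityCheck`, `probe`, the `probe-user` principal and `ROLE_NONE` are hypothetical names; only the imported Spring classes are real.

```java
import org.springframework.aop.support.AopUtils;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/** Added diagnostic (hypothetical class): is @PreAuthorize really enforced on a bean? */
public final class MethodSecurityCheck {

    public enum Result { NOT_PROXIED, PROXIED_BUT_ALLOWED, ENFORCED }

    /**
     * @param bean        the bean exactly as the caller receives it (@Autowired or getBean)
     * @param guardedCall invokes one method on that bean annotated with
     *                    @PreAuthorize("hasRole('ROLE_XYZ')")
     */
    public static Result probe(Object bean, Runnable guardedCall) {
        // No proxy means no interceptor sits in front of the method, so the
        // annotation is never evaluated for calls made through this reference.
        if (!AopUtils.isAopProxy(bean)) {
            return Result.NOT_PROXIED;
        }
        Authentication previous = SecurityContextHolder.getContext().getAuthentication();
        // Constructed low-privilege caller: authenticated, but without ROLE_XYZ.
        TestingAuthenticationToken lowPriv =
                new TestingAuthenticationToken("probe-user", "n/a", "ROLE_NONE");
        lowPriv.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(lowPriv);
        try {
            guardedCall.run();
            // The bean is proxied (perhaps for transactions only), yet the call
            // went through: the security interceptor is not on this proxy.
            return Result.PROXIED_BUT_ALLOWED;
        } catch (AccessDeniedException denied) {
            return Result.ENFORCED;
        } finally {
            // Restore whatever authentication was in place before the probe.
            SecurityContextHolder.getContext().setAuthentication(previous);
        }
    }

    private MethodSecurityCheck() { }
}
```

Run it from a place that receives the bean the same way the controller does; anything other than `ENFORCED` means the guarded method is reachable by every authenticated user.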
