@PreAuthorize not being invoked

  • sararajan
    started a topic @PreAuthorize not being invoked

    @PreAuthorize not being invoked

    Dear Team
    I am currently trying to implement Spring Security in my sample Maven project. I am using Eclipse Indigo with Java 6.
    The requirement is to give a user access to methods based on his permission.
    The plan is to implement this using @PreAuthorize hasRole('ROLE_XYZ').
    The problem is that @PreAuthorize is not being invoked, i.e. all users are able to access all my methods.

    I have set the global-security-method pre-post-annotation as enabled.
    The filter is PRE_AUTH_FILTER with a custom class.
    At first I had put the @PreAuthorize in my controller class, but later on moved it to a service and @Autowired it.
    As I debug my code I can see the principal and grantedAuthorities with the correct values.
    I read that hasRole looks for the SecurityExpressionRoot value, so I implemented the expression handler property RootHierarchy. But this class is not being parsed while debugging.

    Can anyone please give a checklist of sorts on implementing hasRole?
    I did go through the document on the site; it's good, but I am not able to identify why the annotations are being ignored and how to set my ROLE.

  • sararajan
    replied
    These are the dependencies in my pom.xml
    <!-- Spring 3 dependencies -->
    <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>${spring.version}</version>
    </dependency>

    <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>${spring.version}</version>
    </dependency>

    <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>${spring.version}</version>
    </dependency>

    <!-- Spring Security -->
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring.version}</version>
    </dependency>

    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring.version}</version>
    </dependency>

    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring.version}</version>
    </dependency>
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring.version}</version>
    </dependency>
    <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-acl</artifactId>
    <version>${spring.version}</version>
    </dependency>
    <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-expression</artifactId>
    <version>3.0.3.RELEASE</version>
    </dependency>

    <dependency>
    <groupId>cglib</groupId>
    <artifactId>cglib</artifactId>
    <version>2.2.2</version>
    </dependency>


    <dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>servlet-api</artifactId>
    <version>2.4</version>
    </dependency>
    </dependencies>
    This is my spring security.xml located in WEB-INF:

    <global-method-security pre-post-annotations="enabled">
    <expression-handler ref ="methodSecurityExpressionHandler" />
    </global-method-security>

    <http auto-config="true" use-expressions="true">
    <!-- matches the bean name for HeaderAuthenticationFilter class above -->
    <custom-filter position="PRE_AUTH_FILTER" ref="ssoHeaderFilter" />
    <intercept-url pattern="/*" access="hasRole('ROLE_USER')"/>
    </http>

    <authentication-manager alias="authenticationManager">
    <authentication-provider ref="preauthAuthProvider" />
    </authentication-manager>
    This is context.xml:
    <bean id="ssoHeaderFilter" class="com.poc.common.security.HeaderAuthenticationFilter">
    <!-- fall back to other authentication providers if OAM SSO is not there -->
    <property name="exceptionIfHeaderMissing" value="false" />
    <property name="principalRequestHeader" value="OAM_REMOTE_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />

    <property name="authenticationDetailsSource">
    <bean class="com.poc.common.security.HeaderAuthenticationDetails">
    <property name="userRoles2GrantedAuthoritiesMapper">
    <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
    <property name="convertAttributeToUpperCase" value="true" />
    </bean>
    </property>

    </bean>
    </property>
    </bean>
    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    </bean>
    <bean id="methodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="roleHierarchy">
    <bean class="com.poc.common.security.MethodExpressionHandler"/>
    </property>
    <property name="permissionEvaluator" >
    <bean class="com.poc.common.security.CustomPermission"></bean>
    </property>
    </bean>
    <!-- magically map the user header to a valid user object -->
    <bean id="preAuthenticatedUserDetailsService" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsService" />
    <bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
    Both of the above XML files have been specified in web.xml.
    Last edited by sararajan; Apr 23rd, 2012, 04:37 AM.



  • itsavvy.ankur
    replied
    Sharing your configuration would aid us to guide you better!



  • sararajan
    replied
    I have included CGLIB. But annotations are still not being invoked.



  • itsavvy.ankur
    replied
    You probably need CGLIB in your classpath in order for annotations to work. Try including it and see if it works.

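A check for the symptom discussed in this thread, as an added example that is not part of any post: `@PreAuthorize` can only be enforced on a bean that Spring has wrapped in an AOP proxy, so listing annotated beans that are not proxied shows where the annotation is silently ignored. The class name `PreAuthorizeProxyCheck` and its method names are hypothetical; the code targets Java 6 and uses only Spring's `AopUtils`, `AnnotationUtils` and `ApplicationContext`.

```java
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.access.prepost.PreAuthorize;

/** Hypothetical diagnostic helper (added example, not code from the thread). */
public final class PreAuthorizeProxyCheck {

    private PreAuthorizeProxyCheck() {
    }

    /**
     * Returns the names of beans defined in the given context that declare
     * {@code @PreAuthorize} on a method but are not wrapped in an AOP proxy,
     * so no interceptor can evaluate the expression before the call.
     */
    public static List<String> unprotectedBeans(ApplicationContext ctx) {
        List<String> unprotected = new ArrayList<String>();
        for (String name : ctx.getBeanDefinitionNames()) {
            Object bean;
            try {
                bean = ctx.getBean(name);
            } catch (RuntimeException e) {
                continue; // abstract or otherwise non-instantiable definition
            }
            Class<?> target = AopUtils.getTargetClass(bean);
            if (declaresPreAuthorize(target) && !AopUtils.isAopProxy(bean)) {
                unprotected.add(name + " (" + target.getName() + ")");
            }
        }
        return unprotected;
    }

    private static boolean declaresPreAuthorize(Class<?> type) {
        for (Method m : type.getMethods()) {
            // findAnnotation also checks interface and superclass declarations
            if (AnnotationUtils.findAnnotation(m, PreAuthorize.class) != null) {
                return true;
            }
        }
        return false;
    }
}
```

`getBeanDefinitionNames()` lists only the beans of the context it is called on, so run the check against each context the application creates. A proxied bean is a necessary condition for enforcement, not proof that the method-security interceptor is among its advisors.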
