
  • Secured annotations not working in AspectJ Mode with Autoproxy

    I'm trying to get my Spring MVC app to play nice with Spring @Secured annotations and AspectJ autoproxying but it doesn't seem to be proxying or recognising my @Secured annotations. I have a controller like this:

    Code:
    @Controller
    @RequestMapping("/")
    public class ApplicationController {
    
    	private ApplicationFactory applicationFactory;
    
    	@Inject
    	public ApplicationController(ApplicationFactory applicationFactory) {
    		super();
    		this.applicationFactory = applicationFactory;
    	}
    
    	@Secured("ROLE_USER")
    	@ResponseBody
    	@RequestMapping(method = GET)
    	public Application getApplicationInfo() {
    		return applicationFactory.buildApplication(this);
    	}
    
    }
    And a spring security XML that looks something like this:

    Code:
      <security:global-method-security secured-annotations="enabled" mode="aspectj" proxy-target-class="true" />
    
      <security:http auto-config="true" use-expressions="true">
        <security:http-basic/>
      </security:http>
    However, Spring Security isn't detecting the annotation and I'm still able to access the secured endpoint above without being authorised.

    Am I missing something? I tried adding the @EnableAspectJAutoProxy(proxyTargetClass = true) to my application configuration but that didn't help either. Is there any way to have run time weaving or will I have to use compile time weaving to enable annotation-based security for my application?

  • #2
    Please use the search as this question has been answered before.

    In short your global-method-security is useless as it is defined in the root application context (loaded by the ContextLoaderListener) whereas your @Controller is detected by the DispatcherServlet. Aspect configuration of a parent context doesn't affect child contexts (and vice-versa).

    Move/add the global-method-security to the DispatcherServlet.



    • #3
      Hi Martin

      Thanks for the response.

      You are incorrect though: I did search, exhaustively, for the keywords in the code above but couldn't find a single solution until you responded here.



      • #4
        See the FAQ



        • #5
          I'm not sure that the issue with the application contexts from the FAQ is the problem. I only create one application context for the whole of my application. Please see my WebInitializer instance:

          Code:
          public class SpringMvcInitializer implements WebApplicationInitializer {

              private final AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();

              public void onStartup(ServletContext servletContext) throws ServletException {
                  context.register(ApplicationConfiguration.class);

                  servletContext.addListener(new ContextLoaderListener(context));
                  servletContext.addListener(new Log4jConfigListener());

                  final DelegatingFilterProxy proxy = new DelegatingFilterProxy("springSecurityFilterChain", context);
                  FilterRegistration.Dynamic filter = servletContext.addFilter("securityFilter", proxy);
                  filter.addMappingForUrlPatterns(EnumSet.of(REQUEST), false, "/*");

                  final DispatcherServlet servlet = new DispatcherServlet(context);
                  ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", servlet);
                  dispatcher.setLoadOnStartup(1);
                  dispatcher.addMapping("/*");
              }

          }
          If that is the case, I'm unsure how to change the ordering of my security application context XML using the no-xml @Configuration component I'm using:

          Code:
          @Configuration
          @ComponentScan(basePackages = {"com.example"})
          @EnableWebMvc
          @ImportResource("classpath:/security.xml")
          public class ApplicationConfiguration extends WebMvcConfigurerAdapter {
          }
          Any help or suggestions would be gratefully received.



          • #6
            Are you weaving the classes with AspectJ as indicated in the reference doc for global-method-security@mode? How are you compiling with AspectJ (i.e. maven, ant, eclipse, etc) and what does the configuration look like? If you do not want to use AspectJ, you might try removing the mode="aspectj".

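A check for the two causes raised in replies #2 and #6, as an added example that is not code from any poster in this thread: a JUnit 4 test that loads the thread's ApplicationConfiguration, confirms the controller bean is wrapped by an AOP proxy in the same context as the method-security configuration, and confirms the @Secured method refuses unauthenticated and under-privileged callers. Assumptions: spring-test 3.2 or later (for @WebAppConfiguration), mode="aspectj" removed from security.xml as reply #6 suggests, and a hypothetical test class name SecuredControllerTest.

```java
import static org.junit.Assert.assertTrue;

import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;

// Hypothetical test; ApplicationConfiguration and ApplicationController are the thread's classes.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = ApplicationConfiguration.class)
public class SecuredControllerTest {

    @Autowired
    private ApplicationController controller;

    @After
    public void clearContext() {
        SecurityContextHolder.clearContext();
    }

    // In proxy mode the bean must be an AOP proxy; a raw instance means no security interceptor runs.
    @Test
    public void controllerIsProxied() {
        assertTrue(AopUtils.isAopProxy(controller));
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void rejectsCallWithoutAuthentication() {
        controller.getApplicationInfo(); // empty SecurityContext
    }

    @Test(expected = AccessDeniedException.class)
    public void rejectsCallWithoutRoleUser() {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("guest", "n/a", "ROLE_GUEST")); // constructed user
        controller.getApplicationInfo();
    }
}
```

If controllerIsProxied fails while the context loads cleanly, the method-security configuration is not being applied to the controller bean, which is the situation replies #2 and #6 describe.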


            • #7
              Hi Rob,

              I was specifically trying to avoid compile/load time weaving by using the proxy-target-class="true" directive.

              Does this mean I have to use weaving to recompile my classes to get @Secured annotations to work? Is there an example Spring Security 3.1 project I could look at?

              TIA...

              -- Ricardo



              • #8
                You probably want to read some about Spring AOP. The choices are proxy based AOP which has an initial load time penalty (should be rather minimal) or compiling with AspectJ. There are a number of samples out there, but the best bet is to refer to the sample applications included with Spring Security.



                • #9
                  Hi Rob,

                  Thanks for the info, I am aware of the difference and I've got proxy based AOP to work with Spring MVC before, just not with spring-security and never with a "no-xml" spring application. I'm not sure I understand why the above isn't working.

                  I'll check out the sample apps and see if I get any answers from those.

                  Regards...

                  -- Ricardo
