Announcement Announcement Module
Collapse
No announcement yet.
Securing a SimpleFormController Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Securing a SimpleFormController

    Maybe I am missing something but I read the FAQ's on securing controller methods and I implemented the solution, however my annotation is not working on SimpleFormController types it is only working on annotated ones. How would I wire this to work for both types of controllers (old and new).

    servlet.xml
    Code:
    	<sec:global-method-security pre-post-annotations="enabled">
    	 	 <sec:expression-handler ref="expressionHandler"/> 
    	 </sec:global-method-security>
    Works:
    Code:
    @RequestMapping(method=RequestMethod.GET)
    @PreAuthorize("hasAuthority('ROLE_BOGUS')")
    public void form(HttpSession session, Model model) {
    Doesn't Work (SimpleFormController)
    Code:
    @PreAuthorize("hasAuthority('ROLE_BOGUS')")
    protected Object formBackingObject(HttpServletRequest request)
    Thanks,

    Keith

  • #2
    I suggest you read the Spring AOP chapter especially the part that explains about proxies...

    Basically the only method to secure on old style controllers is handleRequest as that is the only public called method and because aop is based on proxies that is the only method that is being proxied all other calls are internal method calls.

    Comment

    Working...
    X