  • @PreAuthorize & @PostAuthorize being ignored

    Greetings,

    I'm using Spring 3.2.0 and Spring Security 3.1.2

    I'm having a problem with my secured method annotations: the secured method is a private method within a Controller, but it is being ignored and I'm not sure why.

    I've read numerous threads about placing the global-method-security in the application context, which I have done to no avail.

    During startup there are no special messages regarding method security failure. Only this:

    [DEBUG] 00:57:29 AspectJMethodSecurityInterceptor - Validated configuration attributes


    Below are snippets of my configuration and code. I would really appreciate any pointers on what I might be doing wrong or might have missed.


    web.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app>
    
      <display-name>mywebapp</display-name>
      
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml</param-value>
      </context-param>
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      <servlet>
        <servlet-name>mywebapp</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>/WEB-INF/spring/mywebapp-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>mywebapp</servlet-name>
        <url-pattern>/</url-pattern>
      </servlet-mapping>
      <filter>
        <filter-name>securityFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>springSecurityFilterChain</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    </web-app>

    mywebapp-servlet.xml

    Code:
    <context:spring-configured />
    <context:component-scan base-package="my.webapp" />
    
    <mvc:annotation-driven />
    
    <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" mode="aspectj" />

    MyContoller.class

    Code:
    import javax.servlet.ServletContext;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.access.prepost.PostAuthorize;
    import org.springframework.security.core.Authentication;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;
    import org.springframework.web.context.ServletContextAware;
    import org.springframework.web.context.request.WebRequest;
    import org.springframework.web.servlet.ModelAndView;

    @Controller
    public class MyContoller implements ServletContextAware
    {
        // Assumed: the service used below is injected; the original snippet does not show how.
        @Autowired
        private AccountService accountService;

        private ServletContext servletContext;

        public MyContoller() {
            super();
        }

        // Required by ServletContextAware; omitted from the original snippet.
        public void setServletContext(ServletContext servletContext) {
            this.servletContext = servletContext;
        }

        // Private method, called from getProfile() below on 'this' (a self-invocation).
        @PostAuthorize("hasRole('admin') or returnObject.username == authentication.name")
        private Account getAccount(Integer id, Authentication auth)
        {
            Account account = null;
            if (id != null)
                account = accountService.getAccount(id);
            else
                account = accountService.getAccountByEmail(auth.getName());
            return account;
        }

        @RequestMapping(value = "/settings/profile", method = RequestMethod.GET)
        public ModelAndView getProfile(@RequestParam(value = "id", required = false) Integer id, Authentication auth, WebRequest request)
        {
            Account account = getAccount(id, auth);
            // Etc.
        }
    }

  • #2
    I suggest a read of the reference guide. Only EXTERNAL method calls can be intercepted and not INTERNAL method calls, due to the fact that Spring uses proxies to apply AOP. So the annotation on your private method (which is always an internal method call) isn't going to work.

    If you want this to work you need to either switch to load-time or compile-time weaving to apply AOP.

    • #3
      Is the same true of classes which implement an interface? I shifted the code to a service class and it is still ignored.

      • #4
        If it is an internal method call, it doesn't matter where it is; it will never be intercepted with proxy-based AOP.

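To make concrete what replies #2 and #4 describe, here is an added example (not code from this thread or from Spring) that stands in a plain JDK dynamic proxy for Spring's AOP proxy: a hypothetical AccountService whose getAccount() is guarded by an authorizing InvocationHandler. The external call through the proxy is checked and denied; the call from getProfile() to getAccount() resolves to `this`, never reaches the proxy, and returns the data with no check at all, which is why an annotation on a self-invoked (or private) method is silently ignored.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Hypothetical service; only getAccount() is meant to be authorization-checked.
interface AccountService {
    String getAccount(int id);
    String getProfile(int id);
}

class AccountServiceImpl implements AccountService {
    public String getAccount(int id) { return "account-" + id; }
    public String getProfile(int id) {
        // Self-invocation: resolves to 'this', the raw target object, not the proxy.
        return "profile built from " + getAccount(id);
    }
}

// Stand-in for the method security interceptor: checks the caller's role before getAccount().
class AuthorizingHandler implements InvocationHandler {
    private final Object target;
    private final boolean callerIsAdmin;
    int checksRun = 0;
    AuthorizingHandler(Object target, boolean callerIsAdmin) {
        this.target = target;
        this.callerIsAdmin = callerIsAdmin;
    }
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (m.getName().equals("getAccount")) {
            checksRun++;
            if (!callerIsAdmin) throw new SecurityException("access denied: " + m.getName());
        }
        return m.invoke(target, args);
    }
}

public class SelfInvocationDemo {
    public static void main(String[] args) {
        AuthorizingHandler handler = new AuthorizingHandler(new AccountServiceImpl(), false);
        AccountService proxy = (AccountService) Proxy.newProxyInstance(
                AccountService.class.getClassLoader(), new Class<?>[] { AccountService.class }, handler);
        try {
            proxy.getAccount(1);                       // external call: intercepted and denied
        } catch (SecurityException e) {
            System.out.println("external call -> " + e.getMessage());
        }
        System.out.println("internal call -> " + proxy.getProfile(1)); // data returned, no check ran
        System.out.println("checks run: " + handler.checksRun);         // 1, not 2
    }
}
```

The gap closes only when the guarded method is reached through the proxy (a separate bean injected and called from the caller) or when the advice is woven into the class itself, as reply #2 suggests; a check that never runs gives no error, so this is worth verifying with a negative test rather than assuming from the annotation.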