Announcement Announcement Module
No announcement yet.
Using @PreAuthorize on SpringData repositories Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Using @PreAuthorize on SpringData repositories

    I am trying to secure Spring-Data repositories by using @PreAuthorize annotations on the my repository interface (since most methods are inherited) so that all methods get secured.
    The result is that any custom methods included in my interface get security by all methods inherited by Spring-Data interfaces are not.
    Applying the same thing on a simple component interface extending a superinterface will work properly.
    I am not sure whether this is a Spring-Security or Spring-Data issue. I would appreciate some help figuring this out.
    I attach an example with unit tests for the working service setup and the non working Spring-Data repository. The failing testSuperRepositoryWithUser should get an AccessDeniedException, but the @PreAuthorize annotation does not apply on the JpaRepository interface.
    Last edited by rigas.grigoropoulos; Dec 7th, 2012, 08:27 AM.

  • #2
    The same issue also applies when security is applied using protect-pointcut in the xml configuration, even when a pointcut is configured for the ory interface as follows:

    <security:protect-pointcut expression="execution(**(..))" 
        access="ROLE_ADMIN" />


    • #3
      I've the same problems of rigas.grigoropoulos. Anyone has a solution for this issue? It's strange no-one complain about this problem; which is the convenience of using JpaRepository if I can't use @PreAuthorize on his methods?

      Thanks very much!


      • #4
        I haven't had a chance to look into this yet, but I created a JIRA to look into it. Follow SEC-2150 to keep up to date with this issue.


        • #5
          Thanks very much Rob!!!