A little help with @PostAuthorize? (SS 3.0.0.M1)

This topic is closed.

  • #1

    Hi, I'm trying to use the @PostAuthorize annotation with EL to compare properties on the return value of a method.
    But I'm not having much luck: I'm able to access method return values that my principal should not be able to access:


    <global-method-security pre-post-annotations="enabled"/>
    <http use-expressions="true">
        <intercept-url pattern="/sites/**" access="hasRole('ROLE_OWNER')" />
        <http-basic />
    </http>
    Service interface:

    public interface SiteService {
        @PostAuthorize("returnObject.owner.key == principal.key")
        Site getSite(String siteId);
    }

    The Site object has a nested Owner object, which has a Long key property.
    The Principal is a custom UserDetails object, which has a Long key property.

    Anything I'm missing?

    I've verified I do have a correct principal in the context. But I'm able to call the getSite method above, even if my principal's key property does not match the return value's.

  • #2
    A little more info:

    Debugging shows that this class is never getting called: hod.ExpressionBasedPostInvocationAdvice

    though I assume it should. What would cause that to happen?

    From reading the various docs, I assumed that this would register the necessary classes:
    <global-method-security pre-post-annotations="enabled"/>


    • #3
      Ah, progress!

      Tried adding the @PostAuthorize annotation to a method on my controller, and it's behaving as expected.

      Then moved the annotation to the service implementation instead of the interface, and it works fine...

      I can live with that, but I thought the interface would work?

      The tutorial example shows these annotations on an interface:

      Same as here:

      If it is supported, what might be causing this behavior?


      • #4
        It should work on both interface and class. If

        doesn't apply, then post a sample demonstrating the problem in Jira and I'll take a look at it.
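The thread ends without a reproducible check, so here is one as an added example (it is not code from the thread, the poster, or the Spring Security project). It wires the setup described above with Spring Security 3.0.x APIs (`@PostAuthorize`, `SecurityContextHolder`, `UsernamePasswordAuthenticationToken`, `AccessDeniedException`) and asserts that a principal whose `key` does not match `returnObject.owner.key` is actually denied, which is the symptom the original poster could not get. The class names `Owner`, `Site`, `SiteUser`, `SiteServiceImpl`, the bean id `siteService`, the constructed owner key 42, and the XML file `site-security.xml` are all assumptions made for this example; the annotation sits on the implementation, the placement post #3 found to work, and moving it to the interface is the variant to re-run this check against.

```java
// Added example, not from the thread: verifies that @PostAuthorize advice is applied.
// Assumed: Spring Security 3.0.x and spring-context on the classpath, and a classpath
// resource site-security.xml containing (security namespace as default):
//   <global-method-security pre-post-annotations="enabled"/>
//   <authentication-manager>
//     <authentication-provider>
//       <user-service><user name="alice" password="x" authorities="ROLE_OWNER"/></user-service>
//     </authentication-provider>
//   </authentication-manager>
//   <beans:bean id="siteService" class="example.PostAuthorizeCheck$SiteServiceImpl"/>
package example;

import java.util.Collection;

import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

public class PostAuthorizeCheck {

    // Domain objects as described in the thread: a Site with a nested Owner holding a Long key.
    public static class Owner {
        private final Long key;
        public Owner(Long key) { this.key = key; }
        public Long getKey() { return key; }          // resolved by SpEL as returnObject.owner.key
    }

    public static class Site {
        private final Owner owner;
        public Site(Owner owner) { this.owner = owner; }
        public Owner getOwner() { return owner; }
    }

    // Custom UserDetails principal with a Long key, as in the thread (name SiteUser is assumed).
    public static class SiteUser implements UserDetails {
        private final String username;
        private final Long key;
        private final Collection<GrantedAuthority> authorities;
        public SiteUser(String username, Long key, Collection<GrantedAuthority> authorities) {
            this.username = username; this.key = key; this.authorities = authorities;
        }
        public Long getKey() { return key; }          // resolved by SpEL as principal.key
        public Collection<GrantedAuthority> getAuthorities() { return authorities; }
        public String getPassword() { return ""; }
        public String getUsername() { return username; }
        public boolean isAccountNonExpired() { return true; }
        public boolean isAccountNonLocked() { return true; }
        public boolean isCredentialsNonExpired() { return true; }
        public boolean isEnabled() { return true; }
    }

    public interface SiteService {
        Site getSite(String siteId);
    }

    // Annotation on the implementation class, the placement post #3 reported as working.
    public static class SiteServiceImpl implements SiteService {
        @PostAuthorize("returnObject.owner.key == principal.key")
        public Site getSite(String siteId) {
            return new Site(new Owner(42L));          // constructed data: every site is owned by key 42
        }
    }

    // Calls getSite() as a principal with the given key and reports whether access was denied.
    static boolean deniedFor(SiteService service, Long principalKey) {
        SiteUser user = new SiteUser("alice", principalKey,
                AuthorityUtils.createAuthorityList("ROLE_OWNER"));
        // The 3-argument constructor marks the token as authenticated, so no provider is consulted.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, "n/a", user.getAuthorities()));
        try {
            service.getSite("site-1");
            return false;                             // returned normally: advice did not fire or allowed it
        } catch (AccessDeniedException e) {
            return true;                              // post-invocation expression evaluated to false
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        ClassPathXmlApplicationContext ctx = new ClassPathXmlApplicationContext("site-security.xml");
        // Fetch by interface: if the bean comes back as a raw SiteServiceImpl, no proxy was created.
        SiteService service = ctx.getBean("siteService", SiteService.class);
        if (!deniedFor(service, 7L)) {
            throw new AssertionError("non-owner was NOT denied: @PostAuthorize advice is not applied");
        }
        if (deniedFor(service, 42L)) {
            throw new AssertionError("owner was denied although keys match");
        }
        System.out.println("@PostAuthorize advice is applied and enforces the owner check");
    }
}
```

The first assertion is the one that catches the situation in post #1: if the advice is not applied at all, the non-owner call returns the Site and the check fails loudly instead of silently passing. Running the same harness once with the annotation on the interface and once on the implementation is the quickest way to produce the sample post #4 asks for.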