  • A little help with @PostAuthorize? (SS 3.0.0.M1)

    Hi, I'm trying to use the @PostAuthorize annotation using EL to compare properties on the return value of a method.
    But I'm not having much luck - I'm able to access method return values that my principal should not be able to access:

    Config:

    Code:
    <global-method-security pre-post-annotations="enabled"/>
    
    <http use-expressions="true">
        <intercept-url pattern="/sites/**" access="hasRole('ROLE_OWNER')" />
        <http-basic />
    </http>
    Service interface:

    Code:
    @PreAuthorize("hasRole('ROLE_OWNER')")
    public interface SiteService {
    
        @PostAuthorize("returnObject.owner.key == principal.key")
        Site getSite(String siteId);
    }
    The Site object has a nested Owner object, which has a Long key property.
    The principal is a custom UserDetails object, which has a Long key property.


    Anything I'm missing?

    I've verified I do have a correct principal in the context. But I'm able to call the getSite method above, even if my principal's key property does not match the return value's.

  • #2
    A little more info:

    Debugging shows that this class is never getting called:
    org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice

    though I assume it should. What would cause that to happen?

    From reading the various docs, I assumed that this would register the necessary classes:
    <global-method-security pre-post-annotations="enabled"/>



    • #3
      Ah, progress!

      Tried adding the @PostAuthorize annotation to a method on my controller, and it's behaving as expected.

      Then moved the annotation to the service implementation instead of the interface, and it works fine...

      I can live with that, but I thought the interface would work?

      The tutorial example shows these annotations on an interface:
      https://src.springframework.org/svn/...nkService.java

      Same as here:
      http://stsmedia.net/spring-finance-p...3-integration/

      If it is supported, what might be causing this behavior?



      • #4
        It should work on both interface and class. If

        http://static.springsource.org/sprin...in-web-context

        doesn't apply, then post a sample demonstrating the problem in Jira and I'll take a look at it.

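One way to check that the rule from this thread is really enforced rather than silently skipped (the symptom in the first post and #2), as an added example that is not code from the thread or from Spring Security itself: a JUnit 4 test that loads an assumed `method-security.xml` (a hypothetical file holding the thread's `<global-method-security pre-post-annotations="enabled"/>`, an `<authentication-manager>`, and a `<bean>` for `SiteServiceImpl`), then asserts that a mismatched owner key is denied. The `Owner`, `Site`, `KeyedUser` and `SiteServiceImpl` classes are assumptions modelled on the poster's description, with the annotation on the implementation as in post #3.

```java
// Added example (not from the thread): JUnit 4 check that the thread's @PostAuthorize rule
// is really enforced. Assumes method-security.xml on the classpath (hypothetical file) holding
// <global-method-security pre-post-annotations="enabled"/>, an <authentication-manager>,
// and a <bean> for SiteServiceImpl; if the advice is never applied, otherOwnerIsDenied fails.
import static org.junit.Assert.assertNotNull;
import org.junit.Test;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

public class PostAuthorizeEnforcementTest {
    public static class Owner { private final Long key; public Owner(Long k) { key = k; } public Long getKey() { return key; } }
    public static class Site { private final Owner owner; public Site(Owner o) { owner = o; } public Owner getOwner() { return owner; } }
    /** Custom principal carrying the Long key that "principal.key" in the expression resolves to. */
    public static class KeyedUser extends User {
        private final Long key;
        public KeyedUser(String name, Long key) {
            super(name, "n/a", AuthorityUtils.createAuthorityList("ROLE_OWNER"));
            this.key = key;
        }
        public Long getKey() { return key; }
    }
    public interface SiteService { Site getSite(String siteId); }
    /** Rule placed on the implementation, where post #3 reports it taking effect. */
    public static class SiteServiceImpl implements SiteService {
        @PostAuthorize("returnObject.owner.key == principal.key")
        public Site getSite(String siteId) { return new Site(new Owner(Long.valueOf(siteId))); }
    }

    // Authenticate a ROLE_OWNER principal with the given key, then fetch the proxied service bean.
    private SiteService loadService(Long principalKey) {
        KeyedUser user = new KeyedUser("alice", principalKey);
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, "n/a", user.getAuthorities()));
        return new ClassPathXmlApplicationContext("method-security.xml").getBean(SiteService.class);
    }

    @Test public void ownerSeesOwnSite() { assertNotNull(loadService(7L).getSite("7")); }

    // Constructed mismatch: site "42" is owned by key 42, the principal's key is 7 -> must be denied.
    @Test(expected = AccessDeniedException.class)
    public void otherOwnerIsDenied() { loadService(7L).getSite("42"); }
}
```

If `otherOwnerIsDenied` passes without throwing, the proxy is not wrapping the bean at all, which matches the never-called `ExpressionBasedPostInvocationAdvice` seen in #2 and is worth checking before moving annotations around.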