
  • @PreAuthorized annotation not working with ROO

    I have tried to use the "@PreAuthorized" annotation as in page 78 of the Spring Security 3.0.1.RELEASE reference document.

    I added the following annotation to the "PersonController.createForm" method:
    @RequestMapping(value = "/person/form", method = RequestMethod.GET)
    public String createForm(ModelMap modelMap) {
        modelMap.addAttribute("person", new Person());
        modelMap.addAttribute("addresses", Address.findAllAddresses());
        modelMap.addAttribute("emails", Email.findAllEmails());
        modelMap.addAttribute("facilitys", Facility.findAllFacilitys());
        modelMap.addAttribute("images", Image.findAllImages());
        modelMap.addAttribute("phones", Phone.findAllPhones());
        modelMap.addAttribute("titles", Title.findAllTitles());
        return "person/create";
    }

    and other methods. For some reason the Spring container seems to just ignore the annotation as all calls to this method when using a user that DOES NOT have "ROLE_ADMIN".

    The example provided seems simple enough but I MUST be doing something wrong. I have also increased security logging in the LOG4J setting to INFO.

    Here is the ApplicationContext-Security.xml file that I'm using:

    <beans:beans xmlns=""

    <global-method-security pre-post-annotations="enabled"/>
    <http use-expressions="true" auto-config="true">
    <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/authorities**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>

    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
    <remember-me />
    <jdbc-user-service data-source-ref="dataSource"/>


    Thanks much for your help!

  • #2
    Just out of curiosity how did you get the


    into your code.

    Did you "Refactor > Push-In Refactor" and is this the resulting .aj file


    • #3
      Because I thought the problem could have been that I was using the "@PreAuthorize" annotation in the .aj files generated by ROO, I decided to use "push in" refactoring, which merged all the aspect code in the .aj files into their respective .java files. This did not work.

      Made a typo in the previous posting "@PreAuthorized" should have been "@PreAuthorize" which is what I used in my code.

      I think there is an issue with Spring and ROO in that the proxy decorator object that provides the security services created by Spring Security is not being used but instead the core object that is being wrapped (or decorated) is being referenced directly.

      Does anyone know if this is the case? and if there is a fix currently or in the works?

      appreciate your help!


      • #4
        Exactly the same problem...

        Sorry, I have no answer. But I have exactly the same problem. Does @PreAuthorize not work together with @RequestMapping?



        • #5
          same issue

          Anyone succeeded with the combination of those 2 annotations?
          In my code it is also ignoring the @PreAuthorize annotation although it is configured with <global-method-security pre-post-annotations="enabled"/>

          Thanks for your feedback

          Found it, you need to redefine <global-method-security pre-post-annotations="enabled"/> in the config file which is also used for your controllers. In Spring Roo this is webmvc-config.xml. When configuring security with roo, the config file applicationContext-security.xml is initially configured to enable those annotations. This was a little confusing...
          Last edited by dfranssen; May 8th, 2010, 04:11 PM.


          • #6
            bump, thanks for the tip dfranssen, drove me all sorts of crazy

            You would need
            <beans xmlns="" xmlns:sec="" xmlns:context="" xmlns:mvc="" xmlns="" xmlns:xsi="" xsi:schemaLocation="">
            <sec:global-method-security pre-post-annotations="enabled"/>

            on top of the file for this (note the sec and sec's xmlns)
            Last edited by hatim; May 18th, 2010, 10:07 PM.


            • #7
              This is due to the visibility of beans in child contexts - the controller beans aren't visible from the parent context. There's also a FAQ on this.
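
The child-context visibility described in #7, as an added example that is not part of the thread or of Spring Roo: a recording `BeanPostProcessor` stands in for the proxying that `<global-method-security>` sets up, and only the copy registered in the child context gets the chance to wrap the controller. All class and bean names are hypothetical, and the demo assumes Spring Framework 5 or later on the classpath (for `registerBean`), not the 3.0 release discussed above.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.support.GenericApplicationContext;

// Added illustration; every class and bean name below is hypothetical.
public class ContextVisibilityDemo {

    // Stand-in for a Roo-generated controller.
    static class PersonController { }

    // Stand-in for method-security proxying: records each bean it is asked to
    // post-process. The real infrastructure would return a secured proxy here.
    static class RecordingPostProcessor implements BeanPostProcessor {
        final List<String> seen = new ArrayList<>();

        @Override
        public Object postProcessAfterInitialization(Object bean, String beanName) {
            seen.add(beanName);
            return bean;
        }
    }

    public static void main(String[] args) {
        // Root context, the role played by applicationContext-security.xml:
        // the post-processor is registered here, but no controllers are.
        RecordingPostProcessor rootPp = new RecordingPostProcessor();
        GenericApplicationContext root = new GenericApplicationContext();
        root.registerBean("rootSecurity", RecordingPostProcessor.class, () -> rootPp);
        root.refresh();

        // Child context, the role played by webmvc-config.xml: controllers are
        // defined here, so the post-processor must be declared here as well.
        RecordingPostProcessor webPp = new RecordingPostProcessor();
        GenericApplicationContext web = new GenericApplicationContext();
        web.setParent(root);
        web.registerBean("webSecurity", RecordingPostProcessor.class, () -> webPp);
        web.registerBean("personController", PersonController.class);
        web.refresh();

        // Post-processors apply only to beans created by their own bean factory.
        System.out.println("root saw controller: " + rootPp.seen.contains("personController"));
        System.out.println("web saw controller:  " + webPp.seen.contains("personController"));

        web.close();
        root.close();
    }
}
```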