Announcement Announcement Module
No announcement yet.
authorize tag w/url and Using @PreAuthorize in Controller Page Title Module
Move Remove Collapse
This topic is closed
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • authorize tag w/url and Using @PreAuthorize in Controller

    Using springframework 3.0.3-release and spring-security-3.0.2-release, the following does not seem to work exactly as I would have thought. I have security configured in the xml that all the app's url's require a "basic" role. Then with individual controller methods, I restrict the access to them using a @PreAuthorize annotation. When the authorize tag uses a url parameter, it does not check the @PreAuthorize. I am guessing it just sees the general security configuration in the XML and doesn't go further. I was trying to avoid putting the same security setting in two or more places, one being in the JSP where the URL is called and the other being in the Java code.

    security.xml contents:
      <http auto-config='true' use-expressions='true'>
        <intercept-url pattern="/index.htm" access="permitAll"/>
        <intercept-url pattern="/favicon.ico" access="permitAll"/>
        <intercept-url pattern="/login.jsp*" access="permitAll"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1" />
      <global-method-security pre-post-annotations="enabled"/>
    JSP code snippet:
    <sec:authorize url="/app/site/create"><a href="/app/site/create">Create Site</a></sec:authorize>
    Controller code snippet:
    @RequestMapping(value="/create", method = RequestMethod.GET)
    public String create(Model model) {

    Note, that upon clicking the link, the user does get an access denied page. It's just that the link shouldn't be available and I wanted to avoid having to test on hasRole('ROLE_ADMIN') in two places (for fear that someone else doesn't realize they need to change it in two or more places).

  • #2
    Well you cannot... Because they both serve a different purpose and the @PreAuthorize/@Secured annotations get checked ONLY on method execution. So the autorize tag (currently) has no way of knowing that there is an extra restriction. This would depend also on the mapping and other full configuration of your app.