Announcement Announcement Module
Collapse
No announcement yet.
My MethodSecurityInterceptor doesnt run. Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • My MethodSecurityInterceptor doesnt run.

    Hi everybody.
    I'm quite new to Spring Security, using SS 3.0.5.
    I'm trying to make MethodSecurityInterceptor call my customized AccessDecisionManager, so i configurated a new MethodSecurityInterceptor as follow:
    Here is the code:
    Code:
    <beans:bean id="methodSecurityInterceptor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
            <beans:property name="authenticationManager" ref="authenticationManagerAlias"/>
            <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
            <beans:property name="securityMetadataSource" ref="delegatingMetadataSource"/>
        </beans:bean>
        
        <beans:bean id="methodSecurityMetadataSourceAdvisor" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor"> 
            <beans:constructor-arg value="methodSecurityInterceptor"/>
            <beans:constructor-arg ref="delegatingMetadataSource"/>
            <beans:constructor-arg value="delegatingMetadataSource"/>
        </beans:bean>
        
        <beans:bean id="defaultAdvisorAutoProxyCreator" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator">
            <beans:property name="beanName" value="methodSecurityMetadataSourceAdvisor"/>
        </beans:bean>
        
        <!-- Overall Delegating Metadata Source -->
        <beans:bean id="delegatingMetadataSource" class="org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource">
            <beans:property name="methodSecurityMetadataSources">
                <beans:list>
                    <beans:ref local="prePostMetadataSource"/>
                    <beans:ref local="securedMetadataSource"/>
                </beans:list>
            </beans:property>
        </beans:bean>
        
        <!-- Spring @Secured Beans -->
        <beans:bean id="securedMetadataSource" class="org.springframework.security.access.annotation.SecuredAnnotationSecurityMetadataSource"/>
        
        <beans:bean id="prePostMetadataSource" class="org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource">
            <beans:constructor-arg ref="exprAnnotationAttrFactory"/>
        </beans:bean>
        
        <beans:bean id="exprAnnotationAttrFactory" class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory" >
            <beans:constructor-arg ref="methodExprHandler"/>
        </beans:bean>
        
        <beans:bean id="methodExprHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"/>
    in which authenticationManagerAlias and accessDecisionManager are refered to my customized AuthenticationManager and AccessDecisionManager sequently.
    I also added
    Code:
    <sec:global-method-security secured-annotations="enabled"/>
    No error, but only the default MethodSecurityInterceptor ran, not mine.

    Would you like to give me some advice. Thank you all.

  • #2
    Don't use <global-method-security /> if you are using your own explicit AOP setup. It is just a shortcut for doing this and you will end up with duplicate infrastructure beans.

    Comment


    • #3
      Thanks Luke !
      I followed your advice and my MethodSecurityInterceptor runs well !
      You saved me.

      Comment

      Working...
      X