Announcement Announcement Module
No announcement yet.
No security check for inherited methods. Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • No security check for inherited methods.

    I use spring-security-3.0.5 and got two class like

    class BaseClass {
    public methodOne() {
    public methodTwo(){

    class CustomeClass extends BaseClass {
    public methodThree() {

    When I call the CustomeClass.methodThree() and I am not ADMIN I get AccessDeniedException,
    but when I try to call the inherited methods nothing happens I can do it without to get the exception.

    Do I miss a configuration or its not possible with spring security to do this ?

  • #2
    Sorry, I'm having a hard time understanding what you have calling what, can you post some source of what you are doing, and what you think should be happening?


    • #3
      When I login with a user ROLE_USER and I call
      CustomeClass.methodThree() => AccessDeniedException
      but when I try to call the inherited methods from the base class
      CustomeClass.methodOne() or CustomeClass.methodTwo() there is no security exception.

      What I expect is that if I give the @PreAuthorize("hasRole('ROLE_ADMIN')") annotation on the class level then all methods inside the class including the inherited ones should have the same security restrictions.

      Its seems someone else got his problem but no aswer.


      • #4
        I believe this should work as you describe. The logic in PrePostAnnotationSecurityMetadataSource will work its way back from a method or class with an annotation to find the annotation on the declaring class. Try starting up the application with Spr Sec DEBUG logging enabled and look for log statements like this: "PreAuthorize found on: methodOne".


        • #5

          I created a sample project that demonstrates the problem.

          Start with mvn jetty:run

          Login with user bob and password bobspassword

          With @Secured annotation
          http://localhost:8080/action/callSubMethod --> OK. Access denied
          http://localhost:8080/action/callSuperMethod --> Wrong. Access allowed

          With @PreAuthorize annotation
          http://localhost:8080/action/callSubPreMethod --> OK. Access denied
          http://localhost:8080/action/callSuperPreMethod --> Wrong. Access allowed



          • #6
            I turn on the logging for spring security (,
            but it did not show to much.

            -- START LOG --
            17:12:06,250 DEBUG DelegatingMethodSecurityMetadataSource:66 - Adding security method [CacheKey[CustomeClass; public ResultClass CustomeClass.methodThree()]] with attributes [ROLE_ADMIN]

            -- CustomeClass.methodThree() CALL LOG --
            16:51:06,750 DEBUG MethodSecurityInterceptor:191 - Secure object: ReflectiveMethodInvocation: public ResultClass CustomeClass.methodThree(); target is of class [CustomeClass]; Attributes: [ROLE_ADMIN]
            16:51:06,796 DEBUG MethodSecurityInterceptor:292 - Previously Authenticated: mePasswordAuthenticationToken@46e2d0da: Principal: UserClass@364492: Username: test; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ - Fullname: Test User; User ID: 1; Authority: ROLE_READ; ; Credentials: [PROTECTED]; Authenticated: true; Details: bAuthenticationDetails@0: RemoteIpAddress:; SessionId: 62BC35A8D07E3BCDF056476E73D2B97C; Granted Authorities: ROLE_READ
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: ocationAuthorizationAdviceVoter@1a52fe6, returned: 0
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: @1ebd825, returned: -1
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: atedVoter@bb9f91, returned: 0
            16:51:06,906 DEBUG AffirmativeBased:53 - Voter: 250Voter@1e9029c, returned: -1
            16:51:07,000 ERROR RouterController:211 - Error calling method: methodThree
   ception: Access is denied

            and there is nothing about the CustomeClass.methodOne() or CustomeClass.methodTwo() .


            • #7
              I give a up for this, lets hope that someone can answer it.