
  • @Secured annotation not working with gwt-sl

    Hi

    I have added Spring Security and gwt-sl to my GWT app. I have
    succeeded in implementing URL-level security but am not able to apply
    method-level security. Can you please help me understand what is wrong
    in the following code:
    ----------------------------------------------
    web.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

    <web-app>
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml</param-value>
    </context-param>
    <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <!-- Servlets -->
    <servlet>
    <servlet-name>handler</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>handler</servlet-name>
    <url-pattern>/greetings/rpc/*</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
    <welcome-file>Greetings.html</welcome-file>
    </welcome-file-list>
    </web-app>

    -------------------------------------------------------
    handler-servlet.xml:


    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="urlMapping"
    class="org.gwtwidgets.server.spring.GWTHandler">
    <property name="mappings">
    <map>
    <entry key="/greet" value-ref="greetService" />
    </map>
    </property>
    </bean>

    <bean id="greetService" class="pkg.java.GreetServiceImpl"/>

    </beans>

    ------------------------------------------------

    applicationContext.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:p="http://www.springframework.org/schema/p"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schem...ring-beans.xsd
    http://www.springframework.org/schema/context
    http://www.springframework.org/schem...ng-context.xsd
    http://www.springframework.org/schema/aop
    http://www.springframework.org/schem...spring-aop.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security.xsd">
    <global-method-security pre-post-annotations="disabled"
    secured-annotations="enabled" jsr250-annotations="enabled"/>
    <http auto-config="true">
    <intercept-url pattern="/**/*.html" access="ROLE_USER"/>
    <form-login login-page="/login.jsp"/>
    </http>

    <authentication-manager alias="authenticationManager">
    <authentication-provider>
    <user-service>
    <user name="admin" password="secret"
    authorities="ROLE_ADMIN, ROLE_USER"/>
    <user name="user" password="user" authorities="ROLE_USER"/>
    </user-service>
    </authentication-provider>
    </authentication-manager>
    </beans:beans>
    ---------------------------------------------


    I have secured the greetServer method using @Secured("ROLE_ADMIN") but
    I'm still able to access the method when I log in with "user".


    Please help me figure out the issues in the above code.

    Thanks
    Amit Khanna

  • #2
    See this FAQ for the most likely cause.



    • #3
      Hi Luke,

      Thanks for the link to FAQ.

      I'm a beginner with the Spring framework, so I do not completely understand the meaning of the following line in the FAQ answer:
      "The beans in the child context are not visible in the parent context so you need to either move the <global-method-security> declaration to the web context or move the beans you want secured into the main application context."
      Does this mean that I'll have to move all my beans to a single applicationContext.xml file?

      Thanks
      Amit Khanna



      • #4
        It means that you need to define your global-method-security declaration and the beans you want to secure in the same context. One context is defined by contextConfigLocation and the other is defined by the DispatcherServlet (i.e. handler-servlet.xml). So both the global-method-security and GreetServiceImpl should be loaded by the same context.



        • #5
          Thanks All.

          I moved the service beans to applicationContext.xml and it worked fine.


          Regards
          Amit Khanna
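
The fix from #4 and #5 as configuration, added here as an illustration and not posted by any participant in the thread: the secured bean is declared in the same context as global-method-security, and the DispatcherServlet context only references it. Bean ids, class names and attributes are the ones from the first post.

```xml
<!-- applicationContext.xml (root context, loaded by ContextLoaderListener) -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Method security only advises beans defined in this same context -->
    <global-method-security pre-post-annotations="disabled"
        secured-annotations="enabled" jsr250-annotations="enabled"/>

    <!-- Moved here from handler-servlet.xml so @Secured is enforced on it -->
    <beans:bean id="greetService" class="pkg.java.GreetServiceImpl"/>

    <!-- <http> and <authentication-manager> stay as in the first post -->
</beans:beans>

<!-- handler-servlet.xml (child context, loaded by DispatcherServlet "handler") -->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd">

    <bean id="urlMapping" class="org.gwtwidgets.server.spring.GWTHandler">
        <property name="mappings">
            <map>
                <!-- Resolves to the parent-context bean, which now carries the security proxy -->
                <entry key="/greet" value-ref="greetService"/>
            </map>
        </property>
    </bean>
    <!-- greetService is no longer declared in this file -->
</beans>
```

The alternative named in the FAQ quote in #3 is the reverse move: keep greetService in handler-servlet.xml and declare global-method-security there instead.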
