Security annotations are not working

  • #1

    Hi Guys,

    Here is my applicationContext-security.xml

    Code:
    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

    <http use-expressions="true">
        <intercept-url pattern="/user_authenticated.jsp" access="isAuthenticated()" />
        <intercept-url pattern="/supervisor.jsp" access="hasRole('ROLE_SUPERVISOR')" />
        <intercept-url pattern="/teller.jsp" access="hasRole('ROLE_TELLER')" />
        <intercept-url pattern="/user.jsp" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="permitAll" />
        <form-login login-page='/login.jsp' />
        <logout />
        <remember-me />
        <!--
            Uncomment to enable X509 client authentication support <x509 />
        -->
        <!-- Uncomment to limit the number of sessions a user can have -->
        <session-management invalid-session-url="/timeout.jsp">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>
    </http>
    My Interface

    Code:
    import org.springframework.security.access.annotation.Secured;

    public interface Form {

        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Servlet

    Code:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class Test extends HttpServlet implements Form {

        private static final long serialVersionUID = -5622047352415764390L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            doPost(req, resp);
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String name = req.getParameter("name");
            Integer age = Integer.parseInt(req.getParameter("age"));

            // called directly on this servlet instance
            processUser(name, age);
        }

        @Override
        public void processUser(String name, Integer age) {
            System.out.println("Name is : " + name);
            System.out.println("Age is : " + age);
        }
    }
    Even if I log in with any other role except ROLE_TELLER, the values (name and age) still get printed. It ignores the authorization.

    What needs to be done to fix this? Any help will be greatly appreciated.

  • #2
    I faced a similar problem too, and I see in the logs there is nothing even related to Spring Security:

    Code:
    INFO: Initializing Spring FrameworkServlet 'rva'
    INFO [org.springframework.web.servlet.DispatcherServlet] - FrameworkServlet 'rva': initialization started
    INFO [org.springframework.web.context.support.XmlWebApplicationContext] - Refreshing WebApplicationContext for namespace 'rva-servlet': startup date [Fri Mar 26 10:28:51 MDT 2010]; parent: Root WebApplicationContext
    INFO [org.springframework.beans.factory.xml.XmlBeanDefinitionReader] - Loading XML bean definitions from ServletContext resource [/WEB-INF/rva-servlet.xml]
    INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@a2fc31: defining beans [loginController,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,freemarkerConfig,viewResolver]; parent: org.springframework.beans.factory.support.DefaultListableBeanFactory@cc74e7
    INFO [org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer] - ClassTemplateLoader for Spring macros added to FreeMarker configuration
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure.*] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure/] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login.*] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.DispatcherServlet] - FrameworkServlet 'rva': initialization completed in 417 ms
    Mar 26, 2010 10:28:52 AM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    Mar 26, 2010 10:28:52 AM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:8009
    Mar 26, 2010 10:28:52 AM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/31  config=null
    Mar 26, 2010 10:28:52 AM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 1873 ms
    WARN [org.springframework.web.servlet.PageNotFound] - No mapping found for HTTP request with URI [/rva-web/] in DispatcherServlet with name 'rva'



  • #3
    You're using Spring EL expressions as an authorization mechanism.

    Your original interface uses @Secured:
    Code:
    import org.springframework.security.access.annotation.Secured;

    public interface Form {

        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Try the following instead:
    Code:
    import org.springframework.security.access.prepost.PreAuthorize;

    public interface Form {

        @PreAuthorize("hasAuthority('ROLE_TELLER')")
        public void processUser(String name, Integer age);
    }



  • #4
    Originally posted by skram
    You're using Spring EL expressions as an authorization mechanism.

    Your original interface uses @Secured:
    Code:
    import org.springframework.security.access.annotation.Secured;

    public interface Form {

        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Try the following instead:
    Code:
    import org.springframework.security.access.prepost.PreAuthorize;

    public interface Form {

        @PreAuthorize("hasAuthority('ROLE_TELLER')")
        public void processUser(String name, Integer age);
    }
    Nope, even with @PreAuthorize it doesn't work...



  • #5
    You are using Spring Security and expecting a non-Spring-managed bean to be protected; that isn't going to work. The servlet is outside the scope of Spring, so it will not be proxied and no security will be applied.

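A concrete way to apply what #5 says, added here as an example and not code from this thread or from the Spring project: keep the @Secured contract, move its implementation into a bean that Spring creates (a hypothetical FormServiceImpl registered as formService in the same context that declares <global-method-security>), and have the servlet look that bean up and call through it, so the call passes the method-security proxy. Three files are shown in one listing; the class and bean names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Form.java: the secured contract, unchanged from the thread.
public interface Form {
    @Secured("ROLE_TELLER")
    void processUser(String name, Integer age);
}

// FormServiceImpl.java (hypothetical name): a Spring-managed bean declared in the
// SAME context as <global-method-security>, e.g. in applicationContext-security.xml:
//   <bean id="formService" class="FormServiceImpl" />
public class FormServiceImpl implements Form {
    public void processUser(String name, Integer age) {
        System.out.println("Name is : " + name);
        System.out.println("Age is : " + age);
    }
}

// TellerServlet.java (hypothetical name): does not implement Form itself; it calls
// the proxied bean, so the @Secured check runs on every call.
public class TellerServlet extends HttpServlet {
    private Form form;

    @Override
    public void init() throws ServletException {
        // The root WebApplicationContext loaded by ContextLoaderListener holds the proxy.
        WebApplicationContext ctx =
            WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
        form = ctx.getBean("formService", Form.class);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        Integer age = Integer.valueOf(req.getParameter("age"));
        try {
            form.processUser(name, age); // interceptor rejects callers without ROLE_TELLER
        } catch (AccessDeniedException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

The check only fires for calls that enter through the proxy: a method calling another @Secured method on the same object (as the original servlet did with processUser) is never intercepted, and the springSecurityFilterChain must still be mapped to the servlet's URL so the SecurityContext is populated.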


  • #6
    Originally posted by Marten Deinum
    You are using Spring Security and expecting a non-Spring-managed bean to be protected; that isn't going to work. The servlet is outside the scope of Spring, so it will not be proxied and no security will be applied.
    Hi,

    Thanks for your reply. I don't have much knowledge of Spring. Can you kindly tell me how I can get this fixed?



  • #7
    See if this thread can help: http://forum.springsource.org/showthread.php?p=351264
