  • SpringSecurity @PreAuthorize with JEE6 CDI-BEAN ?

    Hello,

    I have configured my JEE6 WebApp to use SpringSecurity for authentication. Login is already working.
    Now I would like to secure my methods with @PreAuthorize.
    Although my user does not have the correct role, he is still able to call the method.
    It seems like @PreAuthorize is not recognized with my CDI bean?

    My Bean:
    Code:
    @Model
    public class MyAuthenticator {
    	
    	private String anonym="Sample Text!";
    	
    	@PreAuthorize("hasRole('ROLE_TEST')")
    	public void setAnonym(){
    		anonym="Anonym Button: "+getTime();
    	}
    ...
    }
    I have added following to my spring-security.xml:
    Code:
    <global-method-security pre-post-annotations="enabled" />
    The method is called from myAuthenticator.xhtml
    Code:
    ...
    	<h:commandButton type="submit" action="#{myAuthenticator.setAnonym}" value="setAnonym" />
    ...

  • #2
    CDI Bean != Spring Bean... Spring Security will only protect beans that are under the control of Spring; it will not protect beans created outside the scope of the Spring container. So basically your @PreAuthorize is useless...

    Make the @Model annotated bean a Spring bean and use Spring's JSF integration (check the reference guide) to retrieve it from the application context.

    • #3
      Thanks a lot for the fast reply.
      I supposed that mixing of technologies was the problem.

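Reply #2's point as an added example (not code from the thread): Spring enforces @PreAuthorize through a proxy that it wraps around beans it creates, so an instance built outside the container, as CDI does, runs the method with no check. Assumptions: spring-context and Spring Security 5.6 or later on the classpath; the names PreAuthorizeProxyDemo and SecurityConfig, the user "alice" and the fixed string set by setAnonym() are constructed, and Java config stands in for the thread's spring-security.xml.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class PreAuthorizeProxyDemo {
    // Same shape as the bean in the question, without the CDI @Model annotation.
    public static class MyAuthenticator {
        private String anonym = "Sample Text!";
        @PreAuthorize("hasRole('ROLE_TEST')")
        public void setAnonym() { anonym = "Anonym Button pressed"; }
        public String getAnonym() { return anonym; }
    }

    @Configuration
    @EnableMethodSecurity // assumption: Spring Security 5.6+, pre/post annotations on by default
    public static class SecurityConfig {
        @Bean
        public MyAuthenticator myAuthenticator() { return new MyAuthenticator(); }
    }

    public static void main(String[] args) {
        // Constructed login: an authenticated user who lacks ROLE_TEST.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_USER"));

        // 1) Instance created outside Spring (what the CDI container does): plain object, no check.
        MyAuthenticator unmanaged = new MyAuthenticator();
        unmanaged.setAnonym();
        System.out.println("unmanaged " + unmanaged.getClass().getName() + ": call went through");

        // 2) Instance handed out by the Spring context: a proxy that evaluates @PreAuthorize first.
        try (AnnotationConfigApplicationContext ctx =
                     new AnnotationConfigApplicationContext(SecurityConfig.class)) {
            MyAuthenticator managed = ctx.getBean(MyAuthenticator.class);
            System.out.println("managed class: " + managed.getClass().getName());
            try {
                managed.setAnonym();
                System.out.println("managed: call went through");
            } catch (AccessDeniedException e) {
                System.out.println("managed: access denied, anonym still \"" + managed.getAnonym() + "\"");
            }
        }
    }
}
```

Comparing the two printed class names is a quick check in a real application: if the object a JSF page resolves is the plain class rather than a Spring-generated proxy subclass, method security is not being applied to it.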