Announcement Announcement Module
Collapse
No announcement yet.
Spring MVC @Controller and Spring Security @PreAuthorize seems to be divorced. Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring MVC @Controller and Spring Security @PreAuthorize seems to be divorced.

    Hello everyone:

    I have a project in which I'm using Spring MVC and Spring Security and I have an issue that is getting me crazy. I have a controller which I have annotated with @Controller and a method inside annotated with @RequestMapping to map it to an URL. The problem comes when I try to establish the access to this method based on roles with the @PreAuthorize annotation.

    I have this in my context file *-servlet.xml:

    Code:
    <sec:global-method-security pre-post-annotations="enabled" />
    and I can see in the logs that the code is injected:

    Code:
    218481 DEBUG PrePostAnnotationSecurityMetadataSource  - @org.springframework.security.access.prepost.PreAuthorize(value=hasRole('ROLE_ADMINISTRATION')) found on specific method: public java.util.List com.example.services.UserServiceImpl.findAll()
    However, I debugged the application and I could see that the UserServiceImpl instance that is used by the Controller is different from the instance that is injected by Spring Security. That's why the controller is accessed without restrictions and the PreAuthorize annotation seems to be not working.

    Any idea? Am I doing anything wrong?

  • #2
    I fyou have different instances you have multiple instances and probably due to component-scanning which instantiates everything twice (once for the ContextLoaderListener and once for the DispatcherServlet).

    Comment

    Working...
    X