I am also facing the same issue and moving the annotation to the impl works for me as well. But, I dont want to do that.
Any pointers on how I could get this working in the interface layer?
Again I was unable to reproduce the issue, so I will need some more guidance on how to reproduce it. If you can come up with a dummy project that reproduces your issue that would be ideal.
Thanks for your response
I will try and put a sample app today.
Incase it helps, these are the steps.
0. I am deploying my app on virgo (3.0.3.RELEASE)
1. I have a core bundle which exposes a service and has @PreAuth anotations on the interface
2. A web bundle which uses this service.
3. After I deploy and try to load the url, I am getting the below exception.
[2012-08-24 12:04:29.178] INFO http-bio-8080-exec-3 System.out org.springframework.security.access.AccessDeniedEx ception: Access is denied
[2012-08-24 12:04:29.178] INFO http-bio-8080-exec-3 System.out 252881 [http-bio-8080-exec-3] ERROR c.w.HomeController - handleAccessDeniedException####Access is denied
(attached stack trace)
what i just learnt is.. in the osgi context spring-security is not working.
1. when the authorize annotations are on interface, it always throws AccessDenied irrespective of the roles.
2. when the annotations are on impl, its allowing all users despite not having the role.
I used @preAuthorize annotations in one bundle and defined the global-security-bean in another bundle.
After I moved them to the same bundle It started working fine.
Hope this helps someone and saves some time.