Using @annotation with Spring Security Annotations

Printable View

Jun 29th, 2011, 10:02 PM
zach.marshall

Using @annotation with Spring Security Annotations

I have a service interface that has a method that looks like the following:

Code:

package com.foo.svcs; public interface FooService { @PreAuthorize("ROLE_USER") @com.foo.svcs.CustomAnnotation public void doSomething(); }

My Spring application context xml configuration file looks partially like:

HTML Code:

<bean id="foo" class="com.foo.svcs.FooServiceImpl" /> <sec:global-method-security pre-post-annotations="enabled" access-decision-manager-ref="serviceAccessDecisionManager"> <sec:expression-handler ref="expressionHandler"/> </sec:global-method-security> <aop:config> <aop:advisor pointcut="execution(* com.foo.svcs.*.*(..)) and @annotation(com.foo.svcs.CustomAnnotation)" advice-ref="aceCreator" /> </aop:config>

I've found that when using the @annotation pointcut, my advice is not executed (even when removing the execution clause). However, if I do pointcut="bean(foo)" then my advice is executed. I am wondering if the proxies that are being created for the PrePost Spring Security annotation support are "hiding" my custom annotation on the service. Is that what's happening here, or is something else wrong?
Jun 30th, 2011, 09:37 AM
palbert

If you put your annotation on your FooServiceImpl class, your advice will most likely fire (unless something else is wrong). I had that same problem, since good programing practice says that the interface should have that information, not to mention that I would forget to put it on a MockFooService. I don't understand the logic for that decision, perhaps someone with a better understanding of the internals could explain.
Jun 30th, 2011, 02:37 PM
zach.marshall

Thanks, that does indeed work. However, if I do that, then I cannot get to the annotation which is present on the class from my interceptor (which implements org.aopalliance.intercept.MethodInterceptor):

Code:

// invocation is instanceof org.aopalliance.intercept.MethodInvocation com.foo.svcs.CustomAnnotation anno = invocation.getMethod().getAnnotation(com.foo.svcs.CustomAnnotation.class); Assert.assertNotNull(anno); //this fails, as the annotation is not present on the method invocation

Would switching to AspectJ aspects and advice allow me to capture that annotation when it is on the class?