Url seems to be secured properly, but authorize tag doesn't show correct result.
I have a controller secured with:
Code:
@PreAuthorize("hasRole('ROLE_USER')")
and a jsp with a link to that controller:
Code:
<sec:authorize url='/api/example'>You can currently access <a href="/api/example">"/api/example"</a>.</sec:authorize>
In that configuration:
If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied. However, the link still appears on the jsp.
If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed through.
So the underlying spring-security config appears to be good, but something is off with the taglib.
My next step was to try removing the PreAuthorize tag from the controller, and just dump it into the security-config:
Code:
<intercept-url pattern="/api/example" access="hasAnyRole('ROLE_USER')"/>
In that configuration:
If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied and the link disappears from the jsp.
If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed and the link appears in the jsp.
Any thoughts as to what I've misconfigured?
Additionally, some relevant bits in the config files follow.
In security-config:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    <global-method-security pre-post-annotations="enabled" />
In mvc-config:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    <context:component-scan base-package="package.web" />
    <security:global-method-security pre-post-annotations="enabled" />
    <mvc:annotation-driven />
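
The two configurations in this post exercise different layers: `<sec:authorize url="...">` asks the WebInvocationPrivilegeEvaluator, which evaluates only `<intercept-url>` rules, while `@PreAuthorize` is enforced when the controller method is invoked. The fragment below is an added example, not part of the original post; it assumes an `<http use-expressions="true">` element (implied by the post's `hasAnyRole(...)` rule) and shows the URL rule kept alongside the annotation, plus the tag's `access` attribute as an alternative.

```xml
<!-- security-config (default namespace is spring-security, as in the post).
     Assumption: the <http> element already exists and uses expressions. -->
<http use-expressions="true">
    <!-- URL layer. <sec:authorize url="/api/example"> is decided here:
         the tag hands the URL to the WebInvocationPrivilegeEvaluator, which
         checks it against these intercept-url rules only. By default a URL
         with no matching rule is treated as accessible, so the link renders. -->
    <intercept-url pattern="/api/example" access="hasRole('ROLE_USER')"/>
    <!-- existing login configuration and other intercept-url rules go here -->
</http>

<!-- Method layer. @PreAuthorize("hasRole('ROLE_USER')") on the controller is
     enforced at method invocation; keeping it gives a second check if a URL
     pattern is later changed or missed. Declared in mvc-config (as in the
     post, with the security: prefix) so it applies to the controllers. -->
<security:global-method-security pre-post-annotations="enabled"/>

<!-- JSP, option 1: URL-based check, now backed by the intercept-url rule. -->
<sec:authorize url="/api/example">
    You can currently access <a href="/api/example">/api/example</a>.
</sec:authorize>

<!-- JSP, option 2: evaluate the same expression directly in the tag,
     independent of any URL rule. -->
<sec:authorize access="hasRole('ROLE_USER')">
    You can currently access <a href="/api/example">/api/example</a>.
</sec:authorize>
```

In either option the tag only controls whether the link is rendered; the `<intercept-url>` rule and `@PreAuthorize` remain the actual enforcement points.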