Spring Security problem with using @PreAuthorize("hasPermission(....

I am new to spring security and I'm trying to implement @PreAuthorize("hasPermission(#something, 'write')") on a method. I believe I have configured everything correctly (see config below) however whenever I use @PreAuthorize("hasPermission( my app no longer loads, if I remove it everything is fine.

I have utilized some of the elements of spring-security such as general Authentication, hasRole, etc.

I am using spring 3.1 and spring-security 3.1.2

spring-security.xml

Code:

---

<beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <global-method-security pre-post-annotations="enabled">
                <expression-handler ref="expressionHandler"/>
        </global-method-security>
       
       
    <http auto-config="true" access-denied-page="/accessDenied.jsp" use-expressions="true">
           
                <form-login login-page="/login.htm" default-target-url="/loginSuccess.htm"
                        authentication-failure-url="/loginfailed.htm" />
                <logout logout-success-url="/login.htm" />

   
    </http>       
       
        <authentication-manager>
                <authentication-provider>
               
                <password-encoder hash="md5" />
                <jdbc-user-service data-source-ref="dataSource"
 
                    users-by-username-query="
                      select login as username,trim(password)...."/>
                </authentication-provider>
        </authentication-manager>
</beans:beans>

---

applicationContext.xml

Code:

---

....
  <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="applicationUserPermission"/>
  </bean>       
       
  <bean id="applicationUserPermission" class="com.hwa.security.ApplicationUserPermissionEvaluator"/>
....

---

Evaluator implementation:

Code:

---

public class ApplicationUserPermissionEvaluator implements PermissionEvaluator {

        public boolean hasPermission(Authentication auth, Object target, Object permission) {
                boolean hasPermission = true;
                if (target instanceof ApplicationUser){
                        ApplicationUser applicationUser = (ApplicationUser) target; ......

---

Use of annotation

Code:

---

        @PreAuthorize("hasPermission(#applicationUser, 'write')")
        public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {....}

---

The error is generic but here it is (note if I remove the hasPermission above the app loads):

Code:

---

INFO: Closing Hibernate SessionFactory
Sep 28, 2012 12:54:16 PM org.apache.catalina.core.StandardContext listenerStart
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
java.lang.OutOfMemoryError: Java heap space
        at java.util.Arrays.copyOf(Arrays.java:2882)
        at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:100)
        at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:390)
        at java.lang.StringBuffer.append(StringBuffer.java:224)
        at java.io.StringWriter.write(StringWriter.java:95)
        at java.io.PrintWriter.write(PrintWriter.java:412)
        at java.io.PrintWriter.write(PrintWriter.java:429)
        at java.io.PrintWriter.print(PrintWriter.java:559)
        at java.io.PrintWriter.println(PrintWriter.java:695)
        at java.lang.Throwable.printStackTrace(Throwable.java:512)
        at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:176)
        at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:180)
        at java.util.logging.SimpleFormatter.format(SimpleFormatter.java:72)
        at java.util.logging.StreamHandler.publish(StreamHandler.java:179)
        at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:88)
        at java.util.logging.Logger.log(Logger.java:478)
        at java.util.logging.Logger.doLog(Logger.java:500)
        at java.util.logging.Logger.logp(Logger.java:700)
        at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:101)
        at org.apache.commons.logging.impl.Jdk14Logger.error(Jdk14Logger.java:149)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:307)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:675)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:601)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)

---

Thanks in advanced,

Keith

Keith, have you tried increasing the heap size to see if the app starts? Using the annotation may push the memory usage over the current limit since it has to create proxies around method calls.

Code:

---

-Xms256m -Xmx512m

---

Thanks for the reply.

I changed from
-Xmn128m
-Xms256m
-Xmx768m
-Xss1m
-XX:PermSize=128m
-XX:MaxPermSize=384m

to

-Xmn128m
-Xms1024m
-Xmx1024m
-Xss2m
-XX:PermSize=128m
-XX:MaxPermSize=512m

Still received the same error... let me know if I should increase it further and perhaps to what.

Hmm, I don't think you need to increase it further. I'm not sure what the problem is then. To narrow down the cause of the problem, does the error occur when change the expression from "hasPermission(#applicationUser, 'write')" to something else? If that doesn't work, try with a different expression and don't set the custom permission evaluator. You can also try debugging to see what bean it's working on when the error happens. Good luck!

I tried something slightly different that I assumed would cause the same outcome... and it did.

I commented out all of my xml configs that I mentioned before and attempted to use the inline logic and still received the same error.

Code:

---

        @PreAuthorize("#applicationUser.login == authentication.name")
        public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {...}

---

What if you are not using the custom PermissionEvaluator?

Turns out my logging wasn't receiving the errors generated by spring, once I fixed that I was able to see the "real" error. My actual error dealt with proxying a proxy, and I was able to get around that. Thanks for all your help.

Keith