Can @Secured be applied to Controller methods?

Printable View

Oct 7th, 2009, 02:38 PM
honeybunny

Can @Secured be applied to Controller methods?

I am trying to apply @Secured annotations to my controller methods, but it does not seem to be working. Is there something that I am doing wrong? I have my spring security config in a separate file, is there any chance that the "global-method-security" annotation needs to be read before the controller definition is loaded?

I have enabled global method security:

Code:

<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/>

I have a web controller method

Code:

public class CreateUserController extends AbstractMultiActionController implements ICreateUserController { @Secured(MyPermissions.USER_ADD) public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception { ... } }

I even created a security annotated interface in case that was somehow required:

Code:

public interface ICreateUserController { @Secured(MyPermissions.USER_ADD) public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception; @Secured(MyPermissions.USER_ADD) public ModelAndView create(HttpServletRequest request, HttpServletResponse response) throws Exception; }
Oct 8th, 2009, 01:43 AM
Marten Deinum

And another one.

Read chapter 6.6.1 of the spring reference guide.

Short answer: you can only intercept method calls INTO the object. the MultiActionController only has one externally callable method handleRequest. All other method calls are INTERNAL and cannot be intercepted.

For more information use the search and read the reference guide.
Oct 8th, 2009, 10:23 AM
honeybunny

Thank you so much! -- Yes that explains it. MultiActionController invokes my various controller action methods via introspection on the delegate (which by default is the controller itself).

This also explains why none of my transactional controller methods are working. In fact, I had asked this same question before in a different form (and totally forgotten the excellent answer provided by Denis Zhdanov):
http://forum.springsource.org/showthread.php?t=63843

After reading MultiActionController.java I am going to try calling setDelegate() to an inner class which is annotated. In theory, if the inner class gets a dynamic proxy put around it, when the container loads it, then the security (and probably transaction) annotations will be applied:

basically:

Code:

public class MyWebController extends MultiActionController { public class InnerProxy { @Secured({ROLE_A, ROLE_B}); public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception { MyWebController.fetch() } public ModelAndView fetch(HttpServletRequest request, HttpServletResponse response) throws Exception { ... } }

Previously, I had though that I just did not "turn on" enough AOP stuff in order to decorate the class. I was in the process of trying to figure out if a dynamic proxy was created for my controller class. Is there an easy way to tell, perhaps some kind of logging option I can enable?
Oct 8th, 2009, 10:48 AM
honeybunny

Oh silly me, my inner class didn't get a proxy put on it, because it was not loaded by spring.
With controllers the rule seems to be (effectively) AspectJ or nothing.