
Thread: Security annotations are not working

  1. #1
    Join Date
    Nov 2007
    Posts
    7

    Security annotations are not working

    Hi Guys,

    Here is my applicationContext-security.xml

    Code:
    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />

    <http use-expressions="true">
        <intercept-url pattern="/user_authenticated.jsp" access="isAuthenticated()" />
        <intercept-url pattern="/supervisor.jsp" access="hasRole('ROLE_SUPERVISOR')" />
        <intercept-url pattern="/teller.jsp" access="hasRole('ROLE_TELLER')" />
        <intercept-url pattern="/user.jsp" access="hasRole('ROLE_USER')" />
        <intercept-url pattern="/**" access="permitAll" />
        <form-login login-page='/login.jsp' />
        <logout />
        <remember-me />
        <!--
            Uncomment to enable X509 client authentication support <x509 />
        -->
        <!-- Uncomment to limit the number of sessions a user can have -->
        <session-management invalid-session-url="/timeout.jsp">
            <concurrency-control max-sessions="1"
                error-if-maximum-exceeded="true" />
        </session-management>

    </http>
    My Interface

    Code:
    import org.springframework.security.access.annotation.Secured;

    public interface Form {

        // Only callers holding ROLE_TELLER may invoke this method
        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Servlet

    Code:
    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class Test extends HttpServlet implements Form {

        private static final long serialVersionUID = -5622047352415764390L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            doPost(req, resp);
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String name = req.getParameter("name");
            Integer age = Integer.parseInt(req.getParameter("age"));

            // calls the servlet's own implementation directly
            processUser(name, age);
        }

        @Override
        public void processUser(String name, Integer age) {
            System.out.println("Name is : " + name);
            System.out.println("Age is : " + age);
        }
    }
    Even if I log in with any role other than ROLE_TELLER, the values (name and age) still get printed. It ignores the authorization.

    What needs to be done to fix this? Any help will be greatly appreciated.

  2. #2


    Even I faced a similar problem, and I see in the logs there is nothing even related to spring-security:

    Code:
    INFO: Initializing Spring FrameworkServlet 'rva'
    INFO [org.springframework.web.servlet.DispatcherServlet] - FrameworkServlet 'rva': initialization started
    INFO [org.springframework.web.context.support.XmlWebApplicationContext] - Refreshing WebApplicationContext for namespace 'rva-servlet': startup date [Fri Mar 26 10:28:51 MDT 2010]; parent: Root WebApplicationContext
    INFO [org.springframework.beans.factory.xml.XmlBeanDefinitionReader] - Loading XML bean definitions from ServletContext resource [/WEB-INF/rva-servlet.xml]
    INFO [org.springframework.beans.factory.support.DefaultListableBeanFactory] - Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@a2fc31: defining beans [loginController,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.context.annotation.internalRequiredAnnotationProcessor,org.springframework.context.annotation.internalCommonAnnotationProcessor,freemarkerConfig,viewResolver]; parent: org.springframework.beans.factory.support.DefaultListableBeanFactory@cc74e7
    INFO [org.springframework.web.servlet.view.freemarker.FreeMarkerConfigurer] - ClassTemplateLoader for Spring macros added to FreeMarker configuration
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure.*] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/secure/] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login.*] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping] - Mapped URL path [/login/] onto handler [com.cable.comcast.neto.nse.rva.controller.LoginController@79b32a]
    INFO [org.springframework.web.servlet.DispatcherServlet] - FrameworkServlet 'rva': initialization completed in 417 ms
    Mar 26, 2010 10:28:52 AM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    Mar 26, 2010 10:28:52 AM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:8009
    Mar 26, 2010 10:28:52 AM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/31  config=null
    Mar 26, 2010 10:28:52 AM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 1873 ms
    WARN [org.springframework.web.servlet.PageNotFound] - No mapping found for HTTP request with URI [/rva-web/] in DispatcherServlet with name 'rva'

  3. #3
    Join Date
    Dec 2010
    Posts
    315


    You're using Spring EL expressions as an authorization mechanism.

    Your original interface uses @Secured
    Code:
    public interface Form {
    
        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Try the following instead:
    Code:
    public interface Form {
    
        @PreAuthorize("hasAuthority('ROLE_TELLER')")
        public void processUser(String name, Integer age);
    }

  4. #4
    Join Date
    Nov 2007
    Posts
    7


    Quote Originally Posted by skram
    You're using Spring EL expressions as an authorization mechanism.

    Your original interface uses @Secured
    Code:
    public interface Form {
    
        @Secured("ROLE_TELLER")
        public void processUser(String name, Integer age);
    }
    Try the following instead:
    Code:
    public interface Form {
    
        @PreAuthorize("hasAuthority('ROLE_TELLER')")
        public void processUser(String name, Integer age);
    }
    Nope, even with @PreAuthorize it doesn't work...

  5. #5
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    You are using Spring Security and expecting a non-Spring-managed bean to be protected; that isn't going to work. The servlet is outside the scope of Spring, so it will not be proxied and no security will be applied.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide?
    Use the [ code ] tags, young padawan
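An added example (not from this thread or from Spring's own code) of the fix Marten describes: keep the @Secured Form interface from post #1, implement it in a Spring-managed bean, and have the servlet look that bean up from the root WebApplicationContext instead of implementing Form itself, so the method-security proxy sits between the servlet and processUser(). The FormService class and its bean id are assumptions, as is Spring 3.0+ (getBean(Class)) with the security XML loaded by ContextLoaderListener.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.context.support.WebApplicationContextUtils;

// Spring-managed implementation of the thread's Form interface, which carries
// @Secured("ROLE_TELLER") on processUser. Registered in the root context as
//   <bean id="formService" class="FormService"/>   (assumed id and package)
// so <global-method-security> can wrap it in a proxy that checks the role.
class FormService implements Form {
    @Override
    public void processUser(String name, Integer age) {
        System.out.println("Name is : " + name);
        System.out.println("Age is : " + age);
    }
}

// The servlet no longer implements Form; it delegates to the proxied bean.
public class Test extends HttpServlet {
    private Form form;

    @Override
    public void init() throws ServletException {
        // Root WebApplicationContext = the one ContextLoaderListener built from
        // the security XML; getBean returns the secured proxy, not the raw object.
        form = WebApplicationContextUtils
                .getRequiredWebApplicationContext(getServletContext())
                .getBean(Form.class);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        Integer age = Integer.valueOf(req.getParameter("age"));
        try {
            // The MethodSecurityInterceptor runs here, before the bean's code.
            form.processUser(name, age);
        } catch (AccessDeniedException e) {
            // Caller lacks ROLE_TELLER: nothing is printed, client gets 403.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

The springSecurityFilterChain must run on the request (the `/**` permitAll rule in post #1 covers this) so that the SecurityContext is populated before the servlet calls the bean.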

  6. #6
    Join Date
    Nov 2007
    Posts
    7


    Quote Originally Posted by Marten Deinum
    You are using Spring Security and expecting a non-Spring-managed bean to be protected; that isn't going to work. The servlet is outside the scope of Spring, so it will not be proxied and no security will be applied.
    Hi,

    Thanks for your reply. I don't have much knowledge of Spring. Can you kindly tell me how I can get this fixed?

  7. #7
    Join Date
    Dec 2010
    Posts
    26
