...but it is working in my service layer. It has to be something with my configuration but I can't seem to figure it out. Another set of eyes might help:
security config:
Code:
<global-method-security secured-annotations="enabled" />

<http use-expressions="true" access-denied-page="/accessDenied.jsp">
    <intercept-url pattern="/accessDenied.jsp" filters="none" />
    <intercept-url pattern="/login.jsp" filters="none" />
    <intercept-url pattern="/resources/**" filters="none" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1" />
    <logout logout-success-url="/login.jsp?logout=1"/>
</http>
...

The intercept url for /** may be the (or one of the) problem(s) but even when I remove it I still am able to get to the controller on a method I secured with an annotation:
Code:
@Secured ("ROLE_ADMIN")
@RequestMapping(value="/DeleteRoot", method=RequestMethod.GET)
public ModelAndView deleteRoot(@RequestParam(value="rootToDelete") long rootId) {
    Node rootNode = nodeService.getNode(rootId);
    if (!rootNode.isPublished()) {
        nodeService.deleteRoot(rootId);
    }
    return home();
}

Just out of curiosity I added the annotation to my service and it worked (meaning I got a 403 Access is denied error as I would have expected):
Code:
@Secured ("ROLE_ADMIN")
public void deleteRoot(long rootId) {
    nodeDAO.deleteNode(rootId);
}

So my question is how come it works in my service but not in the controller? What am I missing? Thanks to anyone who can provide some direction. I am using Spring Security 3.0.5, Spring 3.0.5.


