Jul 6th, 2011, 02:12 PM
@Secured Is Not Working As Expected
I have the <global-method-security secured-annotations="enabled" />
defined in the security context.xml file.
Then, I annotated a method with @Secured("ADMIN"), but regardless of the role I log in with, the method runs anyway!
I've tried using pointcuts as an alternative, but that didn't work either.
Any ideas why this would be happening would be appreciated.
Jul 6th, 2011, 04:59 PM
Did you look at the FAQ? How are you creating the object that is annotated?
Jul 7th, 2011, 05:32 AM
Yes, but this didn't resolve the issue.
Jul 7th, 2011, 08:22 AM
Ok, so then....
Originally Posted by LondonM
You either need to use AspectJ or ensure that Spring is creating the object for you. As the FAQ mentions, your global-method-security should be in the same context as your secured bean.
Originally Posted by rwinch
Jul 7th, 2011, 08:34 AM
The global security tag is in the security context xml file.
The beans are auto-generated by Spring so are you saying the global security tag needs to be somewhere else? I tried to put it in the web context xml, but the syntax was marked as an error for that file.
I also tried creating an aspect, but that didn't work either.
Still missing something here...
Jul 7th, 2011, 08:39 AM
Using code tags please post the following:
Spring configuration files
Class that is annotated with @Secured
Class that is using the class that is annotated with @Secured
You may also want to enable logging and view the logs to see if that helps. If it doesn't it may be good to post the logs too.
Jul 7th, 2011, 08:55 AM
I totally appreciate your help here.
Unfortunately, I'm constrained with what files I can post publicly.
Thanks very much for your help.
Jul 7th, 2011, 11:19 PM
You might try to come up with a minimal example that demonstrates your problem and then post that. This may also help you figure out what is wrong.
Jul 8th, 2011, 05:16 AM
Jul 8th, 2011, 05:48 AM
Since creating an example application with Spring security, MVC, etc., enabled, would also be time consuming, I'm wondering if there's a simple way to turn on "Spring Logging" so I can glean some details.
I don't think log4J will work since none of my catch blocks ... "catch" anything when I go to the 403 page.
So, in Spring 3, is there a "simple way" to turn on logging so I can see what's going on? I also can't see that the user is injected into the class so it's virtually impossible to understand why the @Secured method is failing.
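An added illustration (not code from any poster in this thread) of the point raised above about how the annotated object is created: annotation-based method security is enforced by a proxy wrapped around the bean, so an instance reached without that proxy runs unchecked. The sketch uses a JDK dynamic proxy to imitate that interception; the `Secured` annotation here is a simplified stand-in for Spring Security's, and `ReportService`, `ReportServiceImpl` and `secure` are hypothetical names.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class SecuredProxyDemo {
    // Simplified stand-in for Spring Security's @Secured (assumption, demo only).
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Secured { String[] value(); }

    interface ReportService { String deleteAll(); }

    static class ReportServiceImpl implements ReportService {
        @Secured("ADMIN")
        public String deleteAll() { return "deleted"; }
    }

    // Imitates what a container does for beans it creates in a context where
    // method security is enabled: wrap the target in a proxy that checks roles.
    static ReportService secure(final ReportService target, final Set<String> callerRoles) {
        InvocationHandler handler = new InvocationHandler() {
            public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
                // The annotation sits on the implementation, so look it up there.
                Method impl = target.getClass().getMethod(m.getName(), m.getParameterTypes());
                Secured s = impl.getAnnotation(Secured.class);
                if (s != null && Collections.disjoint(callerRoles, Arrays.asList(s.value()))) {
                    throw new SecurityException("Access is denied: " + m.getName());
                }
                try { return m.invoke(target, args); }
                catch (InvocationTargetException e) { throw e.getCause(); }
            }
        };
        return (ReportService) Proxy.newProxyInstance(
            ReportService.class.getClassLoader(), new Class<?>[] { ReportService.class }, handler);
    }

    public static void main(String[] args) {
        Set<String> roles = Collections.singleton("USER"); // constructed caller without ADMIN

        // Created with "new" (or in a context with no method security): no proxy, no check.
        ReportService direct = new ReportServiceImpl();
        System.out.println("direct:  " + direct.deleteAll());

        // Same class behind the checking proxy: the annotation is now enforced.
        ReportService proxied = secure(new ReportServiceImpl(), roles);
        try { System.out.println("proxied: " + proxied.deleteAll()); }
        catch (SecurityException e) { System.out.println("proxied: " + e.getMessage()); }
    }
}
```

A quick check in a real application is to log `getClass()` of the injected bean: if it is the plain implementation class rather than a proxy, no method-security interceptor is in the call path.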