@Secured Is Not Working As Expected

**LondonM** · Jul 6th, 2011, 02:12 PM

Hello,

I have the <global-method-security secured-annotations="enabled" />
defined in the security context.xml file.

Then, I annotated a method with @Secured("ADMIN"), but regardless of the role with which I log in with, the method runs anyway!

I've tried using pointcuts as an alternative, but that didn't work either.

Any ideas why this would be happening would be appreciated.

Thanks

L

**Rob Winch** · Jul 6th, 2011, 04:59 PM

Did you look at the FAQ? How are you creating the object that is annotated?

**LondonM** · Jul 7th, 2011, 05:32 AM

Yes, but this didn't resolve the issue.

Thanks,

**Rob Winch** · Jul 7th, 2011, 08:22 AM

Originally Posted by LondonM

Yes, but this didn't resolve the issue.

Thanks,

Ok, so then....

Originally Posted by rwinch

How are you creating the object that is annotated?

You either need to use aspectj or ensure that Spring is creating the object for you. As the FAQ mentions your global-method-security should be in the same context as your secured bean.

**LondonM** · Jul 7th, 2011, 08:34 AM

It is.

The global security tag is in the security context xml fiile.

The beans are auto-generated by Spring so are you saying the global security tag needs to be somewhere else? I tried to put it in the web context xml, but the syntax was marked as an error for that file.

-----

I also tried creating an aspect, but that didn't work either.

Still missing something here...

Thanks,

**Rob Winch** · Jul 7th, 2011, 08:39 AM

Using code tags please post the following:

web.xml
Spring configuration files
Class that is annotated with @Secured
Class that is using the class that is annotated with @Secured

You may also want to enable logging and view the logs to see if that helps. If it doesn't it may be good to post the logs too.

**LondonM** · Jul 7th, 2011, 08:55 AM

I totally appreciate your help here.

Unfortunately, I'm constrained with what files I can post publicly.

Thanks very much for your help.

**Rob Winch** · Jul 7th, 2011, 11:19 PM

You might try to come up with a minimal example that demonstrates your problem and then post that. This may also help you figure out what is wrong.

**LondonM** · Jul 8th, 2011, 05:16 AM

Good idea. Thanks.

**LondonM** · Jul 8th, 2011, 05:48 AM

Since creating an example application with Spring security, MVC, etc., enabled, would also be time consuming, I'm wondering if there's a simple way to turn on "Spring Logging" so I can glean some details.

I don't think log4J will work since none of my catch blocks ... "catch" anything when I go to the 403 page.

So, in Spring 3, is there a "simple way" to turn on logging so I can see what's going on? I also can't see that the user is injected into the class so it's virtually impossible to understand why the @Secured method is failing.

Thanks,

Thread: @Secured Is Not Working As Expected

Thread Tools

Display

@Secured Is Not Working As Expected

Tags for this Thread

Posting Permissions