
Thread: Pre/PostAuthorize annotations not working

  1. #1

    Pre/PostAuthorize annotations not working

    Hello

    I'm using Spring 3.0.6 and Spring Security 3.0.7 and method protection annotations just don't work. Here is my configuration.

    web.xml

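    <!-- Front controller. The DispatcherServlet creates its own child application
         context from the file named below; that context is separate from the root
         context that ContextLoaderListener builds from the <context-param> further
         down. Elements such as <security:global-method-security> only affect beans
         declared in the same context as the element, so any service beans defined in
         applicationContext.xml are not secured by a declaration that lives only in
         securityApplicationContext.xml. -->
    <servlet>
      <servlet-name>dispatcher</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml</param-value>
      </init-param>
      <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
      <servlet-name>dispatcher</servlet-name>
      <url-pattern>/</url-pattern>
    </servlet-mapping>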

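    <!-- SiteMesh page-decoration filter. Filter mappings are applied in declaration
         order, so this filter wraps springSecurityFilterChain, which is mapped after it.
         NOTE(review): the Spring Security chain is normally mapped first so that the
         security context is still populated while decorators render; confirm that this
         order is intentional. -->
    <filter>
      <filter-name>sitemesh</filter-name>
      <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
    </filter>

    <filter-mapping>
      <filter-name>sitemesh</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>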


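    <!-- Entry point for Spring Security's web layer. DelegatingFilterProxy resolves the
         bean whose name equals the filter name (springSecurityFilterChain) from the root
         application context and hands every request matching /* to it. This covers URL
         rules only; method-level annotations are enforced separately through
         <security:global-method-security>. -->
    <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>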


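    <!-- Root application context, built by ContextLoaderListener from the file below.
         As posted, it holds only the Spring Security configuration. Beans in the
         dispatcher's child context can look up beans from this context, but they are
         not processed by a <security:global-method-security> declared here. -->
    <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/securityApplicationContext.xml</param-value>
    </context-param>

    <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>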


    securityApplicationContext.xml


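    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">

      <!-- Turns on @PreAuthorize/@PostAuthorize, @Secured and JSR-250 annotations, but
           only for beans defined in this application context. web.xml loads this file
           as the root context, so service beans created by the dispatcher's own context
           are left unproxied and their annotations are silently ignored. -->
      <security:global-method-security pre-post-annotations="enabled"
                                       secured-annotations="enabled"
                                       jsr250-annotations="enabled"/>

      <security:http auto-config="true" use-expressions="true">
        <!-- Rules are checked top to bottom and the first match wins.
             NOTE(review): with Ant-style matching, "/*" covers a single path segment
             only, so "/genres/delete/{genreId}" matches neither rule below and relies
             entirely on method security. "/**" is the usual catch-all; confirm the
             intended coverage. -->
        <security:intercept-url pattern="/genres/create" access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
      </security:http>

      <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
          <!-- In-memory sample accounts. No <security:password-encoder> is configured,
               so passwords are kept and compared as plain text, and each one equals its
               user name. Suitable for a demo only; replace before any real deployment. -->
          <security:user-service>
            <security:user name="user1" password="user1" authorities="ROLE_USER"/>
            <security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
          </security:user-service>
        </security:authentication-provider>
      </security:authentication-manager>

    </beans>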

    I'm protecting the method on my service interface this way:

    /**
     * Service contract for album genres; only the delete operation is shown in the post.
     */
    public interface AlbumGenreService {

    // Intended to restrict deletion to callers holding ROLE_ADMIN. The expression is
    // enforced only when the implementing bean is proxied by Spring Security, i.e. when
    // pre-post annotations are enabled in the application context that defines that
    // bean. Otherwise the annotation has no effect and the call goes through, which is
    // the behaviour reported in this thread.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteGenre(Integer genreId);

    } and then invoking the method in the controller:

    /**
     * Deletes the genre named by the {@code genreId} path variable, then redirects to
     * {@code /genres/view}.
     *
     * NOTE(review): the handler performs no authorization of its own; it depends on the
     * {@code @PreAuthorize} declared on {@code AlbumGenreService#deleteGenre} being
     * enforced. The mapping also declares no HTTP method, so this state-changing
     * operation is not limited to POST; confirm that is intended.
     */
    @RequestMapping(value = "/genres/delete/{genreId}")
    public String deleteGenre(@PathVariable("genreId") Integer genreId, Model model) {
        // Delegates to the service layer, where the role check is expected to happen.
        albumGenreService.deleteGenre(genreId);

        final String redirectView = "redirect:/genres/view";
        return redirectView;
    }

    When I log in with ROLE_USER role and try to delete the genre, the access to the protected method is granted and the genre is deleted.

  2. #2


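    If someone is facing the same problem, the solution is trivial. You have to enable method security annotations in the root application context, where the service bean is declared. The <security:global-method-security> element only applies to beans defined in the same application context as the element itself.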

    Cheers
