-
Dec 1st, 2011, 01:57 PM
#1
HttpInvoker and @Secured
Hey,
I'm trying to secure a WebService exposed with HttpInvoker.
My "security context file" is as follows:
<sec:global-method-security secured-annotations="enabled" />
<sec:http auto-config="false" realm="ism realm" use-expressions="true">
    <sec:http-basic />
    <sec:intercept-url pattern="/ws/**" access="hasRole('ROLE_ADMIN')" />
</sec:http>
<sec:authentication-manager>
    <sec:authentication-provider>
        <sec:user-service>
            <sec:user name="admin" password="admin" authorities="ROLE_ADMIN" />
        </sec:user-service>
    </sec:authentication-provider>
</sec:authentication-manager>
The interface of my service is:
import java.util.List;

import org.springframework.security.access.annotation.Secured;

public interface INewsManager {
    // Caller must hold ROLE_USER to invoke this method.
    @Secured("ROLE_USER")
    public List<News> findAllNews();
}
You can see that the role used in the annotation is not the same as in my configuration file.
And you know what? I'm able to receive the response from my WebService :-(
Of course, my "client" is "admin", so if I change my configuration file and say authorities="ROLE_TELLER", my client is not able to call my WebService (I mean that the config of the HttpInvoker and the use of "commons httpclient" works).
Any idea?
I use Spring Security 3.0.5.
-
Dec 1st, 2011, 02:11 PM
#2
The solution is in the thread http://forum.springsource.org/showth...ns-not-working
Beans must be defined after the global-method-security tag, so defining them in the same file, just after it, works!
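
Added example, not part of either post or of the linked thread: a context file laid out the way the reply describes, with the service bean declared in the same file as `<sec:global-method-security>`, since that element only secures beans of the application context it is declared in. The bean ids, the `com.example.news` package, the `NewsManagerImpl` class and the `/newsManager` URL are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Layout that leaves @Secured ignored: the
     global-method-security tag in the security context file and the
     service bean in a different context file. Layout below: both in one
     file, so the bean is wrapped by the method-security interceptor. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Same tag as in the original post. -->
  <sec:global-method-security secured-annotations="enabled" />

  <!-- Hypothetical implementation of the thread's INewsManager interface.
       Declared after the tag, in the same file, as the reply recommends. -->
  <bean id="newsManager" class="com.example.news.NewsManagerImpl" />

  <!-- The exporter must reference the context-managed bean (ref=...), not a
       separately constructed instance, so remote calls go through the
       secured proxy. The URL-style bean name is an assumption and presumes
       this file is loaded by a DispatcherServlet mapped to /ws/*. -->
  <bean name="/newsManager"
        class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="service" ref="newsManager" />
    <property name="serviceInterface" value="com.example.news.INewsManager" />
  </bean>

</beans>
```

A quick check for this layout: the thread's `admin` user holds only `ROLE_ADMIN`, so a call to `findAllNews()` (which requires `ROLE_USER`) should now be refused. If it still returns data, the annotation is not being applied to the exported bean.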