Hi,
The following problem has been driving me insane:
I have the following setup:
- interface StudyService
- @Service StudyServiceImpl implements StudyService
- @Controller StudyServiceController implements StudyService
- SampleDAOImpl implements SampleDAO
- A permissionEvaluator CdmPermissionEvaluator
Code:

    class SampleDAOImpl implements SampleDAO {
        ...
        @Secured(Roles.USER)
        @PostAuthorize("hasPermission(returnObject, 'read')")
        Sample load(long sampleId) {
            ...
        }
        ...
    }

The @Secured works, as I have to log in when that is present. However, the @PostAuthorize doesn't work, even when I comment out the @Secured. I have a logging statement in CdmPermissionEvaluator.hasPermission(), and it never gets logged. This is also the case when I comment out the @Secured annotation (to avoid that the @PostAuthorize doesn't get evaluated because of the default AffirmativeBased voter).

Relevant parts of web.xml:

Code:

    ...
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    ...
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>*.rpc</url-pattern>
    </servlet-mapping>
    ...

Relevant parts of spring-servlet.xml:

Code:

    ...
    <security:global-method-security secured-annotations="enabled"/>
    <context:annotation-config/>
    <!-- Auto-detect controllers; these extend RemoteServiceServlet and are -->
    <!-- annotated with @Controller -->
    <context:component-scan base-package="org.gmeb.crf.server">
        <context:include-filter type="annotation"
                                expression="org.springframework.stereotype.Controller"/>
    </context:component-scan>
    ...

Relevant parts of applicationContext.xml:

Code:

    <context:annotation-config/>
    <bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>
    <context:component-scan base-package="org.gmeb.crf">
        <context:exclude-filter type="annotation"
                                expression="org.springframework.stereotype.Controller"/>
    </context:component-scan>

Relevant parts of applicationContext-security.xml:

Code:

    <http auto-config="true"
          entry-point-ref="authenticationEntryPoint"
          create-session="always"
          use-expressions="true">
        <intercept-url pattern="/**" access="permitAll()"/>
        <form-login authentication-success-handler-ref="authenticationSuccessHandler"
                    authentication-failure-handler-ref="authenticationFailureHandler"/>
        <logout success-handler-ref="logoutSuccessHandler"/>
        <anonymous/>
    </http>
    ...
    <global-method-security pre-post-annotations="enabled">
        <!-- TODO: Add proxy-target-class="true" -->
        <expression-handler ref="expressionHandler"/>
    </global-method-security>
    <beans:bean id="expressionHandler"
                class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="permissionEvaluator" ref="cdmPermissionEvaluator"/>
    </beans:bean>
    <beans:bean id="loggerListener"
                class="org.springframework.security.authentication.event.LoggerListener"/>
    <context:annotation-config/>
    <beans:bean id="cdmPermissionEvaluator"
                class="org.gmeb.crf.server.auth.CdmPermissionEvaluator">
    </beans:bean>

Any idea what I'm doing wrong here?
Before I had this setup I had @PostAuthorize annotations with Spring EL expressions (no permissionEvaluator) in @Service StudyServiceImpl, and that worked. So what am I doing wrong, and what's the difference with the previous setup?
Thanks in advance,
Arnaud
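
For reference, the expression `hasPermission(returnObject, 'read')` in the post resolves to the three-argument method of Spring Security's `PermissionEvaluator` interface, with the method's return value as the target object. The sketch below is an added example, not the poster's CdmPermissionEvaluator; the nested `Sample` type, its `getOwner()` accessor and the owner-only rule are assumptions made for illustration.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

// Added example: a deny-by-default evaluator for "read" on a Sample.
public class ExamplePermissionEvaluator implements PermissionEvaluator {

    // Hypothetical domain type; the real Sample class is not shown in the post.
    public static class Sample {
        private final String owner;
        public Sample(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    // Invoked for hasPermission(returnObject, 'read'):
    // targetDomainObject is the value returned by the secured method,
    // permission is the literal "read".
    @Override
    public boolean hasPermission(Authentication authentication,
                                 Object targetDomainObject, Object permission) {
        // With <anonymous/> enabled an anonymous token is still "authenticated",
        // so it has to be rejected explicitly.
        if (authentication == null
                || !authentication.isAuthenticated()
                || authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        // Unknown target types (including null) and unknown permissions are denied.
        if (!(targetDomainObject instanceof Sample) || !"read".equals(permission)) {
            return false;
        }
        // Assumed rule: only the owner may read the sample.
        Sample sample = (Sample) targetDomainObject;
        return authentication.getName().equals(sample.getOwner());
    }

    // Invoked for hasPermission(id, 'type', 'permission'); unused here, so deny.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }
}
```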


