Thread: Url seems to be secured properly, but authorize tag doesn't show correct result.

  1. #1

    I have a controller secured with:

    Code:
    @PreAuthorize("hasRole('ROLE_USER')")
    and a jsp with a link to that controller:
    Code:
    <sec:authorize url='/api/example'>You can currently access <a href="/api/example">"/api/example"</a>.</sec:authorize>
    In that configuration:
    If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied. However, the link still appears on the jsp.
    If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed through.

    So the underlying spring-security config appears to be good, but something is off with the taglib.

    My next step was to try removing the PreAuthorize tag from the controller, and just dump it into the security-config:
    Code:
    <intercept-url pattern="/api/example" access="hasAnyRole('ROLE_USER')"/>
    In that configuration:
    If I am not logged in with ROLE_USER, and try to hit /api/example, I am denied and the link disappears from the jsp.
    If I am logged in with ROLE_USER, and try to hit /api/example, I am allowed and the link appears in the jsp.

    Any thoughts as to what I've misconfigured?

    Additionally, some relevant bits in the config files follow.
    In security-config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:util="http://www.springframework.org/schema/util"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans  http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    		http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security-3.0.xsd
    		http://www.springframework.org/schema/util	  http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    <global-method-security pre-post-annotations="enabled" />
    In mvc-config:
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:context="http://www.springframework.org/schema/context"
    	xmlns:mvc="http://www.springframework.org/schema/mvc"
    	xmlns:util="http://www.springframework.org/schema/util"
    	xsi:schemaLocation="
    		http://www.springframework.org/schema/beans	 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
    		http://www.springframework.org/schema/mvc	 http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
    		http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security-3.0.xsd
    		http://www.springframework.org/schema/util	 http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    	<context:component-scan base-package="package.web" />
    	<security:global-method-security pre-post-annotations="enabled" />
    	<mvc:annotation-driven />

  2. #2

    The authorize tag's url support looks at the Spring Security <http> <intercept-url>s and knows nothing about your Spring MVC configuration.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
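
The behaviour described in the reply above, shown side by side in a JSP. This is an added example, not part of the original thread; it assumes the taglib is bound to the `sec` prefix as in the question and that web expressions are enabled on the `<http>` element, which the poster's `hasAnyRole(...)` rule implies.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

<%-- Case 1: url= is evaluated only against the <intercept-url> rules inside
     <http>. When the restriction exists solely as @PreAuthorize on the
     controller, no URL rule covers /api/example, so the tag treats the URL
     as unrestricted and renders its body for every visitor. --%>
<sec:authorize url="/api/example">
  You can currently access <a href="/api/example">"/api/example"</a>.
</sec:authorize>

<%-- Case 2: access= evaluates a web security expression directly against the
     current Authentication and does not consult URL rules. Repeating the
     expression from @PreAuthorize keeps the link in step with the
     method-level check on the controller. --%>
<sec:authorize access="hasRole('ROLE_USER')">
  You can currently access <a href="/api/example">"/api/example"</a>.
</sec:authorize>

<%-- Case 3: url= reflects the real rule once that rule is declared in the
     security config, as the poster's second configuration does:
       <intercept-url pattern="/api/example" access="hasAnyRole('ROLE_USER')"/>
     The tag body is the same as in Case 1; only the config changes. --%>
```

In every case the tag only controls whether the link is rendered; the request itself is still enforced by `@PreAuthorize` or the `<intercept-url>` rule on the server.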
