SpringSecurity @PreAuthorize with JEE6 CDI-BEAN ?

[mortimor]

Hello,

i have configured my JEE6 WebApp to use SpringSecurity for Authentication. Login is allready working.
Now i would like to secure my methods with @PreAuthorize.
Allthough my User does not have the correct role he is still able to call the method.
Seems like the @PreAuthorize is not recognized with my CDI-Bean?

My Bean:

Code:

@Model
public class MyAuthenticator {
	
	private String anonym="Sample Text!";
	
	@PreAuthorize("hasRole('ROLE_TEST')")
	public void setAnonym(){
		anonym="Anonym Button: "+getTime();
	}
...
}

I have added following to my spring-security.xml:

Code:

<global-method-security pre-post-annotations="enabled" />

The method is called from myAuthenticator.xhtml

Code:

...
	<h:commandButton type="submit" action="#{myAuthenticator.setAnonym}" value="setAnonym" />
...

[Marten Deinum]

CDI Bean != Spring Bean... Spring Security will only protected beans that are under the control of spring, it will not protect beans created outside the scope of the spring container. So basically your @PreAuthorize is useless...

Make the @Model annotated bean a spring bean and use Springs JSF integration (check the reference guide) to retrieve it from the application context.

[mortimor]

Thanks a lot for the fast reply.
I supposed that mixing of technologie was the problem.