Jul 6th, 2012, 10:43 AM
Spring Authorization without Authentication won't work
I am involved in a struts to spring 3.1 migration running on a WAS 7 server. I
am trying to use the @PreAuthorize("hasRole('ROLE_USER')") annotation. I am
using Spring for authorization, but all users are authenticated before they
enter the system. I am using a DelegatingFilterProxy to supply the
UserDetailsService with the UserDetails needed to authorize the transaction.
The filter is working and setting up the UserDetailsService correctly; however,
loadUserByUsername is never called, and a logged-in user is able to
access the controller even when not authorized to. I have read in several
places that Spring wants to do the authentication, and if you want to bypass
this then you need to put a dummy authentication in place. I've seen a couple
ways of doing this and have tried both without success (the commented-out
section of applicationContext.xml is the first of those attempts).
applicationContext.xml
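<?xml version="1.0" encoding="UTF-8"?>
<!--
  Root application context (loaded by ContextLoaderListener, see web.xml).

  NOTE(review): <sec:global-method-security> only post-processes beans defined in the
  context it is declared in. If the @PreAuthorize-annotated controllers live in the
  DispatcherServlet's own child context (by default <servlet-name>-servlet.xml, not
  shown here), the annotation is silently ignored there unless this element is
  repeated in that file. That would match the "unauthorized user still reaches the
  controller" symptom - confirm where the controllers are defined.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
                           http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd">

    <!-- Enables @PreAuthorize / @PostAuthorize on beans defined in THIS context only. -->
    <sec:global-method-security pre-post-annotations="enabled" />

    <!--
      NOTE(review): nothing in the <sec:http> element below installs an authentication
      filter (auto-config is off and the pre-auth filter is commented out), so this
      manager - and therefore the provider's UserDetailsService - is never invoked.
      That is consistent with loadUserByUsername never being called.
    -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="customAuthenticationProvider" />
    </sec:authentication-manager>

    <!--<import resource="http-config.xml"/> <import resource="idxml-config.xml"/>-->

    <!--
      Per-request filter that copies the already-authenticated user into
      userPermissionDetailsService (see SpringDelegateFilter in the code below).
      NOTE(review): DelegatingFilterProxy looks its target bean up at filter
      initialisation, outside any request, so a request-scoped filter bean without a
      scoped proxy is unlikely to behave as intended - verify against the container log.
    -->
    <bean id="SpringDelegateFilter"
          class="com.xxxx.web.auth.SpringDelegateFilter" scope="request">
        <property name="userPermissionDetailsService">
            <ref bean="userPermissionDetailsService" />
        </property>
    </bean>

    <!--
      Holds the current request's UserDetails. The scoped proxy lets the singleton
      authentication provider below hold a reference to a request-scoped instance.
    -->
    <bean id="userPermissionDetailsService"
          class="com.xxxx.xxxx.user.service.UserPermissionDetailsService"
          scope="request">
        <aop:scoped-proxy />
    </bean>

    <!--
      All this does is override additionalAuthenticationChecks and make it do nothing.
      NOTE(review): a provider that skips credential checks authenticates any token
      whose name resolves to a user. That is only safe when the identity is asserted by
      a trusted upstream component (container / SSO); the PreAuthenticatedAuthenticationProvider
      in the commented block below is the supported way to express exactly that.
    -->
    <bean id="customAuthenticationProvider"
          class="com.xxxx.xxxx.web.permissions.DummyAuthenticationProvider"
          p:userDetailsService-ref="userPermissionDetailsService" />

    <!--
      NOTE(review): this element builds the bean "springSecurityFilterChain", but
      web.xml registers no DelegatingFilterProxy by that name, so the chain never runs
      and the SecurityContext is never populated for method security. The intercept-url
      below also has no access attribute, i.e. it restricts nothing at the URL level.
    -->
    <sec:http use-expressions="true" auto-config="false">
        <sec:intercept-url pattern="/**" />
    </sec:http>

    <!--
    Pre-authenticated variant (first of the two attempts mentioned in the post):
    <sec:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        Additional http configuration omitted
        <sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    </sec:http>
    <bean id="preAuthenticatedProcessingFilterEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
    <bean id="siteminderFilter"
          class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <property name="principalRequestHeader" value="SM_USER"/>
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    <bean id="preauthAuthProvider"
          class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper"
                  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="userPermissionDetailsService"/>
            </bean>
        </property>
    </bean>
    -->
</beans>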
web.xml
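<web-app
    id="WebApp_ID"
    version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Root context, loaded by ContextLoaderListener below. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/config/applicationContext.xml</param-value>
    </context-param>

    <!--
      NOTE(review): the Spring Security web chain declared by <sec:http> in
      applicationContext.xml is only applied if a filter named "springSecurityFilterChain"
      (class DelegatingFilterProxy) is registered and mapped here, ahead of
      SpringDelegateFilter. No such filter is declared in this descriptor.
    -->
    <filter>
        <filter-name>SpringDelegateFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter>
        <filter-name>requestContextFilter</filter-name>
        <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
    </filter>

    <!-- Binds the request to RequestContextHolder so request-scoped beans can resolve. -->
    <filter-mapping>
        <filter-name>requestContextFilter</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <!-- Only requests dispatched to SpringDispatcherServlet (*.html) pass through this filter. -->
    <filter-mapping>
        <filter-name>SpringDelegateFilter</filter-name>
        <servlet-name>SpringDispatcherServlet</servlet-name>
    </filter-mapping>

    <!-- Redundant with requestContextFilter above; either one is sufficient. -->
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <!--
      NOTE(review): org.springframework.web.context.ContextLoader is the helper used by
      ContextLoaderListener; it is not itself a ServletContextListener, so this entry is
      at best redundant with the one that follows. Check the deployment log and drop it.
    -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoader</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>SpringDispatcherServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>SpringDispatcherServlet</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>default.html</welcome-file>
        <welcome-file>default.htm</welcome-file>
        <welcome-file>default.jsp</welcome-file>
    </welcome-file-list>

    <jsp-config>
        <taglib>
            <taglib-uri>/WEB-INF/spring.tld</taglib-uri>
            <taglib-location>/WEB-INF/spring.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>/tags/xxxx-applicationcontext</taglib-uri>
            <taglib-location>/WEB-INF/xxxx-applicationcontext.tld</taglib-location>
        </taglib>
    </jsp-config>

    <!--
      Container-managed constraint carried over from the Struts application.
      NOTE(review): it covers only *.do; the Spring MVC controllers are served at *.html
      (see the servlet-mapping above) and are therefore outside this constraint. Whether
      that is intended depends on how users are authenticated before reaching the app.
    -->
    <security-constraint>
        <display-name>xxxx_constraints</display-name>
        <web-resource-collection>
            <web-resource-name>do_resources</web-resource-name>
            <description></description>
            <url-pattern>*.do</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>application roles</description>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <!--
      NOTE(review): UNSPECIFIED is not one of the standard auth-method values
      (BASIC, DIGEST, FORM, CLIENT-CERT); presumably a container-specific SSO mechanism
      performs the login - confirm with the WAS security configuration.
    -->
    <login-config>
        <auth-method>UNSPECIFIED</auth-method>
    </login-config>
    <security-role>
        <description>XXXX</description>
        <role-name>user</role-name>
    </security-role>

    <resource-ref>
        <description></description>
        <res-ref-name>jdbc/oracle</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
</web-app>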
The delegating filter class:
@Service
public class SpringDelegateFilter implements Filter {

    // Only doFilter is shown in this excerpt; the init(FilterConfig) and destroy()
    // methods required by javax.servlet.Filter are presumably elided along with
    // the declaration of `log` (neither appears here).
    private FilterConfig filterConfig;

    // Request-scoped holder for the current user's UserDetails (see applicationContext.xml).
    private UserPermissionDetailsService userPermissionDetailsService;

    /**
     * Returns the injected user-details holder.
     *
     * NOTE(review): @Autowired on a zero-argument getter injects nothing; Spring
     * autowires through method parameters, so the annotation presumably belongs
     * on the setter below (or is redundant with the XML property injection).
     */
    @Autowired
    public UserPermissionDetailsService getUserPermissionDetailsService() {
        return userPermissionDetailsService;
    }

    /**
     * Sets the user-details holder; populated from applicationContext.xml.
     */
    public void setUserPermissionDetailsService(
            UserPermissionDetailsService userPermissionDetailsService) {
        this.userPermissionDetailsService = userPermissionDetailsService;
    }

    /**
     * Copies the already-authenticated user for this request into the
     * request-scoped UserPermissionDetailsService, then continues the chain.
     *
     * The cast to HttpServletRequest is unconditional; the web.xml mapping
     * (servlet-name scoped) means only HTTP dispatches reach this filter.
     *
     * NOTE(review): whatever getLoginUser returns is stored as-is. If it can
     * return null for an unauthenticated caller, the request still proceeds and
     * loadUserByUsername later yields null - confirm getLoginUser's contract.
     *
     * @throws IOException      propagated from the downstream chain
     * @throws ServletException propagated from the downstream chain
     */
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (log.isDebugEnabled()) {
            log.debug("BEGIN SpringDelegateFilter.doFilter()");
        }
        // turn this into an HTTP event
        HttpServletRequest httpRequest = (HttpServletRequest) req;
        UserManagementWebUtil webUtil = new UserManagementWebUtil();
        UserDetails loginUser = webUtil.getLoginUser(httpRequest);
        userPermissionDetailsService.setUser(loginUser);
        chain.doFilter(req, resp);
    }
}
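/**
 * UserDetailsService that does no lookup of its own: it hands back the
 * UserDetails that SpringDelegateFilter stored for the current request.
 *
 * Declared request-scoped with a scoped proxy in applicationContext.xml, so
 * each request sees its own {@code user}.
 */
public class UserPermissionDetailsService implements UserDetailsService {

    // The principal for the current request; set by SpringDelegateFilter before
    // the filter chain proceeds.
    private UserDetails user;

    /**
     * Binds the already-authenticated user to this (request-scoped) instance.
     */
    public void setUser(UserDetails user) {
        this.user = user;
    }

    /**
     * Returns the user bound by {@link #setUser(UserDetails)}.
     *
     * NOTE(review): {@code userName} is not compared with the stored user's
     * name, so whichever name the authentication token carries resolves to the
     * request's user. If the token name is expected to equal
     * {@code user.getUsername()}, that equality should be enforced here.
     *
     * @param userName the name being authenticated (currently not used for lookup)
     * @return the UserDetails bound to this request
     * @throws org.springframework.security.core.userdetails.UsernameNotFoundException
     *         if no user has been bound; the UserDetailsService contract requires
     *         this exception rather than a null return
     */
    public UserDetails loadUserByUsername(String userName) {
        if (this.user == null) {
            throw new org.springframework.security.core.userdetails.UsernameNotFoundException(
                    "No pre-authenticated user is bound to this request (requested name: "
                            + userName + ")");
        }
        return this.user;
    }
}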