Thread: Secured annotations not working in AspectJ Mode with Autoproxy

  1. #1
    Join Date
    Sep 2007
    Location
    London,UK
    Posts
    21

    Default Secured annotations not working in AspectJ Mode with Autoproxy

    I'm trying to get my Spring MVC app to play nice with Spring @Secured annotations and AspectJ autoproxying but it doesn't seem to be proxying or recognising my @Secured annotations. I have a controller like this:

    Code:
    @Controller
    @RequestMapping("/")
    public class ApplicationController {
    
    	private ApplicationFactory applicationFactory;
    
    	@Inject
    	public ApplicationController(ApplicationFactory applicationFactory) {
    		super();
    		this.applicationFactory = applicationFactory;
    	}
    
    	@Secured("ROLE_USER")
    	@ResponseBody
    	@RequestMapping(method = GET)
    	public Application getApplicationInfo() {
    		return applicationFactory.buildApplication(this);
    	}
    
    }
    And a spring security XML that looks something like this:

    Code:
      <security:global-method-security secured-annotations="enabled" mode="aspectj" proxy-target-class="true" />
    
      <security:http auto-config="true" use-expressions="true">
        <security:http-basic/>
      </security:http>
    However, Spring Security isn't detecting the annotation and I'm still able to access the secured endpoint above without being authorised.

    Am I missing something? I tried adding the @EnableAspectJAutoProxy(proxyTargetClass = true) to my application configuration but that didn't help either. Is there any way to have run time weaving or will I have to use compile time weaving to enable annotation-based security for my application?

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,624

    Default

    Please use the search as this question has been answered before.

    In short your global-method-security is useless as it is defined in the root application context (loaded by the ContextLoaderListener) whereas your @Controller is detected by the DispatcherServlet. Aspect configuration of a parent context doesn't affect child contexts (and vice-versa).

    Move/add the global-method-security to the DispatcherServlet.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author



  3. #3
    Join Date
    Sep 2007
    Location
    London,UK
    Posts
    21

    Default

    Hi Marten

    Thanks for the response.

    You are incorrect though: I did search, exhaustively for the keywords in the code above but couldn't find a single solution until you responded here.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    See the FAQ
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  5. #5
    Join Date
    Sep 2007
    Location
    London,UK
    Posts
    21

    Default

    I'm not sure that the issue with the application contexts from the FAQ is the problem. I only create one application context for the whole of my application. Please see my WebInitializer instance:

    Code:
    public class SpringMvcInitializer implements WebApplicationInitializer {
    
    	private final AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
    
    	public void onStartup(ServletContext servletContext) throws ServletException {
    		context.register(ApplicationConfiguration.class);
    
    		servletContext.addListener(new ContextLoaderListener(context));
    		servletContext.addListener(new Log4jConfigListener());
    
    		final DelegatingFilterProxy proxy = new DelegatingFilterProxy("springSecurityFilterChain", context);
    		FilterRegistration.Dynamic filter = servletContext.addFilter("securityFilter", proxy);
    		filter.addMappingForUrlPatterns(EnumSet.of(REQUEST), false, "/*");
    
    		final DispatcherServlet servlet = new DispatcherServlet(context);
    		ServletRegistration.Dynamic dispatcher = servletContext.addServlet("dispatcher", servlet);
    		dispatcher.setLoadOnStartup(1);
    		dispatcher.addMapping("/*");
    	}
    
    }
    If that is the case, I'm unsure how to change the ordering of my security application context XML using the no-xml @Configuration component I'm using:

    Code:
    @Configuration
    @ComponentScan(basePackages = {"com.example"})
    @EnableWebMvc
    @ImportResource("classpath:/security.xml")
    public class ApplicationConfiguration extends WebMvcConfigurerAdapter {
    }
    Any help or suggestions would be gratefully received.

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    Are you weaving the classes with AspectJ as indicated in the reference doc for global-method-security@mode? How are you compiling with AspectJ (i.e. maven, ant, eclipse, etc) and what does the configuration look like? If you do not want to use AspectJ, you might try removing the mode="aspectj".
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  7. #7
    Join Date
    Sep 2007
    Location
    London,UK
    Posts
    21

    Default

    Hi Rob,

    I was specifically trying to avoid compile/load time weaving by using the proxy-target-class="true" directive.

    Does this mean I have to use weaving to recompile my classes to get @Secured annotations to work? Is there an example Spring Security 3.1 project I could look at?

    TIA...

    -- Ricardo

  8. #8
    Join Date
    Jan 2008
    Posts
    1,826

    Default

    You probably want to read some about Spring AOP. The choices are proxy based AOP which has an initial load time penalty (should be rather minimal) or compiling with AspectJ. There are a number of samples out there, but the best bet is to refer to the sample applications included with Spring Security.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  9. #9
    Join Date
    Sep 2007
    Location
    London,UK
    Posts
    21

    Default

    Hi Rob,

    Thanks for the info, I am aware of the difference and I've got proxy based AOP to work with Spring MVC before, just not with spring-security and never with a "no-xml" spring application. I'm not sure I understand why the above isn't working.

    I'll check out the sample apps and see if I get any answers from those.

    Regards...

    -- Ricardo
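
The failure in this thread is silent: with mode="aspectj" and no weaving, the @Secured method simply runs for everyone. The following regression test is an added example, not code from any poster or from the Spring Security samples; it makes that fail-open state visible by calling the controller bean directly. It assumes JUnit 4 and spring-test 3.2+ on the test classpath, and that the `ApplicationConfiguration` and `ApplicationController` classes posted above load in a test context; the test class name, user name and `ROLE_GUEST` are constructed for illustration.

```java
import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;

// Assumption: ApplicationConfiguration and ApplicationController are the classes from the thread.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration // @EnableWebMvc needs a ServletContext to start
@ContextConfiguration(classes = ApplicationConfiguration.class)
public class SecuredAnnotationEnforcementTest {

    @Autowired
    private ApplicationController controller;

    @After
    public void clearSecurityContext() {
        SecurityContextHolder.clearContext(); // do not leak authentication between tests
    }

    // Fails with "expected exception" when @Secured is not intercepted at all,
    // which is the unwoven mode="aspectj" situation described in the thread.
    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void rejectsCallWithoutAuthentication() {
        controller.getApplicationInfo();
    }

    @Test(expected = AccessDeniedException.class)
    public void rejectsCallerWithoutRoleUser() {
        authenticateAs("ROLE_GUEST"); // constructed role, not from the thread
        controller.getApplicationInfo();
    }

    @Test
    public void allowsCallerWithRoleUser() {
        authenticateAs("ROLE_USER"); // the role named in @Secured on the controller
        controller.getApplicationInfo(); // passes if no security exception is thrown
    }

    private void authenticateAs(String role) {
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("test-user", "n/a", role));
    }
}
```

The same three tests apply whether enforcement comes from proxy-based AOP or from AspectJ weaving, so they can stay in the build when the mode is changed.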
