Method security + Java EE CDI

**PawelPiatkowski** · Aug 6th, 2012, 04:00 AM

Hello everybody,

I am trying to secure my Java EE CDI beans methods using Spring Security. I've found such description in the documentation (http://static.springsource.org/sprin...hod-security):

The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.

I've switched my Seam Security configuration to use AspectJ with:

Code:

<global-method-security secured-annotations="enabled" mode="aspectj" />

and as I can see it works with spring beans but unfortunatelly it has no effect when I'm adding the same @Secured annotation to my CDI bean.

Am I do something wrong or it is simply impossible?
Thank you for any help in advance.

**Marten Deinum** · Aug 6th, 2012, 06:17 AM

As mentioned in the reference guide it will only work for spring managed beans unless you use AspectJ and for that you have to compile your classes with AspectJ and have the spring-security-aspects on your compilation classpath. To make it work it requires a little more trickery then just setting the mode to aspectj...

**PawelPiatkowski** · Aug 6th, 2012, 06:31 AM

Agree... it is not only setting the mode to "aspectj". After such action the @Secured annotation isn't working even in Spring scoped beans but... I've finally made it work compiling with aspectj plugin in my pom.xml's <build> section:

Code:

<plugin>
	<groupId>org.codehaus.mojo</groupId>
	<artifactId>aspectj-maven-plugin</artifactId>
	<version>1.0</version>
	<configuration>
		<source>1.7</source>
		<target>1.7</target>
		<complianceLevel>1.7</complianceLevel>
		<Xlint>ignore</Xlint>
		<aspectLibraries>
			<aspectLibrary>
				<groupId>org.springframework.security</groupId>
				<artifactId>spring-security-aspects</artifactId>
			</aspectLibrary>
		</aspectLibraries>
	</configuration>
	<executions>
		<execution>
			<goals>
				<goal>compile</goal>
				<goal>test-compile</goal>
			</goals>
		</execution>
	</executions>
	<dependencies>
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjrt</artifactId>
			<version>1.6.8</version>
		</dependency>
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjtools</artifactId>
			<version>1.6.8</version>
		</dependency>
	</dependencies>
</plugin>

I've added also:

Code:

<context:load-time-weaver/>

to my context's xml file.

After this procedure @Secured annotations in Spring Beans have started to work again so that's why I'm asking if does it mean that @Secured annotation should now work in CDI beans?

**Marten Deinum** · Aug 6th, 2012, 07:10 AM

As mentioned you will need to rely fully on aspectj and need to use the aspectj agent to do the weaving. The load-time-weaver you configured will only modify classes loaded by spring and not the cdi container.

**PawelPiatkowski** · Aug 9th, 2012, 03:03 AM

I've finally made it so I would like to share my solution. Maybe someone will need it some day.

I've decided to do the compile time weaving. In my last post I was very close to do it. The aspectj-maven-plugin was simply too old but when I've changed it to 1.4 the weaving process was ok but... not for the CDI:

Code:

org.jboss.weld.exceptions.UnproxyableResolutionException: WELD-001437 Normal scoped bean class myPackageName.myClassName is not proxyable because the type is final or it contains a final method static final java.lang.String myPackageName.myClassName.myMethodName_aroundBody0(myPackageName.myClassName.,org.aspectj.lang.JoinPoint).

The problem was finally solved in the AspectJ 1.6.12 (you can find details here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=349149) with the new option of ajc tool which is:

Code:

-Xset:avoidFinal=true

As far as I'm concerned it is not possible to use this option in the current (1.4) version of aspectj-maven-plugin but there is no such problem with ant 1.8.2.

The final solution is adding the following plugin to your <build> tag:

Code:

<plugin>
	<artifactId>maven-antrun-plugin</artifactId>
	<version>1.7</version>
	<executions>
	  <execution>
		<phase>compile</phase>
		<configuration>
			<target xmlns:aspectj="antlib:org.aspectj">
				<property name="compile-classpath" refid="maven.compile.classpath"/>
				<aspectj:iajc
					X="set:avoidFinal=true" 
					showWeaveInfo="true"
					inpath="${project.build.directory}"
					aspectpath="${settings.localRepository}/org/springframework/security/spring-security-aspects/${org.springframework.version}/spring-security-aspects-${org.springframework.version}.jar"
					destDir="${project.build.outputDirectory}"
					classpath="${compile-classpath}" />
			</target>
		</configuration>
		<goals>
			<goal>run</goal>
		</goals>
	  </execution>
	</executions>
	<dependencies>
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjrt</artifactId>
			<version>1.7.0</version>
		</dependency>
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjtools</artifactId>
			<version>1.7.0</version>
		</dependency>
	</dependencies>
</plugin>

Now Spring Security works everywhere. The

Code:

<context:load-time-weaver/>

option is no longer needed.

Thread: Method security + Java EE CDI

Thread Tools

Display

Method security + Java EE CDI

Tags for this Thread

Posting Permissions