
Thread: Spring Security problem with using @PreAuthorize("hasPermission(....


  1. #1


    I am new to Spring Security and I'm trying to implement @PreAuthorize("hasPermission(#something, 'write')") on a method. I believe I have configured everything correctly (see config below); however, whenever I use @PreAuthorize("hasPermission( my app no longer loads. If I remove it, everything is fine.

    I have utilized some of the elements of Spring Security such as general Authentication, hasRole, etc.

    I am using Spring 3.1 and Spring Security 3.1.2.

    spring-security.xml
    Code:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
    	xmlns:beans="http://www.springframework.org/schema/beans" 
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans
    	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    	http://www.springframework.org/schema/security
    	http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    	 <global-method-security pre-post-annotations="enabled">
    	 	<expression-handler ref="expressionHandler"/>
    	 </global-method-security>
    	
    	
        <http auto-config="true" access-denied-page="/accessDenied.jsp" use-expressions="true">
       	 
    		<form-login login-page="/login.htm" default-target-url="/loginSuccess.htm"
    			authentication-failure-url="/loginfailed.htm" />
    		<logout logout-success-url="/login.htm" />
    
        
        </http>	
    	
    	<authentication-manager>
    		<authentication-provider>
    		
    		<password-encoder hash="md5" />
    		<jdbc-user-service data-source-ref="dataSource"
     
     		   users-by-username-query="
    		      select login as username,trim(password)...."/>
    		</authentication-provider>
    	</authentication-manager>
    </beans:beans>
    applicationContext.xml
    Code:
    ....
      <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
            <property name="permissionEvaluator" ref="applicationUserPermission"/>
      </bean>	
    	
      <bean id="applicationUserPermission" class="com.hwa.security.ApplicationUserPermissionEvaluator"/>
    ....
    Evaluator implementation:
    Code:
    public class ApplicationUserPermissionEvaluator implements PermissionEvaluator {
    
    	public boolean hasPermission(Authentication auth, Object target, Object permission) {
    		boolean hasPermission = true; 
    		if (target instanceof ApplicationUser){ 
    			ApplicationUser applicationUser = (ApplicationUser) target; ......
    Use of annotation
    Code:
    	@PreAuthorize("hasPermission(#applicationUser, 'write')")
    	public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {....}
    The error is generic but here it is (note if I remove the hasPermission above the app loads):

    Code:
    INFO: Closing Hibernate SessionFactory
    Sep 28, 2012 12:54:16 PM org.apache.catalina.core.StandardContext listenerStart
    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    java.lang.OutOfMemoryError: Java heap space
    	at java.util.Arrays.copyOf(Arrays.java:2882)
    	at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:100)
    	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:390)
    	at java.lang.StringBuffer.append(StringBuffer.java:224)
    	at java.io.StringWriter.write(StringWriter.java:95)
    	at java.io.PrintWriter.write(PrintWriter.java:412)
    	at java.io.PrintWriter.write(PrintWriter.java:429)
    	at java.io.PrintWriter.print(PrintWriter.java:559)
    	at java.io.PrintWriter.println(PrintWriter.java:695)
    	at java.lang.Throwable.printStackTrace(Throwable.java:512)
    	at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:176)
    	at org.springframework.beans.factory.BeanCreationException.printStackTrace(BeanCreationException.java:180)
    	at java.util.logging.SimpleFormatter.format(SimpleFormatter.java:72)
    	at java.util.logging.StreamHandler.publish(StreamHandler.java:179)
    	at java.util.logging.ConsoleHandler.publish(ConsoleHandler.java:88)
    	at java.util.logging.Logger.log(Logger.java:478)
    	at java.util.logging.Logger.doLog(Logger.java:500)
    	at java.util.logging.Logger.logp(Logger.java:700)
    	at org.apache.commons.logging.impl.Jdk14Logger.log(Jdk14Logger.java:101)
    	at org.apache.commons.logging.impl.Jdk14Logger.error(Jdk14Logger.java:149)
    	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:307)
    	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)
    	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4206)
    	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4705)
    	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
    	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:779)
    	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
    	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:675)
    	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:601)
    	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502)
    	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1317)
    	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:324)
    Thanks in advance,

    Keith
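
Added example, not part of the original post and not the poster's code: the evaluator excerpt above starts from `boolean hasPermission = true`, so any branch that forgets to reset it grants access. The variant below denies by default instead; the nested `ApplicationUser` stand-in, its `getLogin()` accessor (inferred from the `login` property used later in the thread) and the owner-only rule are assumptions made for illustration.

```java
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Added example: a PermissionEvaluator in which every path that is not an
// explicit allow returns false.
public class OwnerOnlyPermissionEvaluator implements PermissionEvaluator {

    // Hypothetical stand-in for the thread's ApplicationUser class; only the
    // `login` property is assumed.
    public static class ApplicationUser {
        private final String login;
        public ApplicationUser(String login) { this.login = login; }
        public String getLogin() { return login; }
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // No authenticated caller: deny.
        if (auth == null || !auth.isAuthenticated() || auth.getName() == null) {
            return false;
        }
        // Unknown (or null) target type: deny rather than fall through.
        if (!(target instanceof ApplicationUser)) {
            return false;
        }
        // Only the 'write' permission from the annotation is recognised.
        if (!"write".equals(permission)) {
            return false;
        }
        // Illustrative rule: a user may only write their own record.
        ApplicationUser user = (ApplicationUser) target;
        return auth.getName().equals(user.getLogin());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // Id-based checks are not implemented here, so they are denied.
        return false;
    }
}
```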

  2. #2

    Keith, have you tried increasing the heap size to see if the app starts? Using the annotation may push the memory usage over the current limit since it has to create proxies around method calls.

    Code:
    -Xms256m -Xmx512m

  3. #3


    Thanks for the reply.

    I changed from
    -Xmn128m
    -Xms256m
    -Xmx768m
    -Xss1m
    -XX:PermSize=128m
    -XX:MaxPermSize=384m

    to

    -Xmn128m
    -Xms1024m
    -Xmx1024m
    -Xss2m
    -XX:PermSize=128m
    -XX:MaxPermSize=512m

    Still received the same error... let me know if I should increase it further and perhaps to what.

  4. #4

    Hmm, I don't think you need to increase it further. I'm not sure what the problem is then. To narrow down the cause of the problem, does the error occur when you change the expression from "hasPermission(#applicationUser, 'write')" to something else? If that doesn't work, try with a different expression and don't set the custom permission evaluator. You can also try debugging to see what bean it's working on when the error happens. Good luck!

  5. #5

    Just to note

    I tried something slightly different that I assumed would cause the same outcome... and it did.

    I commented out all of my xml configs that I mentioned before and attempted to use the inline logic and still received the same error.

    Code:
    	@PreAuthorize("#applicationUser.login == authentication.name")
    	public void addOrUpdateApplicationUser(ApplicationUser applicationUser) {...}

  6. #6

    What if you are not using the custom PermissionEvaluator?
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
