Securing a SimpleFormController

**keith123** · Oct 11th, 2012, 03:27 PM

Maybe I am missing something but I read the FAQ's on securing controller methods and I implemented the solution, however my annotation is not working on SimpleFormController types it is only working on annotated ones. How would I wire this to work for both types of controllers (old and new).

servlet.xml

Code:

	<sec:global-method-security pre-post-annotations="enabled">
	 	 <sec:expression-handler ref="expressionHandler"/> 
	 </sec:global-method-security>

Works:

Code:

@RequestMapping(method=RequestMethod.GET)
@PreAuthorize("hasAuthority('ROLE_BOGUS')")
public void form(HttpSession session, Model model) {

Doesn't Work (SimpleFormController)

Code:

@PreAuthorize("hasAuthority('ROLE_BOGUS')")
protected Object formBackingObject(HttpServletRequest request)

Thanks,

Keith

**Marten Deinum** · Oct 12th, 2012, 01:18 AM

I suggest you read the Spring AOP chapter especially the part that explains about proxies...

Basically the only method to secure on old style controllers is handleRequest as that is the only public called method and because aop is based on proxies that is the only method that is being proxied all other calls are internal method calls.

Thread: Securing a SimpleFormController

Thread Tools

Display

Securing a SimpleFormController

Posting Permissions