Thread: @PreAuthorize & @PostAuthorize being ignored

  1. #1
    Join Date
    Jun 2008
    Posts
    21

    @PreAuthorize & @PostAuthorize being ignored

    Greetings,

    I'm using Spring 3.2.0 and Spring Security 3.1.2

    I'm having a problem with my secured method annotations. The secured method is a private method within a Controller, but it is being ignored and I'm not sure why.

    I've read numerous threads about placing the global-method-security in the application context, which I have done to no avail.

    During startup there are no special messages regarding method security failure. Only this:

    [DEBUG] 00:57:29 AspectJMethodSecurityInterceptor - Validated configuration attributes


    Below are snippets of my configuration and code. I would really appreciate any pointers on what I might be doing wrong or might have missed.


    web.xml

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app>
    
      <display-name>mywebapp</display-name>
      
      <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/root-context.xml</param-value>
      </context-param>
      <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
      </listener>
      <servlet>
        <servlet-name>mywebapp</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
          <param-name>contextConfigLocation</param-name>
          <param-value>/WEB-INF/spring/mywebapp-servlet.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
      </servlet>
      <servlet-mapping>
        <servlet-name>mywebapp</servlet-name>
        <url-pattern>/</url-pattern>
      </servlet-mapping>
      <filter>
        <filter-name>securityFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
          <param-name>targetBeanName</param-name>
          <param-value>springSecurityFilterChain</param-value>
        </init-param>
      </filter>
      <filter-mapping>
        <filter-name>securityFilter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    </web-app>

    mywebapp-servlet.xml

    Code:
    <context:spring-configured />
    <context:component-scan base-package="my.webapp" />
    
    <mvc:annotation-driven />
    
    <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" mode="aspectj" />

    MyContoller.class

    Code:
    @Controller
    public class MyContoller implements ServletContextAware
    {

        public MyContoller() {
            super();
        }

        @PostAuthorize("hasRole('admin') or returnObject.username == authentication.name")
        private Account getAccount(Integer id, Authentication auth)
        {
            Account account = null;
            if (id != null)
                account = accountService.getAccount(id);
            else
                account = accountService.getAccountByEmail(auth.getName());
            return account;
        }

        @RequestMapping(value="/settings/profile", method=RequestMethod.GET)
        public ModelAndView getProfile(@RequestParam(value="id", required=false) Integer id, Authentication auth, WebRequest request)
        {
            Account account = getAccount(id, auth);
            //Etc.
        }

    }

  2. #2
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,695

    I suggest a read of the reference guide. Only EXTERNAL method calls can be intercepted and not INTERNAL method calls, due to the fact that Spring uses proxies to apply AOP. So the annotation on your private method (which is always an internal method call) isn't going to work.

    If you want this to work you need to switch to either load-time or compile-time weaving to apply AOP.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
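
The behavior described in reply #2, as an added example that is not from the thread or from Spring's own code: a plain-JDK dynamic proxy that enforces a check only on calls entering through the proxy. `RequiresAdmin`, `AccountService` and `secure` are hypothetical names standing in for the security annotation, the secured bean and the security interceptor.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;

public class SelfInvocationDemo {
    // Hypothetical stand-in for @PreAuthorize/@PostAuthorize.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresAdmin {}

    interface AccountService {
        @RequiresAdmin String getAccount(int id);
        String getProfile(int id);
    }

    static class AccountServiceImpl implements AccountService {
        public String getAccount(int id) { return "account-" + id; }
        // Internal call: 'this' is the raw target object, not the proxy.
        public String getProfile(int id) { return "profile of " + getAccount(id); }
    }

    // Like a proxy-based interceptor, the check runs only for calls made on the proxy.
    static AccountService secure(AccountService target, boolean callerIsAdmin) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.isAnnotationPresent(RequiresAdmin.class) && !callerIsAdmin)
                throw new SecurityException("denied: " + method.getName());
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the target's own exception
            }
        };
        return (AccountService) Proxy.newProxyInstance(
            AccountService.class.getClassLoader(), new Class<?>[] { AccountService.class }, h);
    }

    public static void main(String[] args) {
        AccountService svc = secure(new AccountServiceImpl(), false); // non-admin caller
        try {
            svc.getAccount(7); // external call: goes through the proxy and is checked
            System.out.println("getAccount: allowed");
        } catch (SecurityException e) {
            System.out.println("getAccount: " + e.getMessage());
        }
        // getProfile carries no annotation; its internal getAccount call never reaches the handler.
        System.out.println("getProfile: " + svc.getProfile(7));
    }
}
```

In proxy mode, the annotated method has to be a public method on a separate bean, invoked through the injected reference, for the interceptor to see the call.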

  3. #3
    Join Date
    Jun 2008
    Posts
    21

    Is the same true of classes which implement an interface? I shifted the code to a service class and it is still ignored.

  4. #4
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,695

    If it is an internal method call, it doesn't matter where it is; it will never be intercepted with proxy-based AOP.
    Marten Deinum
