Using @PreAuthorize on SpringData repositories

[rigas.grigoropoulos]

I am trying to secure Spring-Data repositories by using @PreAuthorize annotations on the my repository interface (since most methods are inherited) so that all methods get secured.
The result is that any custom methods included in my interface get security by all methods inherited by Spring-Data interfaces are not.
Applying the same thing on a simple component interface extending a superinterface will work properly.
I am not sure whether this is a Spring-Security or Spring-Data issue. I would appreciate some help figuring this out.
I attach an example with unit tests for the working service setup and the non working Spring-Data repository. The failing testSuperRepositoryWithUser should get an AccessDeniedException, but the @PreAuthorize annotation does not apply on the JpaRepository interface.

[rigas.grigoropoulos]

The same issue also applies when security is applied using protect-pointcut in the xml configuration, even when a pointcut is configured for the org.springframework.data.jpa.repository.JpaReposit ory interface as follows:

Code:

<security:protect-pointcut expression="execution(* org.springframework.data.jpa.repository.JpaRepository.*(..))" 
    access="ROLE_ADMIN" />

[drenda81]

Hi,
I've the same problems of rigas.grigoropoulos. Anyone has a solution for this issue? It's strange no-one complain about this problem; which is the convenience of using JpaRepository if I can't use @PreAuthorize on his methods?

Thanks very much!

[Rob Winch]

I haven't had a chance to look into this yet, but I created a JIRA to look into it. Follow SEC-2150 to keep up to date with this issue.

[drenda81]

Thanks very much Rob!!!