Results 1 to 5 of 5

Thread: @Secured annotation doesn't work

  1. Jan 14th, 2009, 08:42 AM #1
    sangupta
    sangupta is offline Junior Member
    Join Date
    Nov 2008
    Posts
    19

    Default @Secured annotation doesn't work

    I am using Spring Security 2.5.4 with Spring 2.5.4 and the security layer works pretty well straight way. I now plan to add method level security to my application. For the same I added the following line to my application-security.xml

    Code:
    <security:global-method-security secured-annotations="enabled" />
    And then added the @Secured annotations to the methods of my controller class with the permissions such as,

    Code:
    public class MyController extends AbstractWizardFormController {

  @Secured( { "THIS_IS_A_ROLE_DESTINED_TO_FAIL" } )
  public void addUser() {
    // some stuff
  }

}
    But the code doesn't seem to intercept the @Secured annotations. Am I missing something here?

    Thanks for all the help in advance.

    ~ Sandy
  2. Jan 14th, 2009, 09:20 AM #2
    sangupta
    sangupta is offline Junior Member
    Join Date
    Nov 2008
    Posts
    19

    Default Additional Info

    Just to add that the application-security.xml is invoked from the applicationContext.xml and the beans I am trying to secure lie in my application-servlet.xml. Yes, I am talking of a web application.
  3. Jan 14th, 2009, 12:52 PM #3
    Marten Deinum
    Marten Deinum is offline Senior Member
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,624

    Default

    That is never going to work. Security is only going to work in the same ApplicationContext it is defined in... You will have to move it the application-servlet.xml (or move everything from there into the one loaded by ContextLoaderListener).
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author

    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
  4. Jan 15th, 2009, 01:17 AM #4
    sangupta
    sangupta is offline Junior Member
    Join Date
    Nov 2008
    Posts
    19

    Default

    I added both my applicationContext.xml and application-servlet.xml file to my contextConfigLocation but still that seems to not work. The application does start up but the annotation is not being picked up. I don't see the class being proxied either.

    Refactoring all bean mappings to be in applicationContext.xml would be a big pain. Importing application-servlet.xml into the applicationContext.xml didn't help either. The application blew up at startup.

    Please help.
  5. Jan 15th, 2009, 02:19 AM #5
    Marten Deinum
    Marten Deinum is offline Senior Member
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,624

    Default

    First I suggest you start reading the reference guide. Adding something to the contextConfigLocation will indeed add it to the root application context. However I also suspect that you have a DispatcherServlet named application which also loads the application-servlet.xml.

    Next to that it still is never going to work (I just noticed that you are using the AWFC). With Spring AOP you can only intercept method calls INTO the object (read chapter 6.6.1 of the reference guide explaining proxies). Your method is ONLY going to be called internally so the @Secured annotation isn't goint to work.

    The only way to get it to work is to switch to load or compile timeweaving. If you want to secure this method.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthousiast / Author

    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules