I'm trying my hand at Spring Security 2.0M2. Playing around with spring-security-samples-tutorial-2.0-M2.war I discovered that the @Secured tag does not function the way it should.
The BankService has this code snippet:

Code:
@Secured("ROLE_TELLER")
public Account post(Account account, double amount);

which means that only a user logged in as ROLE_TELLER can access the service method; otherwise a 403 exception is thrown. Makes sense. The applicationContext-business.xml has this:

Code:
<bean id="bankService" class="bigbank.BankServiceImpl">
    <constructor-arg ref="bankDao"/>
    <!-- This will add a security interceptor to the bean
    <security:intercept-methods>
        <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
    </security:intercept-methods>
    -->
</bean>

By default the security:intercept-methods element is commented out. The flow of the app I followed:
- Enter Home Page
- Click on listAccounts
- Click on the amount to add or subtract the amount in account (calls the post method)
- The amount is changed and the new amount is reflected.
As per the @Secured annotation I should have got the login screen first, which did not occur, and I was able to access the resource without logging in.
Now let's ignore the @Secured, uncomment the security:intercept-methods in applicationContext-business.xml, and restart the application.
It asked me to log in when trying to access the resource and gives access only to ROLE_TELLER; the other user fails. Is this a bug, or is something missing in terms of configuration? Or do I have to use both (which does not make sense)?
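For comparison, here is an added configuration fragment (not from the post or the sample application) showing the applicationContext-business.xml with the Spring Security 2.0 namespace element that turns on processing of @Secured annotations; the schema locations and the bean definition are assumed to match the tutorial sample, and the point it illustrates is that an annotation nobody reads leaves the method unprotected.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Added example: without this element no method-security interceptor is
         created for annotated beans, so @Secured("ROLE_TELLER") on
         BankService.post is silently ignored and anonymous callers reach it
         (the behaviour observed in the post). With it, the annotation is
         enforced and no separate <security:intercept-methods> block is needed. -->
    <security:global-method-security secured-annotations="enabled" />

    <!-- Same service bean as in the tutorial sample; the explicit
         intercept-methods block is left out because the annotation
         now carries the access rule. -->
    <bean id="bankService" class="bigbank.BankServiceImpl">
        <constructor-arg ref="bankDao"/>
    </bean>

</beans>
```

A quick check after deploying is to repeat the listAccounts/post flow while logged out and confirm the login page appears, then log in as a non-ROLE_TELLER user and confirm the 403.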