
Thread: Spring Security 2.0 @Secured Annotations: BUG?


  1. #1

    Spring Security 2.0 @Secured Annotations: BUG?

    Guys,

    I'm trying my hands on Spring Security 2.0M2. Playing around with spring-security-samples-tutorial-2.0-M2.war I discovered that the @Secured tag does not function the way it should.

    The BankService has the code snippet

    Code:
      @Secured("ROLE_TELLER")
      public Account post(Account account, double amount);
    which means only a user logged in as ROLE_TELLER can access the service method, else a 403 exception is thrown. Makes sense. The applicationContext-business.xml says this:

    Code:
      <bean id="bankService" class="bigbank.BankServiceImpl">
        <constructor-arg ref="bankDao"/>
        <!-- This will add a security interceptor to the bean
        <security:intercept-methods>
          <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
          <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
        </security:intercept-methods>  -->
      </bean>
    By default the security:intercept-methods is commented out. The flow of the app I followed:

    1. Enter Home Page
    2. Click on listAccounts
    3. Click on the amount to add or subtract the amount in account (calls the post method)
    4. The amount is changed and the new amount is reflected.


    As per the @Secured annotation I should have got the login screen first, which did not occur, and I was able to access the resource without logging in.

    Now let's ignore the @Secured and uncomment the security:intercept-methods from applicationContext-business.xml, and then restart the application.

    It asked me to log in when trying to access the resource and gives access only to the ROLE_TELLER; the other user fails. Is this a bug, or is something missing in terms of configuration? Or do I have to use both (does not make sense)?

  2. #2
    If you only use the @Secured nothing will happen. You will have to tell Spring to do something with it. You will need to set up a MethodSecurityInterceptor with a SecurityAnnotationAttributes.

    Code:
    <bean id="attributes"
                class="org.springframework.security.annotation.SecurityAnnotationAttributes"/>
    <bean id="objectDefinitionSource"
                class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
      <property name="attributes"><ref local="attributes"/></property>
    </bean>
    
    <bean id="bankManagerSecurity"
                class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="validateConfigAttributes"><value>false</value></property>
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
      <property name="runAsManager"><ref bean="runAsManager"/></property>
      <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


  3. #3
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.

  4. #4

    Originally posted by Luke:
    "Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations."

    I am using the <annotation-driven /> element in the XML. Do I still need to use the interceptor?

  5. #5
    What package is in SecurityAnnotationAttributes?

    Do you know what jar file holds org.springframework.security.annotation.SecurityAnnotationAttributes?
    Last edited by shahbazi; Apr 17th, 2008 at 12:27 PM.

  6. #6
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    This class is no longer in the codebase.

  7. #7
    SpringSecurity v2.0.3 >> @Secured annotation not working

    Originally posted by Luke Taylor:
    "Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations."

    Point#1: As found in the latest version (Spring Security v2.0.3), this org.springframework.security.annotation.SecurityAnnotationAttributes is not supported anymore.

    Point#2: As seen from the url, http://jira.springframework.org/brow...s:all-tabpanel, it is mentioned (by Adam Dyga - 06/May/08 01:34 PM) that " .... MethodDefinitionAttributes class exists, but SecurityAnnotationAttributes doesn't and due to this org.springframework.security.annotation.SecuredMethodDefinitionSource should be used instead of them. "

    But it is NOT mentioned how to use the SecuredMethodDefinitionSource for method level security. It would be better if a detailed example is provided within the documentation. The official documentation seems incomplete.

    Point#3: Using <security:annotation-driven/> or <annotation-driven/>, as mentioned by Luke Taylor. But in the latest Spring Security version (v2.0.3), this annotation is not found. So it would be better if some concrete solution is provided.

    I'm still facing the problem. The @Secured annotation does not work actually.

    My suggestion to Luke (or any other SpringSecurity development team member) is: please provide a complete example for method-based security using the @Secured annotation; this will resolve many problems/queries for members like us. It would be nice if this example includes: a spring-security config file, sample Java files with @Secured annotations and the specific version of the springsecurity API.

    Thanks,
    ... M. Chisty

  8. #8
    Luke Taylor (Senior Member, Acegi Security System Team, Spring Team)

    Enabling secured annotations is already explained in the manual:

    http://static.springframework.org/sp...ethod-security

    and the basic tutorial sample is a complete example - it contains code and configuration files which use secured annotations.

  9. #9


    MCHISTY

    The reason you are not finding the @Secure annotation is down to the JARs you have a dependency on. Taking the example directly from Spring's example, you could use the following dependency (Maven 2):
    Code:
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core-tiger</artifactId>
        <version>${spring.security.version}</version>
        <!-- Bringing in Spring 2.0.8 -->
        <exclusions>
          <exclusion>
            <groupId>org.springframework</groupId>
            <artifactId>spring-support</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
        <!-- Bringing in Spring 2.0.8 -->
        <exclusions>
          <exclusion>
            <groupId>org.springframework</groupId>
            <artifactId>spring-support</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    And you will find that you have access to the annotation. Remember that annotations only exist in JDK 1.5 onwards, hence why the 'spring-security-core-tiger' artifact has them, when the 'spring-security-core' does not.

    Apologies about the belated response, I hope it helps.
    Last edited by marshbourdon; Oct 7th, 2008 at 01:25 AM.
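
The failure mode in this thread is silent: a @Secured annotation that nothing processes leaves the method open to unauthenticated callers. The audit below is an added example, not code from the thread or from Spring Security; it flags source files carrying @Secured when the application context enables no annotation processing. The function names and sample inputs are constructed, and the `global-method-security` element with `secured-annotations="enabled"` comes from the Spring Security 2.0 reference rather than from this thread.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
SECURED_RE = re.compile(r"@Secured\s*\(")

def annotations_enabled(context_xml):
    """True if the context declares something that processes @Secured."""
    root = ET.fromstring(context_xml)  # commented-out XML is ignored by the parser
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        in_security_ns = ns.lstrip("{") == SEC_NS
        if in_security_ns and local == "annotation-driven":  # 2.0-M2 element
            return True
        if (in_security_ns and local == "global-method-security"
                and el.get("secured-annotations") == "enabled"):
            return True
        # Heuristic: a hand-wired interceptor bean counts, but this does not
        # prove the interceptor is actually applied to the annotated beans.
        if local == "bean" and el.get("class", "").endswith("MethodSecurityInterceptor"):
            return True
    return False

def unenforced_secured(context_xml, sources):
    """Names of source files whose @Secured annotations nothing will enforce."""
    if annotations_enabled(context_xml):
        return []
    return sorted(n for n, text in sources.items() if SECURED_RE.search(text))

# Constructed sample input modelled on the snippets in the first post.
TUTORIAL_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  <bean id="bankService" class="bigbank.BankServiceImpl">
    <constructor-arg ref="bankDao"/>
    <!-- <security:intercept-methods>
      <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
    </security:intercept-methods> -->
  </bean>
</beans>"""
FIXED_CONTEXT = TUTORIAL_CONTEXT.replace(
    "</beans>",
    '  <security:global-method-security secured-annotations="enabled"/>\n</beans>')
SOURCES = {"BankService.java":
           '@Secured("ROLE_TELLER")\npublic Account post(Account account, double amount);'}

if __name__ == "__main__":
    print(unenforced_secured(TUTORIAL_CONTEXT, SOURCES))
    print(unenforced_secured(FIXED_CONTEXT, SOURCES))
```

Note that an uncommented `intercept-methods` block protects the bean through XML rules but still does not make the annotation itself effective, so this audit keeps flagging the file in that case.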
