
Thread: Spring Security 2.0 @Secured Annotations: BUG?

  1. #1

    Spring Security 2.0 @Secured Annotations: BUG?

    Guys,

    I'm trying my hand at Spring Security 2.0 M2. Playing around with spring-security-samples-tutorial-2.0-M2.war I discovered that the @Secured tag does not function the way it should.

    The BankService has the code snippet

    Code:
      @Secured("ROLE_TELLER")
      public Account post(Account account, double amount);
    which means that only a user logged in as ROLE_TELLER can access the service method, otherwise a 403 exception is thrown. Makes sense. The applicationContext-business.xml contains these lines:

    Code:
      <bean id="bankService" class="bigbank.BankServiceImpl">
        <constructor-arg ref="bankDao"/>
        <!-- This will add a security interceptor to the bean
        <security:intercept-methods>
          <security:protect method="bigbank.BankService.*" access="IS_AUTHENTICATED_REMEMBERED" />
          <security:protect method="bigbank.BankService.post" access="ROLE_TELLER" />
        </security:intercept-methods>  -->
      </bean>
    By default the security:intercept-methods element is commented out. The flow of the app I followed:

    1. Enter Home Page
    2. Click on listAccounts
    3. Click on the amount to add or subtract the amount in account (calls the post method)
    4. The amount is changed and the new amount is reflected.


    As per the @Secured annotation I should have got the login screen first, which did not occur, and I was able to access the resource without logging in.

    Now let's ignore the @Secured and uncomment the security:intercept-methods in applicationContext-business.xml, and then restart the application.

    It asked me to log in when trying to access the resource and gives access only to ROLE_TELLER; the other user fails. Is this a bug, or is something missing in terms of configuration? Or do I have to use both (which does not make sense)?

  2. #2
    Join Date: Jun 2006 | Location: The Netherlands | Posts: 13,625

    If you only use @Secured, nothing will happen. You will have to tell Spring to do something with it. You will need to set up a MethodSecurityInterceptor with a SecurityAnnotationAttributes.

    Code:
    <bean id="attributes"
          class="org.springframework.security.annotation.SecurityAnnotationAttributes"/>
    <bean id="objectDefinitionSource"
          class="org.springframework.security.intercept.method.MethodDefinitionAttributes">
      <property name="attributes"><ref local="attributes"/></property>
    </bean>

    <bean id="bankManagerSecurity"
          class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="validateConfigAttributes"><value>false</value></property>
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
      <property name="runAsManager"><ref bean="runAsManager"/></property>
      <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property>
    </bean>
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  3. #3
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449

    Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.

  4. #4


    Quote Originally Posted by Luke:
      Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.
    I am using the <annotation-driven /> element in the XML. Do I still need to use the interceptor?

  5. #5
    Join Date: Mar 2005 | Location: Los Angeles | Posts: 20

    What package is SecurityAnnotationAttributes in?

    Do you know what jar file holds org.springframework.security.annotation.SecurityAnnotationAttributes?
    Last edited by shahbazi; Apr 17th, 2008 at 12:27 PM.

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date: Aug 2004 | Location: Glasgow, Scotland | Posts: 3,449

    This class is no longer in the codebase.

  7. #7
    Join Date: Oct 2004 | Location: Germany | Posts: 143

    Hi

    I have the same problem, using Spring 2.5.3 and Spring Security 2.0.

    My config is:

    Code:
    <security:global-method-security >
          <security:protect-pointcut expression="execution(* de.reitsportkoch.*Service.*(..))" access="ROLE_USER"/>
    </security:global-method-security>
    or

    Code:
    <security:global-method-security secured-annotations="enabled"/>
    and / or

    Code:
    <bean id="daacc" class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"/>

    <bean id="objectDefinitionSource" class="org.springframework.security.annotation.SecuredMethodDefinitionSource"/>

    <bean id="securityInterceptor" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="authenticationManager"><ref local="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
      <property name="objectDefinitionSource"><ref local="objectDefinitionSource"/></property>
    </bean>
    For my JUnit test I create an AnonymousAuthenticationToken, so I expect that all my methods in the service that are marked with @Secured should throw a SecurityException, but this doesn't happen.

    I have looked into the docs and into the sample apps, but I didn't find my mistake.

    I hope you can help me. If you need more information, just tell me.

    Thank you very much.

    Regards, Gideon

  8. #8
    Join Date: Apr 2008 | Posts: 2

    Quote Originally Posted by Luke:
      This class is no longer in the codebase.
    So how do we configure Spring Security 2.0.0 to work with annotations? The example application context file (applicationContext-acegi-security.xml in spring-security-samples-tutorial-2.0.0.war) still contains a reference to org.springframework.security.annotation.SecurityAnnotationAttributes, which indeed isn't in the code base. Any docs around on how to set things up?

  9. #9


    Quote Originally Posted by svanvoor:
      So how do we configure Spring Security 2.0.0 to work with annotations? The example application context file (applicationContext-acegi-security.xml in spring-security-samples-tutorial-2.0.0.war) still contains a reference to org.springframework.security.annotation.SecurityAnnotationAttributes, which indeed isn't in the code base. Any docs around on how to set things up?
    I'm having the same problem :-( Have you found a solution??

    I also have my own SecurityAnnotations class, which by default adds a @Secured annotation to every method. How can I implement that with Spring Security 2.0?

    Code:
    import java.lang.reflect.Method;
    import java.util.ArrayList;
    import java.util.Collection;

    import org.springframework.security.SecurityConfig;
    import org.springframework.security.annotation.SecurityAnnotationAttributes;

    // SecyUserRole, SecurityHelper and najsre7.enums.Package are project classes; their imports are omitted.
    public class Re7SecurityAnnotationAttributes extends SecurityAnnotationAttributes {

        private final SecurityConfig DEFAULT_ANNOTATION_SECURED = new SecurityConfig(SecyUserRole.JS_USER.getValue());

        /**
         * We want to use this method to declare default Secured annotations for
         * those methods that should be secured. If Secured is overridden on the
         * interface, the default should be overridden and this method should do nothing.
         */
        @Override
        public Collection getAttributes(Method method) {

            // fetch the existing configuration...
            Collection collection = super.getAttributes(method);

            // Check whether there is no @Secured annotation config (null or empty) -> we add our default.
            if (collection == null || collection.isEmpty()) {
                final String packageName = SecurityHelper.getPackageName(method);
                final boolean votablePackage = najsre7.enums.Package.isVotablePackage(packageName);
                if (votablePackage) {
                    final boolean hasVotableParameters = SecurityHelper.containsLaufnummerIdAsArgument(method);
                    if (hasVotableParameters) {
                        // null means "no attributes", so allocate a list before adding to it
                        if (collection == null) {
                            collection = new ArrayList();
                        }
                        collection.add(DEFAULT_ANNOTATION_SECURED);
                    }
                }
                else {
                    // does not belong to the packages registered as votable, so leave it alone...
                }
            }
            else {
                // The default was overridden by an annotation, so do not set a default and
                // change nothing further.
            }
            return collection;
        }
    }
    Angela
    Last edited by angela; Apr 21st, 2008 at 09:32 AM.

  10. #10
    Join Date: Apr 2008 | Posts: 2

    No, not yet. My @Secured annotations are ignored; it seems like there's still some magic XML I need to find out about.

    Code:
    import org.springframework.security.annotation.Secured;

    public class SpringSecurityTest {
        @Secured({"ROLE_ADMIN"})
        public String secretAdminOnly() {
            return "this top secret bit of text is for admin eyes only.";
        }

        @Secured({"ROLE_USER"})
        public String notSoSecret() {
            return "this is not extremely secret, still, a bit sensitive though.";
        }

        @Secured({"ROLE_ANONYMOUS"})
        public String publicKnowledge() {
            return "Everyone knows this. Not a secret at all.";
        }
    }
    When logged in as a regular user, no security exception gets thrown when I call secretAdminOnly().
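Posts #7 and #10 both describe the same symptom: @Secured annotations that are never enforced in a unit test. The following JUnit 4 test is an added example, not code from this thread or from the Spring Security project. It demonstrates the two conditions under which the annotation is actually checked in Spring Security 2.0.x: method security has to be switched on in the context (the `<security:global-method-security secured-annotations="enabled"/>` element, which replaced the M2 `SecurityAnnotationAttributes` wiring and lives in the separate spring-security-core-tiger jar), and the call has to go through the proxy that the container creates, which an instance built with `new` never is. Outside a web request nothing populates the SecurityContext, so the test installs an Authentication by hand. The context file name `method-security-test.xml`, the `secretService` bean, the users and the roles are all made up for this example.

```java
import static org.junit.Assert.assertEquals;

import org.junit.After;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.AccessDeniedException;
import org.springframework.security.AuthenticationCredentialsNotFoundException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.annotation.Secured;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

/*
 * Added example, not code from this thread or from the Spring Security project. Assumes Spring 2.5.x,
 * Spring Security 2.0.x (core + core-tiger jars) and JUnit 4, plus this constructed file
 * "method-security-test.xml" on the classpath (bean id, users and roles are made up):
 *
 *   <beans xmlns="http://www.springframework.org/schema/beans"
 *          xmlns:security="http://www.springframework.org/schema/security"
 *          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 *          xsi:schemaLocation="http://www.springframework.org/schema/beans
 *              http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
 *              http://www.springframework.org/schema/security
 *              http://www.springframework.org/schema/security/spring-security-2.0.xsd">
 *     <!-- Without this element @Secured is inert metadata that nothing reads. -->
 *     <security:global-method-security secured-annotations="enabled"/>
 *     <!-- The interceptor needs an AuthenticationManager; declaring a provider registers one. -->
 *     <security:authentication-provider>
 *       <security:user-service>
 *         <security:user name="admin" password="admin" authorities="ROLE_ADMIN,ROLE_USER"/>
 *         <security:user name="bob" password="bob" authorities="ROLE_USER"/>
 *       </security:user-service>
 *     </security:authentication-provider>
 *     <bean id="secretService" class="MethodSecurityTest$SecretServiceImpl"/>
 *   </beans>
 */
public class MethodSecurityTest {
    public interface SecretService { String adminOnly(); }

    public static class SecretServiceImpl implements SecretService {
        @Secured({"ROLE_ADMIN"})
        public String adminOnly() { return "admin data"; }
    }

    private static ClassPathXmlApplicationContext context;
    private SecretService service;

    @BeforeClass
    public static void loadContext() {
        context = new ClassPathXmlApplicationContext("method-security-test.xml");
    }

    @Before
    public void lookupProxiedBean() {
        // What the container hands out is the security proxy, not the bare SecretServiceImpl.
        service = (SecretService) context.getBean("secretService");
    }

    @After
    public void logout() {
        SecurityContextHolder.clearContext(); // never leak an Authentication into the next test
    }

    // Outside a web request nothing fills the SecurityContext, so the test does it by hand.
    private static void loginAs(String user, String... roles) {
        GrantedAuthority[] authorities = new GrantedAuthority[roles.length];
        for (int i = 0; i < roles.length; i++) authorities[i] = new GrantedAuthorityImpl(roles[i]);
        // The three-argument constructor marks the token authenticated, so the interceptor
        // does not push it through the AuthenticationManager again.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, "unused", authorities));
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void callWithoutAnyAuthenticationIsRejected() {
        service.adminOnly();
    }

    @Test(expected = AccessDeniedException.class)
    public void userWithoutAdminRoleIsRejected() {
        loginAs("bob", "ROLE_USER");
        service.adminOnly();
    }

    @Test
    public void matchingRoleIsLetThrough() {
        loginAs("admin", "ROLE_ADMIN", "ROLE_USER");
        assertEquals("admin data", service.adminOnly());
    }

    @Test
    public void instanceCreatedWithNewIsNotProtected() {
        // No proxy, no interceptor: the annotation is ignored even though nobody is logged in.
        assertEquals("admin data", new SecretServiceImpl().adminOnly());
    }
}
```

The last test is the check worth keeping in any suite: if a service can be reached without going through the container, the annotation protects nothing, so tests (and production code) must obtain secured beans from the ApplicationContext. The interface exists so the default JDK proxy can be cast to it; a bean with no interface would need CGLIB proxying instead.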
