Spring Securit 2.0 @Secured Annotations: BUG?

[angela]

I just recognized that i have another problem now with my global-method-security definition!

In my old config I used a self implemented class which only added the @secured Annotation if one of the arguments in the method was of class LaufnummerId.

With my configuration now, @secured is added at every method.

Is there a way I can do this with the new configuration? Because the class SecurityAnnotationAttributes doesnt' exist anymore.

regards angela

[mchisty]

Since you are using 2.0-M2 you can also use the <security:annotation-driven/> element to specify that you are using annotations.

Point#1: As found in the latest version (Spring Security v2.0.3), this org.springframework.security.annotation.SecurityAn notationAttributes is not supported anymore.

Point#2: As seen from the url, http://jira.springframework.org/brow...s:all-tabpanel, it is mentioned (by Adam Dyga - 06/May/08 01:34 PM) that " .... MethodDefinitionAttributes class exists, but SecurityAnnotationAttributes doesn't and due to this org.springframework.security.annotation.SecuredMet hodDefinitionSource should be used instead of them. "

But it is NOT mentioned how to use the SecuredMethodDefinitionSource for method level security. It would be better if a detailed example is provided within the documentation. The official documentation seems incomplete.

Point#3: Using <security:annotation-driven/> or, <annotation-driven/ >as mentioned Luke Taylor. But in Spring Security latest version (v2.0.3), this annotation is not found. So it would be better if some concrete solution is provided.

I'm still facing the problem. The @Secured annotation does not work actually.

My suggestion to Luke (or, any other SpringSecurity deveopment team member) is: please provide a complete example for method-based security using the @Secured annotation, this will resolve many problems/queries for members like us. It would be nice if this example includes: a spring-security config file, sample java files with @Secured annotations and specific version of the springsecurity API.

Thanks,
... M. Chisty

[Luke Taylor]

Enabling secured annotations is already explained in the manual:

http://static.springframework.org/sp...ethod-security

and the basic tutorial sample is a complete example - it contains code and configuration files which use secured annotations.

[marshbourdon]

MCHISTY

The reason you are not finding the @Secure annotation is down to the JARs you have a dependency on. Taking the example directly from Spring's example, you could use the following dependency (Maven 2):

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core-tiger</artifactId>
<version>${spring.security.version}</version>
<!-- Bringing in Spring 2.0.8 -->
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-support</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>${spring.security.version}</version>
<!-- Bringing in Spring 2.0.8 -->
<exclusions>
<exclusion>
<groupId>org.springframework</groupId>
<artifactId>spring-support</artifactId>
</exclusion>
</exclusions>
</dependency>

And you will find that you have access to the annotation. Remember that annotations only exist in JDK 1.5 onwards, hence why the 'spring-security-core-tiger' artifact has them, when the 'spring-security-core' does not.

Apologies about the belated response, I hope it helps.