
Thread: A little help with @PostAuthorize? (SS 3.0.0.M1)

  1. #1


    Hi, I'm trying to use the @PostAuthorize annotation with EL to compare properties on the return value of a method.
    But I'm not having much luck - I'm able to access method return values that my principal should not be able to access:

    Config:

    Code:
    <global-method-security pre-post-annotations="enabled"/>
    
    <http use-expressions="true">
        <intercept-url pattern="/sites/**" access="hasRole('ROLE_OWNER')" />
        <http-basic />
    </http>
    Service interface:

    Code:
    import org.springframework.security.access.prepost.PostAuthorize;
    import org.springframework.security.access.prepost.PreAuthorize;
    
    @PreAuthorize("hasRole('ROLE_OWNER')")
    public interface SiteService {
    
        // Post-invocation check: the caller must own the Site that was returned
        @PostAuthorize("returnObject.owner.key == principal.key")
        Site getSite(String siteId);
    }
    The Site object has a nested Owner object, which has a Long key property.
    The Principal is a custom UserDetails object, which has a Long key property.


    Anything I'm missing?

    I've verified I do have a correct principal in the context. But I'm able to call the getSite method above, even if my principal's key property does not match the return value's.

  2. #2


    A little more info:

    Debugging shows that this class is never getting called:
    org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice

    though I assume it should. What would cause that to happen?

    From reading the various docs, I assumed that this would register the necessary classes:
    <global-method-security pre-post-annotations="enabled"/>

  3. #3


    Ah, progress!

    Tried adding the @PostAuthorize annotation to a method on my controller, and it's behaving as expected.

    Then moved the annotation to the service implementation instead of the interface, and it works fine...

    I can live with that, but I thought the interface would work?

    The tutorial example shows these annotations on an interface:
    https://src.springframework.org/svn/...nkService.java

    Same as here:
    http://stsmedia.net/spring-finance-p...3-integration/

    If it is supported, what might be causing this behavior?

  4. #4
    Luke Taylor (Acegi Security System Team, Spring Team)


    It should work on both interface and class. If

    http://static.springsource.org/sprin...in-web-context

    doesn't apply, then post a sample demonstrating the problem in Jira and I'll take a look at it.
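The security-relevant point behind this thread is a fail-open: if a method interceptor does not find the @PostAuthorize rule, the return value is handed back unchecked, which is exactly the symptom in post #1. Java does not inherit method annotations from interfaces to implementing classes, so an interceptor that inspects only the implementation method never sees a rule declared on the interface; Spring's own lookup (AnnotationUtils.findAnnotation) does traverse interfaces, which is why the annotation works in both places as Luke says. The following is an added example written for this page, not code from the thread or from Spring Security. It uses a toy PostAuthorize annotation, hypothetical Site/Owner/Principal records modelled on the poster's description, and a JDK dynamic proxy to contrast the two lookup strategies; it only understands the single expression the poster used and assumes Java 17 or later.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

// Added example, not from the thread or Spring Security: a toy post-authorization
// interceptor that shows how the annotation lookup decides whether an
// interface-declared rule is enforced at all.
public class PostAuthorizeLookupDemo {

    // Toy stand-in for org.springframework.security.access.prepost.PostAuthorize.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface PostAuthorize {
        String value(); // only "returnObject.owner.key == principal.key" is evaluated here
    }

    // Hypothetical domain types mirroring the Site/Owner/principal shape in post #1.
    record Owner(long key) {}
    record Site(String id, Owner owner) {}
    record Principal(long key) {}

    interface SiteService {
        @PostAuthorize("returnObject.owner.key == principal.key")
        Site getSite(String siteId);
    }

    // The implementation deliberately carries no annotation: the rule lives on the interface only.
    static class SiteServiceImpl implements SiteService {
        @Override
        public Site getSite(String siteId) {
            // Constructed data: every site is owned by the user with key 42.
            return new Site(siteId, new Owner(42L));
        }
    }

    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    @FunctionalInterface
    interface Lookup {
        PostAuthorize find(Object target, Method interfaceMethod) throws NoSuchMethodException;
    }

    // Lookup 1: inspect only the implementation class's method. Method annotations are not
    // inherited from interfaces, so a rule declared on SiteService is invisible here.
    static PostAuthorize classOnlyLookup(Object target, Method interfaceMethod) throws NoSuchMethodException {
        Method impl = target.getClass().getMethod(interfaceMethod.getName(), interfaceMethod.getParameterTypes());
        return impl.getAnnotation(PostAuthorize.class);
    }

    // Lookup 2: implementation method first, then the same signature on every implemented
    // interface. This is the traversal that makes interface-declared rules effective.
    static PostAuthorize classThenInterfacesLookup(Object target, Method interfaceMethod) throws NoSuchMethodException {
        PostAuthorize rule = classOnlyLookup(target, interfaceMethod);
        if (rule != null) return rule;
        for (Class<?> iface : target.getClass().getInterfaces()) {
            try {
                rule = iface.getMethod(interfaceMethod.getName(), interfaceMethod.getParameterTypes())
                            .getAnnotation(PostAuthorize.class);
                if (rule != null) return rule;
            } catch (NoSuchMethodException ignored) {
                // interface does not declare this method; keep searching
            }
        }
        return null;
    }

    // Wraps the service in a JDK proxy that runs the method, then applies the rule (if found)
    // to the return value. A missing rule means no check: that is the fail-open path.
    static SiteService secure(SiteService target, Principal principal, Lookup lookup) {
        return (SiteService) Proxy.newProxyInstance(
            SiteService.class.getClassLoader(), new Class<?>[] { SiteService.class },
            (proxy, method, args) -> {
                Object result;
                try {
                    result = method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();
                }
                PostAuthorize rule = lookup.find(target, method);
                if (rule != null
                        && "returnObject.owner.key == principal.key".equals(rule.value())
                        && result instanceof Site site
                        && site.owner().key() != principal.key()) {
                    throw new AccessDeniedException("principal " + principal.key()
                            + " is not the owner of site " + site.id());
                }
                return result;
            });
    }

    public static void main(String[] args) {
        Principal notTheOwner = new Principal(7L);

        // Class-only lookup: no rule is found, so the non-owner receives the Site.
        SiteService failsOpen = secure(new SiteServiceImpl(), notTheOwner, PostAuthorizeLookupDemo::classOnlyLookup);
        System.out.println("class-only lookup returned: " + failsOpen.getSite("site-1"));

        // Interface-aware lookup: the rule is found and the non-owner is denied.
        SiteService enforced = secure(new SiteServiceImpl(), notTheOwner, PostAuthorizeLookupDemo::classThenInterfacesLookup);
        try {
            enforced.getSite("site-1");
        } catch (AccessDeniedException e) {
            System.out.println("interface-aware lookup denied: " + e.getMessage());
        }
    }
}
```

Two things worth checking in a real deployment follow from this: confirm that the post-invocation advice actually runs (as post #2 did by breakpointing ExpressionBasedPostInvocationAdvice) rather than inferring it from a successful call, and treat any code path where an authorization annotation cannot be resolved as a reason to deny, not to return the object.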
