-
Feb 17th, 2010, 10:50 PM
#1
@PreAuthorized annotation not working with ROO
Hello,
I have tried to use the "@PreAuthorized" annotation as in page 78 of the Spring Security 3.0.1.RELEASE reference document.
I added the following annotation to the "PersonController.createForm" method:
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/person/form", method = RequestMethod.GET)
    public String createForm(ModelMap modelMap) {
        modelMap.addAttribute("person", new Person());
        modelMap.addAttribute("addresses", Address.findAllAddresses());
        modelMap.addAttribute("emails", Email.findAllEmails());
        modelMap.addAttribute("facilitys", Facility.findAllFacilitys());
        modelMap.addAttribute("images", Image.findAllImages());
        modelMap.addAttribute("phones", Phone.findAllPhones());
        modelMap.addAttribute("titles", Title.findAllTitles());
        return "person/create";
    }
and other methods. For some reason the Spring container seems to just ignore the annotation as all calls to this method when using a user that DOES NOT have "ROLE_ADMIN".
The example provided seems simple enough but I MUST be doing something wrong. I have also increased security logging in the LOG4J setting to INFO.
Here is the ApplicationContext-Security.xml file that I'm using:
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schem...-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
        <global-method-security pre-post-annotations="enabled"/>
        <http use-expressions="true" auto-config="true">
            <intercept-url pattern="/users**" access="hasRole('ROLE_ADMIN')"/>
            <intercept-url pattern="/authorities**" access="hasRole('ROLE_ADMIN')"/>
            <intercept-url pattern="/**" access="isAuthenticated()"/>
            <session-management>
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
            </session-management>
            <remember-me />
        </http>
        <authentication-manager>
            <authentication-provider>
                <jdbc-user-service data-source-ref="dataSource"/>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
Thanks much for your help!
-
Feb 18th, 2010, 09:09 PM
#2
Just out of curiosity, how did you get the
@PreAuthorize("hasRole('ROLE_ADMIN')")
into your code?
Did you "Refactor > Push-In Refactor" and is this the resulting .aj file?
-
Feb 19th, 2010, 08:51 AM
#3
MarkGo,
Because I thought the problem could have been that I was using the "@PreAuthorize" annotation in the .aj files generated by ROO, I decided to use "push in" refactoring, which merged all the aspect code in the .aj files into their respective .java files. This did not work.
Made a typo in the previous posting "@PreAuthorized" should have been "@PreAuthorize" which is what I used in my code.
I think there is an issue with Spring and ROO in that the proxy decorator object that provides the security services created by Spring Security is not being used but instead the core object that is being wrapped (or decorated) is being referenced directly.
Does anyone know if this is the case? And if there is a fix currently or in the works?
Appreciate your help!
Kobezig
-
May 6th, 2010, 08:29 AM
#4
Exactly the same problem...
Hi,
sorry I have no answer. But I have exactly the same problem. Does @PreAuthorize not work together with @RequestMapping?
Regards,
broesel
-
May 8th, 2010, 03:51 PM
#5
same issue
Anyone succeeded with the combination of those 2 annotations?
In my code it is also ignoring the @PreAuthorize annotation although it is configured with <global-method-security pre-post-annotations="enabled"/>
Thanks for your feedback
EDIT:
Found it, you need to redefine <global-method-security pre-post-annotations="enabled"/> in the config file which is also used for your controllers. In Spring Roo this is webmvc-config.xml. When configuring security with roo, the config file applicationContext-security.xml is initially configured to enable those annotations. This was a little confusing...
Last edited by dfranssen; May 8th, 2010 at 04:11 PM.
-
May 18th, 2010, 10:00 PM
#6
bump, thanks for the tip dfranssen, drove me all sorts of crazy
You would need
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:mvc="http://www.springframework.org/schema/mvc"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schem...ontext-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schem...curity-3.0.xsd
            http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd">
    <sec:global-method-security pre-post-annotations="enabled"/>
on top of the file for this (note the sec and sec's xmlns)
Last edited by hatim; May 18th, 2010 at 10:07 PM.
-
May 19th, 2010, 07:31 AM
#7
This is due to the visibility of beans in child contexts - the controller beans aren't visible from the parent context. There's also a FAQ on this.
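The parent/child visibility described in post #7, as an added example that is not part of the original thread: a post-processor declared only in the root context is never offered the beans of the child (servlet) context, which is why the annotation was ignored until it was also declared in webmvc-config.xml. Assumptions: `RecordingPostProcessor` stands in for the proxy machinery that `<global-method-security>` sets up, the class names are hypothetical, and spring-context is on the classpath.

```java
import java.util.HashSet;
import java.util.Set;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;

public class ContextScopeDemo {
    // Simple class names of every bean a RecordingPostProcessor was offered.
    static final Set<String> SEEN = new HashSet<String>();

    // Assumption: stand-in for the proxy-creating machinery that
    // <global-method-security> registers. It records instead of proxying.
    public static class RecordingPostProcessor implements BeanPostProcessor {
        public Object postProcessBeforeInitialization(Object bean, String name) {
            return bean;
        }
        public Object postProcessAfterInitialization(Object bean, String name) {
            SEEN.add(bean.getClass().getSimpleName());
            return bean;
        }
    }

    public static class PersonService {}     // hypothetical root-context bean
    public static class PersonController {}  // hypothetical servlet-context bean

    // Builds a root context and a child context, as ContextLoaderListener and
    // DispatcherServlet do, and reports whether the controller was post-processed.
    static boolean controllerProcessed(boolean declareInChild) {
        SEEN.clear();
        AnnotationConfigApplicationContext root = new AnnotationConfigApplicationContext();
        root.register(RecordingPostProcessor.class, PersonService.class);
        root.refresh();                       // role of applicationContext-security.xml
        AnnotationConfigApplicationContext web = new AnnotationConfigApplicationContext();
        web.setParent(root);
        web.register(PersonController.class); // role of webmvc-config.xml
        if (declareInChild) {
            web.register(RecordingPostProcessor.class);
        }
        web.refresh();

        boolean processed = SEEN.contains("PersonController");
        web.close();
        root.close();
        return processed;
    }

    public static void main(String[] args) {
        System.out.println("declared in root only: " + controllerProcessed(false));
        System.out.println("declared in child too: " + controllerProcessed(true));
    }
}
```

The same check is useful as a regression test: a request to a `@PreAuthorize`-protected handler made by a user without the role should be denied, which confirms the annotation is enforced in the context that owns the controllers.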