Thread: Putting security annotations in BlahController_Roo_Controller.aj

  1. #1
    Join Date
    Feb 2010
    Posts
    8

    It seems Spring security now has 3 different implementations that can be implemented by annotations at the method level,

    1) secured-annotations for pre-Spring 3.0 security

    2) jsr250-annotations the Java standard way

    3) pre-post-annotations introduced in Spring 3.0

    I think I am right in saying each can be applied by putting an annotation, e.g. @Secure("ROLE_BLAH") or similar, at the start of a method.

    I am not able to get any of these to be recognised when I put them above the methods in BlahRecordController_Roo_Controller.aj

    Is it possible to include these security annotations in these aspects? If so, what should I be doing?

    I am enabling the relevant security settings as follows:
    <global-method-security secured-annotations="enabled" jsr250-annotations="enabled" pre-post-annotations="enabled" />

  2. #2
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    668

    I don't have the answer for you, but I do know that it's not a good idea to modify your project's .aj files, as these are managed by Roo (which might decide to remove your changes at some later point). If you want to customise your controllers' behaviour, the safe approach is to "push in" the relevant elements (methods, etc) from the .aj file into the .java file, and make your changes there. You might even find that this makes your annotations work properly.
    Andrew Swan
    "Now is the EJB of our discontent made glorious Spring"

  3. #3
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Good news... AspectJ is smart enough to allow you to introduce annotations to methods that were also introduced via an ITD!

    The following is the "normal" style we use in Roo ITDs:

    Code:
        @LogIt
        public static List<Choice> Choice.findAllChoices() {..}
    This adds a findAllChoices() method into the Choice type. It also ensures that method is annotated with @LogIt.

    This is actually equivalent:

    Code:
        declare @method: public List<Choice> Choice.findAllChoices(): @LogIt;
    
        public static List<Choice> Choice.findAllChoices() {..}
    The good news is the "declare @method" can be in a different ITD to the one that defines the method introduction. Therefore you can easily add annotations to Roo ITD-introduced methods, which will be ideal for your security use case.

    HTH
    Ben

    PS: Ensure you're using the latest AJDT and AspectJ, otherwise you might see bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=288635. I tested the above with AJDT version 2.0.3.e35x-20100129-1100; AspectJ version 1.6.8.20100108135337 in STS 2.3.1.RC2.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  4. #4
    Join Date
    Jan 2010
    Posts
    22

    Quote Originally Posted by Ben Alex View Post
    Good news... AspectJ is smart enough to allow you to introduce annotations to methods that were also introduced via an ITD!
    Great!!!!

    I think this is very useful!!
    Jose Manuel Vivó Arnal ( Chema ) @jmvivo
    DiSiD Technologies S.L. (http://www.disid.com)

  5. #5
    Join Date
    Feb 2010
    Posts
    8

    Hello Alex

    Thanks for that, it could be very helpful, but how do I implement it?

    For example the following is standard Roo generated code

    BlahController_Roo_Controller.aj {
    ...
    public String BlahController_Roo_Controller.list(@RequestParam(value = "page", required = false) Integer page, @RequestParam(value = "size", required = false) Integer size, ModelMap modelMap)
    ..
    }

    So I created an aspect

    privileged aspect BlahController_Our_Controller {
    declare @method: public String BlahController.list():
    @Secured("ROLE_TELLER");
    }

    But I get error The method 'public java.lang.String BlahController.list()' does not exist

    So I tried with all the parameters

    declare @method: public String BlahController.list(Integer page, Integer size, ModelMap modelMap): @Secured("ROLE_TELLER");

    But I get an error
    Syntax error on token "page", ")"
    which suggests to me that there should be no parameters

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Quote Originally Posted by MarkGo View Post
    For example the following is standard Roo generated code

    Code:
    BlahController_Roo_Controller.aj {
    ...
    public String BlahController_Roo_Controller.list(@RequestParam(value = "page", required = false) Integer page, @RequestParam(value = "size", required = false) Integer size, ModelMap modelMap)
    ..
    }
    So I created an aspect

    privileged aspect BlahController_Our_Controller {
    declare @method: public String BlahController.list():
    @Secured("ROLE_TELLER");
    }

    But I get error The method 'public java.lang.String BlahController.list()' does not exist
    AspectJ is correct. You should use BlahController.list(..) (ie the .. means 0 or more matching arguments to AspectJ). Your expression above said you want a list() method with zero arguments.

    Quote Originally Posted by MarkGo View Post
    So I tried with all the parameters

    Code:
    declare @method: public String BlahController.list(Integer page, Integer size, ModelMap modelMap): @Secured("ROLE_TELLER");
    But I get an error
    Syntax error on token "page", ")"
    which suggests to me that there should be no parameters
    In this second case you're putting in parameter names (ie page, size, modelMap). Try removing them, but leaving the parameter types (ie Integer, Integer, ModelMap). Assuming you've imported the types in the aspect's import statement area, or fully qualified those parameter types, it should work.

    A good overview of writing pointcut definitions can be found in the AspectJ documentation. But I think the above will set you in the right direction. If not please don't forget to include your AJDT and AspectJ view (as shown in the About dialogue of STS/Eclipse after you click the AspectJ button).
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security

  7. #7
    Join Date
    Feb 2010
    Posts
    8

    I have got the following to compile

    declare @method: public String OwnerController.list(Integer , Integer , ModelMap ): @Secured("ROLE_TELLER");

    But even with the following in applicationContext-security.xml it still does not stop me accessing the owner list when I do not have the role "ROLE_TELLER".

    <global-method-security secured-annotations="enabled"> </global-method-security>

  8. #8
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    You need to add the Spring Security Aspects library into your Aspect Path and modify your global-method-security accordingly. I'd recommend asking about this on the Spring Security forum.
    Ben Alex
    Project Founder, Spring UAA, Spring Roo and Spring Security
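
One way to apply the last reply's advice, as an added example that is not from any poster in this thread. It assumes a Maven build that already uses aspectj-maven-plugin and a Spring Security release whose `global-method-security` element supports `mode="aspectj"`; the version property name is a placeholder.

```xml
<!-- pom.xml (fragment): make the Spring Security aspects available for weaving.
     ${spring-security.version} is a placeholder property, not taken from the thread. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-aspects</artifactId>
    <version>${spring-security.version}</version>
</dependency>

<!-- pom.xml (fragment): inside the existing aspectj-maven-plugin <configuration>,
     add the library to the aspect path so its aspect is woven into the controllers. -->
<aspectLibraries>
    <aspectLibrary>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-aspects</artifactId>
    </aspectLibrary>
</aspectLibraries>

<!-- applicationContext-security.xml, before (as in post #7): proxy-based enforcement -->
<global-method-security secured-annotations="enabled"/>

<!-- applicationContext-security.xml, after: enforcement by the woven aspect -->
<global-method-security secured-annotations="enabled" mode="aspectj"/>
```

After rebuilding, a request to the owner list from a user without ROLE_TELLER should be denied; if it still succeeds, check that the aspect library was actually woven into the controller classes.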
