使用@Secured 时，spring 会话范围表单为空

Question

When use @Secured annotation, form(controller's member and session scope) become null.

Form.java

@Component
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public class Form {
  //members...
}

Controller.java

@Controller
public class Controller {
    @Autowired
    private Form form;

    @ModelAttribute("form")
    private Form initForm(Principal principal) {
        return form;
    }

    @RequestMapping(value = "/someAction", method = { RequestMethod.POST })
    @Secured("hasRole('ROLE_CHILD')")
    public String someAction(Principal principal) {
        return "/some"
    }
}

some.html(with thymeleaf)

<!-- display when form is NOT null -->
<span th:if="${form}">form is NOT null</span>
<!-- display when form is null -->
<span th:unless="${form}">form is null</span>

I browse "/someAction", then "form is null" is displayed.

and change Controller#someAction(Principal) code like below (delete @Secured annotation)

    @RequestMapping(value = "/someAction", method = { RequestMethod.POST })
    //@Secured("hasRole('ROLE_CHILD')")
    public String someAction(Principal principal) {
        return "/some"
    }

again browse page, "form is NOT null" is displayed.

if use @PreAuthorize instead of @Secured, it becomes same result. And Security function supplied by @Secured works fine. I got 403 response.

Why @Secured make form null?

tested on

• spring-security-web:3.2.0.M2
• spring-security-web:3.2.0.RELEASE
• spring-security-web:3.2.4.RELEASE

and

• spring-core:3.2.9

Answer 1

Try changing the scope of initForm method from private to public. – Shinichi Kai You save my day, thanks you !