
Spring Security @PreAuthorize annotation doesn't work

I have a Java web application with Spring Security. I use the @PreAuthorize annotation, but it doesn't work.

I have a PermissionResolver class, which implements the PermissionEvaluator interface, and an AccessClassService, which uses the @PreAuthorize annotation.

When I set breakpoints on the hasPermission methods in the PermissionResolver class and run the application in debug mode, I see that the hasPermission methods are not called.

Can anybody help me?

My securityContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:global-method-security pre-post-annotations="enabled">
        <security:expression-handler ref="permissionHandler"/>
    </security:global-method-security>

    <bean id="permissionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="eval"/>
    </bean>

    <bean id="eval" class="org.mydomain.myapp.infrastructure.security.PermissionResolver" />

    <security:http auto-config="true"  use-expressions="true" disable-url-rewriting="true">
        <security:intercept-url pattern="/favicon.ico" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll"/>
        <security:intercept-url pattern="/login" access="isAnonymous()"/>
        <security:intercept-url pattern="/registration/**" access="isAnonymous()"/>
        <security:intercept-url pattern="/restorePassword" access="isAnonymous()"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>

        <security:form-login login-page="/login" authentication-failure-url="/login?fail" default-target-url="/" />
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider user-service-ref="hibernateUserService" />
    </security:authentication-manager>

</beans>

My PermissionResolver.java

public class PermissionResolver implements PermissionEvaluator{

    @Autowired
    private AccessClassService service;

    @Override
    public boolean hasPermission(Authentication a, Object o, Object o1) {
        return false;
    }

    @Override
    public boolean hasPermission(Authentication a, Serializable targetId, String targetType, Object o) {        
        return false;
    }

}

And a service with @PreAuthorize annotation (with test parameters)

@Service
public class AccessClassService {

    @Autowired
    private PersistableDAO dao;

    public AccessClass getInitialAccessClass(){
        return dao.getOneByAttr(AccessClass.class, "number", 0);
    }

    @Transactional
    @PreAuthorize("hasPermission('12','AccessClass')")
    public AccessClass get(Long id){
        return dao.get(AccessClass.class, id);
    }

    public Integer getAccessClassNumber(Long id){
        return (Integer)dao.getCriteria(AccessClass.class)
                .setProjection(Projections.property("number"))
                .add(Restrictions.eq("id", id)).uniqueResult();
    }

}

Problem solved. I cannot use the service within PermissionResolver. If I don't use it, or use the DAO, everything is OK.
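
A PermissionResolver that follows the resolution above by depending on the DAO instead of AccessClassService, shown as an added example that is not part of the original post. The authority naming rule, `AccessClass.getNumber()` and the `'read'` permission in the comments are assumptions; `PersistableDAO` and `AccessClass` are the poster's classes, whose packages the page does not show.

```java
package org.mydomain.myapp.infrastructure.security;

import java.io.Serializable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
// Also import the poster's PersistableDAO and AccessClass (packages not shown on the page).

public class PermissionResolver implements PermissionEvaluator {

    // Depend on the DAO, not on AccessClassService, which itself carries @PreAuthorize.
    @Autowired
    private PersistableDAO dao;

    // Reached by hasPermission(target, permission), e.g. hasPermission(#accessClass, 'read').
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof AccessClass)) {
            return false; // unknown target type: deny
        }
        return allowed(auth, (AccessClass) target, permission);
    }

    // Reached by hasPermission(id, type, permission), e.g. hasPermission(#id, 'AccessClass', 'read').
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"AccessClass".equals(targetType) || !(targetId instanceof Long)) {
            return false; // unsupported type or id: deny
        }
        AccessClass target = dao.get(AccessClass.class, (Long) targetId);
        return target != null && allowed(auth, target, permission);
    }

    // Hypothetical rule: the caller needs the authority ACCESS_CLASS_<number>_<permission>.
    private boolean allowed(Authentication auth, AccessClass target, Object permission) {
        if (auth == null || !auth.isAuthenticated() || permission == null) {
            return false;
        }
        String required = "ACCESS_CLASS_" + target.getNumber() + "_" + permission;
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false; // deny by default
    }
}
```

Injecting the `@PreAuthorize`-annotated service into the evaluator makes Spring create that service while the method-security infrastructure is still being built, so it can miss being proxied and its methods run unchecked. A test that calls `get()` without the required authority and expects `AccessDeniedException` catches that fail-open state.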
