
@PreAuthorize not working when a secured method is called from another secured method in same class

@PreAuthorize
public void methodA() {
    methodB();
}

@PreAuthorize
public void methodB() {
}

Here methodA() is an interface method and methodB() is called by methodA().

Spring method-level security uses Spring AOP, which is proxy-based. This means that method calls on an object reference will be calls on the proxy, and as such the proxy will be able to delegate to all of the interceptors (e.g. @PreAuthorize) that are relevant to that particular method call.

However, once the call has finally reached the target object, any method calls that it may make on itself are going to be invoked against the this reference, and not the proxy. It means that self-invocation is not going to result in the advice associated with a method invocation getting a chance to execute.

You can find more details here.

Basically, it can work, but this is not recommended. Ideally, you should change your design logic. This is your code when the JVM runs it.

@PreAuthorize
public void methodA() {
    this.methodB();
}

@PreAuthorize
public void methodB() {
}

First, why it is not working:

Spring method-level security uses Spring AOP based proxies, which means that whenever you call a method, it is called on a proxy object (not on the actual object), and this object holds the Spring context and enables you to preauthorize.

But when control reaches the method called from the proxy, any method called inside it is called on the actual object (this), which doesn't hold the Spring context. Hence it does not perform any preauthorization on the method.

Basically, your code is calling methodB() as this.methodB(), which is on the actual object. If you can somehow get the same proxy (via the reflection API or the application context), you can perform the desired operation via the code below (not an actual implementation, just an idea).

@PreAuthorize
public void methodA() {
    proxyObject.methodB();
}

@PreAuthorize
public void methodB() {
}
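
The self-invocation gap described in the answers above, reproduced without Spring as an added example (not code from the original posts or from Spring itself). A plain JDK dynamic proxy stands in for the Spring AOP proxy, and its handler stands in for the @PreAuthorize interceptor; the names `Service`, `ServiceImpl`, `self`, `secure` and `checked` are hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class SelfInvocationDemo {
    interface Service { void methodA(); void methodB(); }

    // Names of the methods whose calls actually passed through the interceptor.
    static final List<String> checked = new ArrayList<>();

    static class ServiceImpl implements Service {
        Service self; // optional reference to the proxy, set after the proxy is created

        public void methodA() {
            if (self != null) self.methodB(); // call re-enters the proxy, so it is intercepted
            else methodB();                   // this.methodB(): the proxy never sees this call
        }
        public void methodB() { }
    }

    // Stand-in for the security interceptor: it runs only for calls made on the proxy.
    static Service secure(ServiceImpl target) {
        InvocationHandler handler = (proxy, method, args) -> {
            checked.add(method.getName()); // a real interceptor would evaluate the expression here
            return method.invoke(target, args);
        };
        return (Service) Proxy.newProxyInstance(
                Service.class.getClassLoader(), new Class<?>[] { Service.class }, handler);
    }

    public static void main(String[] args) {
        // Case 1: the inner call is made on `this`, so methodB's check is silently skipped.
        secure(new ServiceImpl()).methodA();
        System.out.println("self-invocation intercepted: " + checked);

        // Case 2: the target calls methodB through its own proxy, so both checks run.
        checked.clear();
        ServiceImpl wired = new ServiceImpl();
        Service proxied = secure(wired);
        wired.self = proxied;
        proxied.methodA();
        System.out.println("via proxy intercepted:       " + checked);
    }
}
```

The practical consequence for access control is that an authorization rule on methodB() protects it only from external callers; any path that reaches it through another method of the same class is governed solely by that outer method's rule.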
