stackoom
  简体   繁体   中英

spring not enforcing method security annotations

 原文  2009-02-05 19:30:20       java/ annotations/ spring-security

Question

I'm some what lost as to why spring isn't enforcing the @Secured("ROLE_USER") on my service interface. My controllers are established using annotations.

An example of my service Interface 

public interface MyServiceManager {

    @Secured("ROLE_USER")
    public void delete(int cid);

    @RolesAllowed({"ROLE_USER"})
    public Contact getContact(int contactId);
}

my security-context: 

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled">
</global-method-security>

<http auto-config="true" >
    <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
    <intercept-url pattern="/addcontact**" access="IS_AUTHENTICATED_REMEMBERED" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

    <concurrent-session-control max-sessions="1"
        exception-if-maximum-exceeded="true"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
    <logout logout-success-url="/welcome.do" logout-url="/logout"/>
</http>
    <authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    </user-service>
</authentication-provider>

7 answers

solution1
 7  2009-02-06 01:47:54

Do you have the statement 

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled" />

in the same configuration file as the one you defined the MyServiceManager bean? I had the same problem until I turned on debug for org.springframework, and noticed that spring security was only applied on the same file as the ones where global-method-security was defined in.

solution2
 4  2011-03-30 10:03:48

In my case, the exact location of this statement: 

<global-method-security secured-annotations="enabled" >

proved to be very important. Make sure that you put it after you declare which classes should be scanned and used as controllers. 

<context:component-scan base-package="com.test.controller" />

This is the way to make sure that the @Secured annotations will also get into the game

solution3
 2  2009-02-11 20:20:59

After doing more research on this problem I came to the following conclusion/solution. I'm not sure if it's 100% correct..but it works.

I put all of my configuration in the dispatcher-servlet.xml file. So instead of having a disptacher-servlet.xml and application-context.xml. The dispatcher-servlet.xml is loaded by the application (contextConfigLocation). Within the dispatcher-servlet.xml I import my security-context.xml and datasource-context.xml. Afer that, everything works.

solution4
 2  2009-02-19 21:06:08

I had this same problem. Using the information from Kent Lai's reply here, I was able to fix it.

I put the <global-method-security> element in my app-servlet.xml but kept the security definitions separate in security.xml , where web.xml has contextConfigLocation for app-servlet.xml and security.xml .

Works like a charm now!

solution5
 1  2010-12-23 10:58:08

Did you use something like this in your web.xml 

<servlet>
    <servlet-name>name</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/webmvc-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

I'm not sure why, but if I use the DispatcherServlet I was not able to enforce Security annotations

solution6
 1  2009-02-07 03:05:30

Try putting the annotations on the implementation class instead of the interface and see if that works. I ended up doing that on a recent project because I was also using the @Transactional attribute on my service layer, and the Spring docs recommend putting those on the class and not the interface. I don't know if the same issue might apply to @Secured, but I wanted to keep the annotations in the same place. See the Spring Docs

Regarding Kent Lai's answer...that is a good idea...make sure that your security config file is actually being included by Spring.

solution7
 0  2015-04-22 12:59:14

I had this same problem. After I added: 

<context:annotation-config />

in my spring-security.xml file it disappeared.

Hope this will help someone :)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Adding additional Spring Security method annotations Spring Security - how I can enable Method Security annotations? Security Method Annotations with Java Configuration and Spring Security 3.2 Can not get the @Secured Method Security annotations working in Spring Security Enforcing a throw statement for a method using annotations Ordering of Spring Security annotations ignored Security annotations in spring mvc Spring annotations for factory method Spring method annotations null Spring Security Oauth: migration from xml to annotations
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM