Spring Security and AspectJ Neo4j Repository Autowiring

Question

I have an application which we are trying to protect our service layer with an authorization check to ensure that the authorized user has the appropriate permission to perform an update. Our first simple rule is that the owner of the object can update the object, so the security check compares the logged in user against the owner of the object. Unfortunately, this is not working because the object is stored in a Neo4j graph database which uses AspectJ to generate the repository level objects. When I try to build the application having the service layer protected with @PreAuthorize I get an error saying that in the AutoWire chain it cannot AutoWire the Neo4j repository object... which makes sense to me because the object being AutoWired is really an interface that AspectJ builds into an object for our use.

I tried updating to Spring-Security 3.1.0, I have aspectj-autoproxy set, and I tried adding in type="aspectj" attribute into my global-method-security definition, but the compiler flags 'type' as an invalid property and I still get the AutoWiring problem.

After reviewing the model a bit more, I'm a little concerned that this approach is doomed to fail. The various controllers and other business logic units call the service layer directly which I believe will end up by-passing the spring-security proxy objects altogether.

Is there a way to use Neo4j repositories objects which are auto-generated from AspectJ as data repositories in the spring-security checks?

Is there a way to protect the service layer using spring-security? Or will direct calls to the service layer bypass the security layer altogether?

Answer 1

user1557993,

There is a section in the manual about this, have you had a look?

http://static.springsource.org/spring-data/data-graph/snapshot-site/reference/html/#tutorial_security

Regards,

Lasse