Nitin
Reputation: 11
CustomPermissionEvaluator is not getting invoked in Spring 3.1
I have implemented a Custom PermissionEvaluator and configured it as follows
<security:http access-denied-page="/" auto-config="true" use-expressions="true">
<security:anonymous />
<security:form-login always-use-default-target="false" default-target-url="/people/login/redirect" login-page="/people/login" login-processing-url="/people/login/submit" password-parameter="password" username-parameter="emailAddress" />
<security:logout delete-cookies="true" invalidate-session="true" logout-success-url="/people/login/redirect" logout-url="/people/logout" />
</security:http>
<security:authentication-manager erase-credentials="false">
<security:authentication-provider ref="authenticationProvider" />
</security:authentication-manager>
<security:global-method-security jsr250-annotations="enabled" pre-post-annotations="enabled" secured-annotations="enabled" >
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="appPermissionEvaluator"/>
</bean>
<bean class="com.web.security.ApplicationPermissionEvaluator" id="appPermissionEvaluator" />
Then I applied hasPermissionCheck on one method on one of my ControllerClass as follows
@PreAuthorize("hasPermission(#accountCode, 'AdministerPosition')")
@RequestMapping(method = RequestMethod.GET, value = "/cloud/{account}/position")
public String list(@PathVariable String account, @RequestParam(required = false, value = URLParameter.ACCOUNT_CODE) final String accountCode, final Model model) {
}
Here in this case I never get a control in my ApplicationPermissionEvaluator class.
I found that always DenyAllPermissionEvaluator gets executed in my case with following error message
DenyAllPermissionEvaluator - Denying user ****** permission 'AdministerPosition'
Please advice me on this asap. I am really stuck on this.
Upvotes: 1
Views: 707
Answers (1)
kabal
Reputation: 2145
The way to get this working is to configure <security:global-method-security ..> in your spring mvc context, not the main context
i.e. in here mvc-servlet-context.xml
<servlet>
<servlet-name>appServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:META-INF/spring/mvc-servlet-context.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
Upvotes: 1
Related Questions
- Spring Security custom PermissionEvaluator
- Spring Security custom PermissionEvaluator configurations does not work properly
- Why my custom PermissionEvaluator isn't invoked?
- Spring Security not using custom UserDetaisService
- Spring security hasPermission is not working
- Why is my custom authentication not working in Spring Security 3?
- Custom permission evaluator for spring security throws ClassCastException
- Spring + Spring Security + hasPermission Not working
- Custom Permission Evaluator is not getting invoked : Spring security 3.2
- Why is my custom PermissionEvaluator not working?