Reputation:
I noticed that in my code, I can successfully annotate methods on service classes (@Service) with both @Secured("ROLE_ADMIN") and @RolesAllowed("ROLE_ADMIN"). It works. However, when I move the same annotations to the controller classes (@Controller), only @Secured gets activated, whereas @RolesAllowed is ignored. I configured my root applicationContext with:
<security:global-method-security
    jsr250-annotations="enabled"
    secured-annotations="enabled"/>
Why isn't @RolesAllowed applicable to controller classes while @Secured is?
Upvotes: 0
Views: 507
Reputation: 22742
Mixing different annotations isn't guaranteed to produce consistent behaviour.
From the manual:
You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise. If two annotations are found which apply to a particular method, then only one of them will be applied.
Upvotes: 0
Reputation:
The reason why @RolesAllowed was working at the service level (but not in Controllers) was a misconfiguration on my part. To make it work, I had to declare the global-method-security in the same configuration file (context) where my Controllers are scanned. For example:
<context:component-scan base-package="mrpomario.springcore.mvc.controller"/>
<security:global-method-security
    jsr250-annotations="enabled"
    secured-annotations="enabled"/>
Upvotes: 1
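A check for the misconfiguration described in the last answer above, as an added example that is not part of the original thread: it parses Spring XML contexts and flags any file that component-scans packages without declaring global-method-security in that same file. The file names and the service package are assumptions, and the sample contexts are constructed.

```python
import xml.etree.ElementTree as ET

CTX = "{http://www.springframework.org/schema/context}"
SEC = "{http://www.springframework.org/schema/security}"
FLAGS = ("secured-annotations", "jsr250-annotations", "pre-post-annotations")

def audit_context(name, xml_text):
    """Report which packages a context scans and which method-security
    annotation types are enabled in that same context file."""
    root = ET.fromstring(xml_text)
    scanned = []
    for scan in root.iter(CTX + "component-scan"):
        # base-package may hold several comma-separated packages
        pkgs = scan.get("base-package", "").split(",")
        scanned += [p.strip() for p in pkgs if p.strip()]
    enabled = set()
    for gms in root.iter(SEC + "global-method-security"):
        enabled |= {f for f in FLAGS if gms.get(f) == "enabled"}
    return {"file": name, "scanned": scanned, "enabled": sorted(enabled),
            # Heuristic: beans are created in this context, but no method
            # security is declared beside the scan (the case the answer fixed).
            "scan_without_method_security": bool(scanned) and not enabled}

def wrap(body):
    """Wrap a fragment in a <beans> root with the namespaces it needs."""
    return ('<beans xmlns="http://www.springframework.org/schema/beans" '
            'xmlns:context="http://www.springframework.org/schema/context" '
            'xmlns:security="http://www.springframework.org/schema/security">'
            + body + "</beans>")

GMS = ('<security:global-method-security jsr250-annotations="enabled" '
       'secured-annotations="enabled"/>')
CONTROLLERS = '<context:component-scan base-package="mrpomario.springcore.mvc.controller"/>'
# Constructed samples; file names and the service package are assumptions.
SERVICES = '<context:component-scan base-package="mrpomario.springcore.service"/>'
CONTEXTS = {
    "applicationContext.xml": wrap(SERVICES + GMS),
    "servlet-context-before.xml": wrap(CONTROLLERS),
    "servlet-context-after.xml": wrap(CONTROLLERS + GMS),
}

def audit_all(contexts):
    return [audit_context(name, text) for name, text in contexts.items()]

if __name__ == "__main__":
    for r in audit_all(CONTEXTS):
        status = "REVIEW" if r["scan_without_method_security"] else "ok"
        print(f'{r["file"]}: scans {r["scanned"]}, enabled {r["enabled"]} -> {status}')
```

A flagged file is a prompt for review, not proof of a gap: the scanned packages may contain no beans that carry security annotations.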