Tiny

Reputation: 27909

How to override security access in Spring?

I'm using Spring Framework 4.0.0 GA and Spring Security 3.2.0 GA. I have applied security to all methods of all classes in a package using a point cut expression as follows.

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
    <protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>

All methods of all classes defined in the package admin.dao would only be accessed by the user whose authority is ROLE_ADMIN.

Is it now possible to override this security constraint in some method(s) of some class in this package?

I need to give anonymous access to some methods in some class under this package (which is already secured).

In JAAS, this can be achieved by using the javax.annotation.security.PermitAll annotation above the method in question which will override any global constraints (constraints applied class level, for example).

I have tried with @Secured(value = "permitAll") and @Secured(value = "isAnonymous()") above the method in question, but neither of them worked.

Upvotes: 0

Views: 331

Answers (1)

Angular University

Reputation: 43117

Try the following:

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
    <protect-pointcut expression="execution(* admin.your.permit.all.dao.*.*(..))" 
          access="permitAll"/>
    <protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>

Make sure to put the protect-pointcut permitAll entry first; in this case, order is important.

Upvotes: 2
