Reputation: 5683
Configuring Spring Security seems like such a dark art!
I am trying to implement method-level security. I have tried everything to get this method to fire its preAuthorize.
Can anyone explain why the first method works fine and evaluates whatever expression is against it, but the second doesn't? In the logs I don't see any calls to the Security framework for that method (I've restarted the server maybe 20 times, and have tried various versions with and without any preAuthorize on the parent method)...
This is challenging, I've got no information to go by, no debug capability on the SpEL expression... I seem to be in this trial and error loop that's getting nowhere!
The second method is definitely entered because I can debug it and see the output in the logs.

    @PreAuthorize("hasAnyRole('ROLE_REGISTERED_CUSTOMER', 'ROLE_ADMIN')")
    public void updateAddress(CustomerAddress customerAddress) {
        logger.entry();
        geocodingService.geoCodeAddress(customerAddress);
        if (customerAddress.getId() != null) {
            CustomerAddress oldAddress = customerAddressRepository.findForReference(customerAddress.getId());
            updateExistingAddress(customerAddress, oldAddress);
            customerSearchService.reindexCustomer(oldAddress.getCustomer(), true);
        } else {
            updateNewAddress(customerAddress);
            customerSearchService.reindexCustomer(customerAddress.getCustomer(), true);
        }
        logger.exit();
    }

    /**
     * A secured method for updating the existing address.
     * @param newAddress the new address
     * @param oldAddress the existing database address
     */
    @PreAuthorize("denyAll")
    public void updateExistingAddress(CustomerAddress newAddress, CustomerAddress oldAddress) {
        logger.entry();
        logger.debug("Updating an existing address.");
        oldAddress.mergeEdit(newAddress);
        saveAddress(oldAddress);
        logger.exit();
    }

Upvotes: 0
Views: 666
Reputation: 21720
As @M.Deinum stated, proxies do get invoked with internal method calls. If you want this support you need to use AspectJ. You can find an example of using AspectJ in XML and Java config within the samples.
Upvotes: 1
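
Proxy-based method security only runs its checks on calls that pass through the proxy, so the `updateExistingAddress(...)` call made from inside `updateAddress(...)` goes straight to the target object. The following is an added example, not code from either post or from Spring: it reproduces the effect with a plain JDK dynamic proxy, and `SelfInvocationDemo`, `AddressService`, `secure` and the `@DenyAll` annotation are hypothetical stand-ins for the service and for `@PreAuthorize("denyAll")`.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class SelfInvocationDemo {
    // Hypothetical stand-in for @PreAuthorize("denyAll"); not a Spring annotation.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface DenyAll {}

    interface AddressService {
        void updateAddress(String address);
        void updateExistingAddress(String address);
    }

    static final List<String> log = new ArrayList<>();

    static class AddressServiceImpl implements AddressService {
        public void updateAddress(String address) {
            log.add("updateAddress");
            updateExistingAddress(address); // a call on "this": it never reaches the proxy
        }
        @DenyAll
        public void updateExistingAddress(String address) {
            log.add("updateExistingAddress");
        }
    }

    // Wraps the target the way a proxy-based interceptor does: the check exists only in the handler.
    static AddressService secure(AddressService target) {
        InvocationHandler handler = (proxy, method, args) -> {
            Method impl = target.getClass().getMethod(method.getName(), method.getParameterTypes());
            if (impl.isAnnotationPresent(DenyAll.class)) {
                throw new SecurityException("denied: " + method.getName());
            }
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (AddressService) Proxy.newProxyInstance(
            AddressService.class.getClassLoader(), new Class<?>[] {AddressService.class}, handler);
    }

    public static void main(String[] unused) {
        AddressService svc = secure(new AddressServiceImpl());
        svc.updateAddress("1 Example St");            // nested call runs with no check applied
        System.out.println("methods entered: " + log);
        try { svc.updateExistingAddress("1 Example St"); } // direct call through the proxy is checked
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Compile and run with `javac SelfInvocationDemo.java && java SelfInvocationDemo`; the same method is entered when called internally and rejected when called through the proxy.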