Reputation: 423
I'm using Spring Security for Role-Checking in my WebApp.
spring-security-config.xml
<http auto-config="true" authentication-manager-ref="adminAuthMgr">
    <intercept-url pattern="/admin/**"
        access="hasAuthority('PERM_ACCESS_ADMIN_AREA')" />
    <form-login login-page="/login" default-target-url="/admin/dashboard"
        authentication-failure-url="/login?error"
        username-parameter="username" password-parameter="password"
        login-processing-url="/j_spring_security_check" />
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/login?logout" />
    <csrf />
</http>
<global-method-security pre-post-annotations="enabled"/>
<authentication-manager alias="adminAuthMgr">
    <authentication-provider
        user-service-ref="liveUserDetailsService">
        <password-encoder hash="bcrypt" />
    </authentication-provider>
</authentication-manager>
The hasAuthority('PERM_ACCESS_ADMIN_AREA') statement to secure the admin/* path is working.
In *.jsp files, <sec:authorize access="hasAuthority('PERM_MANAGE_USER')"> is working as well.
But when trying to secure a method, it is not working and access is granted to everyone who has the defined PERM_ACCESS_ADMIN_AREA role (defined in the XML above). The additional requirement in the annotation is ignored:
@PreAuthorize("hasAuthority('PERM_CORRECT_EXAMS')")
@RequestMapping("/admin/correction")
public AdminModelAndView index() { ...
Does anyone have an idea why the annotation is ignored?
<servlet>
    <servlet-name>spring-mvc-servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring-mvc-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    <async-supported>true</async-supported>
</servlet>
spring-mvc-config.xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd ">
    <context:component-scan base-package="de.paluno.live" />
    <global-method-security pre-post-annotations="enabled"/>
    <bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/views/jsp/" />
        <property name="suffix" value=".jsp" />
    </bean>
    <bean id="multipartResolver"
        class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
        <property name="maxUploadSize" value="100000" />
    </bean>
    <mvc:resources mapping="/resources/**" location="/resources/" />
    <mvc:annotation-driven />
    <mvc:interceptors>
        <bean
            class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
            <property name="paramName" value="language" />
        </bean>
    </mvc:interceptors>
</beans>
Upvotes: 0
Views: 1368
Reputation: 423
Thanks to M. Deinum, who helped to figure out the answer.
Solution:
spring-security-config.xml
<global-method-security pre-post-annotations="enabled"/>
spring-mvc-config.xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mvc="http://www.springframework.org/schema/mvc"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/context
        http://www.springframework.org/schema/context/spring-context.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Method security must be enabled in the DispatcherServlet context,
         because that is where the @Controller beans are created -->
    <security:global-method-security pre-post-annotations="enabled"/>
    <!-- other bean definitions omitted -->
</beans>
Upvotes: 1