Morteza Malvandi

Reputation: 1724

Why doesn't @PostFilter work sometimes in a Spring Security service?

I'm using Spring Security in my project. I have a service as follows:

public interface A {

   @PostFilter("hasPermission(filterObject, 'read')")
   List<MyEntity> method1();

   @PostFilter("hasPermission(filterObject, 'read')")
   List<MyEntity> method2();
}

In the implementation of method1() I use method2(), but the PostFilter on method2() doesn't work in this state.

Why?

Upvotes: 0

Views: 729

Answers (1)

holmis83

Reputation: 16644

Your observation is correct.

To process security annotations, Spring uses proxies. A proxy is a dynamically generated class that is put between the caller and the actual implementation. So when you use interface A you are not actually invoking your implementation directly, but a security layer.

By default Spring uses interface proxies; the proxy implements the interface in question. That means the security is only invoked when you use A as an interface. The security is not enforced when a method is invoked from the implementation class itself, because the implementation does not know of the proxy.

By using class proxies, the security annotations can work when a method is invoked from the class itself, because then the proxy extends the implementation. However, still only annotations on public methods work.

For a more in-depth explanation of proxies, see "Proxying mechanisms" in the Spring Framework manual.

Upvotes: 3
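The interface-proxy behaviour described in this answer, as an added example that is not code from the question, the answer, or Spring itself. It uses the JDK's `java.lang.reflect.Proxy` as a stand-in for Spring's security proxy; `SelfInvocationDemo`, `AImpl`, `secure`, the `self` field and the "secret" prefix rule are hypothetical names and constructed data.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;
public class SelfInvocationDemo {
    // Same shape as interface A in the question; String stands in for MyEntity.
    interface A {
        List<String> method1();
        List<String> method2();
    }

    static class AImpl implements A {
        A self = this;           // hypothetical hook: point it at the proxy to re-enable filtering
        int seenInsideMethod1;   // rows method1 received from its inner method2 call
        public List<String> method1() {
            List<String> rows = self.method2(); // with self == this the proxy is never involved
            seenInsideMethod1 = rows.size();
            return rows;
        }

        public List<String> method2() {
            return new ArrayList<>(List.of("public-1", "secret-1", "public-2")); // constructed data
        }
    }

    // Stand-in for the security interceptor: post-filters every list returned through the proxy.
    static A secure(A target, List<String> filteredCalls) {
        InvocationHandler handler = (proxy, method, args) -> {
            @SuppressWarnings("unchecked")
            List<String> rows = (List<String>) method.invoke(target, args);
            rows.removeIf(r -> r.startsWith("secret")); // constructed stand-in for hasPermission(..., 'read')
            filteredCalls.add(method.getName());
            return rows;
        };
        return (A) Proxy.newProxyInstance(A.class.getClassLoader(), new Class<?>[] {A.class}, handler);
    }

    public static void main(String[] args) {
        List<String> filteredCalls = new ArrayList<>();
        AImpl impl = new AImpl();
        A a = secure(impl, filteredCalls);
        a.method1(); // inner call is this.method2(): unfiltered inside method1
        System.out.println("self=this : method1 saw " + impl.seenInsideMethod1 + " rows, filtered " + filteredCalls);
        filteredCalls.clear();
        impl.self = a; // inner call now goes through the proxy
        a.method1();
        System.out.println("self=proxy: method1 saw " + impl.seenInsideMethod1 + " rows, filtered " + filteredCalls);
    }
}
```

With `self` left as `this`, `method1` works on all three rows and the filter runs only on its own return value; once `self` refers to the proxy, the inner `method2` call is filtered as well.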
