Reputation: 12770
I'm somewhat lost as to why Spring isn't enforcing the @Secured("ROLE_USER") on my service interface. My controllers are established using annotations.
An example of my service interface:
public interface MyServiceManager {
    @Secured("ROLE_USER")
    public void delete(int cid);

    @RolesAllowed({"ROLE_USER"})
    public Contact getContact(int contactId);
}
My security-context:
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled">
</global-method-security>
<http auto-config="true" >
    <intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR" />
    <intercept-url pattern="/addcontact**" access="IS_AUTHENTICATED_REMEMBERED" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <concurrent-session-control max-sessions="1"
        exception-if-maximum-exceeded="true"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
    <logout logout-success-url="/welcome.do" logout-url="/logout"/>
</http>
<authentication-provider>
    <password-encoder hash="md5"/>
    <user-service>
        <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
    </user-service>
</authentication-provider>
Upvotes: 15
Views: 16602
Reputation: 2072
I had this same problem. After I added:
<context:annotation-config />
in my spring-security.xml file it disappeared.
Hope this will help someone :)
Upvotes: 0
Reputation: 1985
In my case, the exact location of this statement:
<global-method-security secured-annotations="enabled" >
proved to be very important. Make sure that you put it after you declare which classes should be scanned and used as controllers.
<context:component-scan base-package="com.test.controller" />
This is the way to make sure that the @Secured annotations will also get into the game.
Upvotes: 4
Reputation: 4046
Did you use something like this in your web.xml?
<servlet>
    <servlet-name>name</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/webmvc-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
I'm not sure why, but if I use the DispatcherServlet I was not able to enforce Security annotations.
Upvotes: 1
Reputation: 14920
I had this same problem. Using the information from Kent Lai's reply here, I was able to fix it.
I put the <global-method-security> element in my app-servlet.xml but kept the security definitions separate in security.xml, where web.xml has contextConfigLocation for app-servlet.xml and security.xml.
Works like a charm now!
Upvotes: 2
Reputation: 12770
After doing more research on this problem I came to the following conclusion/solution. I'm not sure if it's 100% correct, but it works.
I put all of my configuration in the dispatcher-servlet.xml file, instead of having a dispatcher-servlet.xml and an application-context.xml. The dispatcher-servlet.xml is loaded by the application (contextConfigLocation). Within the dispatcher-servlet.xml I import my security-context.xml and datasource-context.xml. After that, everything works.
Upvotes: 2
Reputation: 6463
Try putting the annotations on the implementation class instead of the interface and see if that works. I ended up doing that on a recent project because I was also using the @Transactional attribute on my service layer, and the Spring docs recommend putting those on the class and not the interface. I don't know if the same issue might apply to @Secured, but I wanted to keep the annotations in the same place. See the Spring Docs
Regarding Kent Lai's answer...that is a good idea...make sure that your security config file is actually being included by Spring.
Upvotes: 1
Reputation: 1361
Do you have the statement
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
in the same configuration file as the one where you defined the MyServiceManager bean? I had the same problem until I turned on debug for org.springframework, and noticed that Spring Security was only applied on the same file as the one where global-method-security was defined.
Upvotes: 7
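Added example, not part of any post above: method security is applied per application context, so the fragments below put <global-method-security> in the same context as the service beans and keep the servlet context to controllers only. Assumptions: the servlet name dispatcher, the package com.test.service, and an implementation class annotated with @Service; the <beans> root elements and namespace declarations are omitted.

```xml
<!-- web.xml: the listener builds the ROOT context, the servlet builds a CHILD context -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/security-context.xml</param-value>
</context-param>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<servlet>
  <servlet-name>dispatcher</servlet-name>
  <!-- with no init-param, loads /WEB-INF/dispatcher-servlet.xml into the child context -->
  <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
  <load-on-startup>1</load-on-startup>
</servlet>

<!-- security-context.xml (root context): method security and the beans it must proxy -->
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
<!-- assumed package holding the @Service implementation of MyServiceManager -->
<context:component-scan base-package="com.test.service" />

<!-- dispatcher-servlet.xml (child context): controllers only -->
<!-- Scanning a parent package such as "com.test" here would create a second,
     unproxied copy of the service in the child context, and the controllers
     would be wired to that copy, so @Secured would never be checked. -->
<context:component-scan base-package="com.test.controller" />
```

To confirm the interceptor is in place, call delete() as a user without ROLE_USER and check that the request is denied.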