I'm using Spring MVC to expose RESTful services. I already enabled authentication via HTTPBasicAuthentication, and using <security:http> I can control which roles can access URLs.
Now I want to use the @Secured annotation. I tried to add it to Controller methods but it doesn't work. It simply does nothing.
Here is my Controller class:

    @Controller
    @RequestMapping("/*")
    public class HomeController {
        private static final Logger logger = LoggerFactory.getLogger(HomeController.class);
        private static final String USERS = "/users";
        private static final String USER = USERS+"/{userId:.*}";

        @RequestMapping(value=USER, method=RequestMethod.GET)
        @Secured(value = {"ROLE_ADMIN"})
        public @ResponseBody User signin(@PathVariable String userId) {
            logger.info("GET users/"+userId+" received");
            User user= service.getUser(userId);
            if(user==null)
                throw new ResourceNotFoundException();
            return user;
        }
    }

This is my security-context.xml:

    <http auto-config='true'>
        <intercept-url pattern="/**" access="ROLE_USER"/>
    </http>
    <global-method-security secured-annotations="enabled" />
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="[email protected]" password="admin"
                      authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="[email protected]" password="pswd"
                      authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

And my root-context.xml:

    <context:component-scan base-package="org.mypackage" />
    <import resource="database/DataSource.xml"/>
    <import resource="database/Hibernate.xml"/>
    <import resource="beans-context.xml"/>
    <import resource="security-context.xml"/>

All works fine, but if I add @Secured, it simply does nothing: I can access the secured method with [email protected] also, which hasn't ROLE_ADMIN privileges.
I already tried to move <security:global-method-security> to root-context.xml, it doesn't work. I also tried to secure the same method via the <security:http> tag, it works fine, but I want to use the @Secured annotation.
Thank you.
EDIT:
I also have a servlet-context.xml and a controllers.xml config file in the appServlet subdirectory.
Here is servlet-context.xml:

    <mvc:resources mapping="/resources/**" location="/resources/" />
    <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>
    <beans:import resource="controllers.xml" />

And controllers.xml:

    <context:component-scan base-package="org.mose.emergencyalert.controllers" />
    <beans:bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />
    <beans:bean id="homeController" class="org.mose.emergencyalert.controllers.HomeController"/>

Solved, I added the <global-method-security> tag in servlet-context.xml, instead of security-context.xml.
Here is the new security-context.xml:

    <annotation-driven />
    <security:global-method-security secured-annotations="enabled"/>
    <resources mapping="/resources/**" location="/resources/" />
    <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>

NB: now Eclipse warns me at the <security:global-method-security> line: "advises org.mypackage.HomeController.signin(String, Principal)", proving that @Secured is now working.

SOLVED
Add this tag to the config file that contains the ViewResolver config: the dispatcher's XML, NOT your application's XML.

    <security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled"/>
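
A regression check for the failure both answers describe, as an added example that is not part of either answer: it loads the root and DispatcherServlet contexts as parent and child, then verifies that the controller is proxied and that an account without ROLE_ADMIN gets 403. Assumptions: JUnit 4, spring-test 3.2.2 or later and Java 8 on the test classpath; the two `file:` locations, the `USER_ONLY` credentials and the user id `42` are placeholders to replace with the project's real values.

```java
import static org.junit.Assert.assertTrue;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mose.emergencyalert.controllers.HomeController;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.ContextHierarchy;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextHierarchy({ // parent = root context, child = DispatcherServlet context (assumed paths)
    @ContextConfiguration("file:src/main/webapp/WEB-INF/spring/root-context.xml"),
    @ContextConfiguration("file:src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml")
})
public class SecuredEnforcementTest {
    // Placeholder "name:password" of the account that only has ROLE_USER.
    private static final String USER_ONLY = "user-only@example.invalid:pswd";
    @Autowired private WebApplicationContext wac;                  // servlet (child) context
    @Autowired private FilterChainProxy springSecurityFilterChain; // bean from the root context
    private MockMvc mvc;

    @Before
    public void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(wac).addFilters(springSecurityFilterChain).build();
    }

    @Test // Root cause: @Secured is only evaluated when the controller bean is an AOP proxy.
    public void controllerIsWrappedBySecurityAdvice() {
        assertTrue(AopUtils.isAopProxy(wac.getBean(HomeController.class)));
    }

    @Test // Behaviour: authenticated but lacking ROLE_ADMIN must be rejected with 403.
    public void roleUserCannotReadUser() throws Exception {
        String basic = Base64.getEncoder().encodeToString(USER_ONLY.getBytes(StandardCharsets.UTF_8));
        mvc.perform(get("/users/42").header("Authorization", "Basic " + basic))
           .andExpect(status().isForbidden());
    }
}
```

With the method-security tag declared only in the root context, the proxy assertion fails and the request is no longer rejected with 403, so the silent fail-open shows up as a test failure instead of going unnoticed.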