
I'm using Spring security 3.2.0 with the same version of the Spring framework. Spring security works well in my project. In order to protect methods in my DAO classes (and others), I want to use the following pointcut approach (in the spring-security.xml file).

<global-method-security>
    <protect-pointcut expression="execution(*controller.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>

I expect the pointcut expression as specified to protect all the methods in all classes inside the controller package and to be accessed only by the users who have the authority ROLE_ADMIN as specified.

But when I try to use this expression, the process terminates with following exception on saving my spring-security.xml file.

PropertyAccessException 1: org.springframework.beans.MethodInvocationException: Property 'pointcutMap' threw exception; nested exception is java.lang.IllegalArgumentException: Pointcut is not well-formed: expecting 'name pattern' at character position 26 execution(controller..*(..)) ^

I'm trying to follow the approach as specified by the reference document in the Adding Security Pointcuts using protect-pointcut sub-section of the 3.4.1 The <global-method-security> Element section.

What is the correct expression syntax in this scenario?


EDIT:

Adding Security Pointcuts using protect-pointcut

The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with only a simple declaration. Consider the following example:

<global-method-security>
    <protect-pointcut expression="execution(* com.mycompany.*Service.*(..))" access="ROLE_USER"/>
</global-method-security>

This will protect all methods on beans declared in the application context whose classes are in the com.mycompany package and whose class names end in "Service". Only users with the ROLE_USER role will be able to invoke these methods. As with URL matching, the most specific matches must come first in the list of pointcuts, as the first matching expression will be used. Security annotations take precedence over pointcuts.

Copy & pasted the section explained in the reference document (as someone may find it to be tedious to scroll the document).

Tiny

1 Answer


Try with this expression:

<protect-pointcut expression="execution(* your.package.controller.*.*(..))" access="ROLE_ADMIN"/>
Jean-Philippe Bond
  • Unfortunately, it yields the same exception - `...Pointcut is not well-formed: expecting 'name pattern' at character position 29 execution(* ..controller.*.*(..))`. – Tiny Jan 16 '13 at 20:06
  • Try the updated version ;o. If it is not working, can you post the package of one of your controllers? – Jean-Philippe Bond Jan 16 '13 at 20:09
  • Yes, this worked - `execution(* controller.*.*(..))` - and the security constraints are applied to all methods in all the classes inside that package. But I'm not sure why it requires a space between `*` and `controller`? Thanks a lot. – Tiny Jan 16 '13 at 20:19
  • It needs a space because the first `*` is for the return value of the method. You need an expression for the return value and one for the method signature. – Jean-Philippe Bond Jan 16 '13 at 20:31
  • Thanks for the clarification. Irrelevant to the concrete question - the package named `controller` in my application holds the DAOs and not Spring controllers - the document says - *The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.* Future visitors should not be confused. – Tiny Jan 16 '13 at 20:36
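Added example, not code from the question or the answer: a small Java program that feeds the question's broken expression and the accepted one to AspectJ's own `PointcutParser`, the parser behind the `IllegalArgumentException: Pointcut is not well-formed` message in the question (Spring's `AspectJExpressionPointcut` delegates to it), and then checks which methods of a DAO it would select. The class `UserDao` in package `controller` is a stand-in constructed for this example; the program assumes `aspectjweaver` is on the classpath.

```java
package controller;

import java.lang.reflect.Method;
import java.util.LinkedHashMap;
import java.util.Map;
import org.aspectj.weaver.tools.PointcutExpression;
import org.aspectj.weaver.tools.PointcutParser;

// Constructed stand-in for one of the questioner's DAO classes living in the "controller" package.
class UserDao {
    public String findByName(String name) { return name; }
    public void delete(long id) { }
}

public class PointcutCheck {

    private static final PointcutParser PARSER =
        PointcutParser.getPointcutParserSupportingAllPrimitivesAndUsingContextClassloaderForResolution();

    /** Parses an expression the way Spring does; returns null (and prints the reason) if AspectJ rejects it. */
    static PointcutExpression parse(String expression) {
        try {
            return PARSER.parsePointcutExpression(expression);
        } catch (IllegalArgumentException e) {
            System.out.println("REJECTED " + expression + "\n    " + e.getMessage());
            return null;
        }
    }

    /** For a well-formed expression, reports per method whether the pointcut (and so ROLE_ADMIN) applies. */
    static Map<String, Boolean> matches(String expression, Class<?> target) {
        Map<String, Boolean> result = new LinkedHashMap<>();
        PointcutExpression pc = parse(expression);
        if (pc == null) {
            return result;
        }
        for (Method m : target.getDeclaredMethods()) {
            // matchesMethodExecution answers the same question the method-security interceptor asks:
            // does this execution join point fall under the pointcut?
            boolean secured = pc.matchesMethodExecution(m).alwaysMatches();
            result.put(target.getSimpleName() + "." + m.getName(), secured);
        }
        return result;
    }

    static void report(String expression) {
        System.out.println(expression);
        matches(expression, UserDao.class)
            .forEach((method, secured) -> System.out.println("    " + method + " -> " + (secured ? "secured" : "not matched")));
    }

    public static void main(String[] args) {
        // Without the space, "*controller.*.*" is read as the return-type pattern and
        // no method-name pattern follows, which is the "expecting 'name pattern'" error.
        report("execution(*controller.*.*(..))");

        // Return type "*", declaring type "controller.*", method name "*", any parameters.
        report("execution(* controller.*.*(..))");

        // The same shape narrowed to finder methods only.
        report("execution(* controller.*.find*(..))");
    }
}
```

Compile and run it from the parent of the `controller` directory with `aspectjweaver.jar` on the classpath (`javac -cp aspectjweaver.jar controller/*.java && java -cp .:aspectjweaver.jar controller.PointcutCheck`). The first expression is rejected at parse time, the second marks both `UserDao` methods as secured, and the third selects only `findByName`, which is the kind of check worth doing before relying on a pointcut to guard data access methods in production.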