
I have a spring-boot web application that declares some security through this class:

    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @Order(Ordered.LOWEST_PRECEDENCE - 50) // needs to be after SpringBootAuthenticationConfigurerAdapter to register default in memory user
    public class StorefrontSecurityConfig extends GlobalAuthenticationConfigurerAdapter {

        @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER - 1)
        @Configuration
        public static class MyStorefrontSecurityConfig extends WebSecurityConfigurerAdapter {
            ..... // HTTP security rules omitted in the question
        }
    }

and it all works fine. I also add these annotations to some of my service methods:

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void approve(final EntityModificationEntityDefinition entity);

@PreAuthorize("hasPermission(#entity, 'APPROVE') or hasPermission(#entity, 'ADMINISTRATION') or hasRole('ROLE_ADMINGROUP')")
void reject(final EntityModificationEntityDefinition entity);

and for now they don't do much, which is perfectly fine. But now I create a jar file with the following configuration:

import java.util.ArrayList;
import java.util.List;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
public class PersonalizationConfig extends GlobalMethodSecurityConfiguration {

    private final Logger LOG = LogManager.getLogger(getClass());

    /* Global Method Security */

    // Replaces the default AffirmativeBased manager with a UnanimousBased one:
    // every voter that does not abstain must grant access.
    @Override
    public AccessDecisionManager accessDecisionManager() {
        final List<AccessDecisionVoter<? extends Object>> accessDecisionVoters = new ArrayList<>();
        accessDecisionVoters.add(new RoleVoter());
        accessDecisionVoters.add(new AuthenticatedVoter());
        // preInvocationAuthorizationAdvice() is a helper of this class that is not shown in the question
        accessDecisionVoters.add(new PreInvocationAuthorizationAdviceVoter(preInvocationAuthorizationAdvice()));

        final UnanimousBased accessDecisionManager = new UnanimousBased(accessDecisionVoters);
        accessDecisionManager.setAllowIfAllAbstainDecisions(true);

        return accessDecisionManager;
    }

    // defaultMethodSecurityExpressionHandler() is a bean method of this class that is not shown in the question
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return this.defaultMethodSecurityExpressionHandler();
    }
}

This jar has a spring.factories file in META-INF so that, this being a spring-boot application, the @Configuration is loaded. Now I expect that when I include this jar on the classpath the @PreAuthorize annotations start working. However, what I see is that AbstractSecurityExpressionHandler is invoked and it calls the abstract method createSecurityExpressionRoot(authentication, invocation), which always goes to DefaultWebSecurityExpressionHandler and never to the DefaultMethodSecurityExpressionHandler. I can see that the DefaultMethodSecurityExpressionHandler is constructed when my application starts, so I'm really not sure what happens here.

EDIT: Here's my spring.factories file:

    org.springframework.boot.autoconfigure.EnableAutoConfiguration=com.nemesis.platform.module.personalization.core.config.PersonalizationConfig

Petar Tahchiev

  • I tried adding the `@EnableGlobalMethodSecurity` annotation on the different classes, but it just doesn't seem to work - my methods are invoked always and none of the method security logic is invoked. – Petar Tahchiev Mar 11 '16 at 20:08
  • Do you see that your PersonalizationConfig is invoked? What does your spring.factories look like? What is the package for PersonalizationConfig? – Rob Winch Mar 11 '16 at 21:19
  • Yes, `PersonalizationConfig` is invoked. I've added the spring.factories file above. I have overridden the `createExpressionHandler` method to register my custom `AclPermissionEvaluator`. The problem is that this method is never called. It should be called from `getExpressionHandler`, but that method has a null-check, and the expressionHandler is never null, so my `createExpressionHandler` method is never called. – Petar Tahchiev Mar 12 '16 at 09:29
  • Sorry my bad - I had the expressionHandler declared as a bean, so it is instantiated and autowired and that's why it is never null. So in my case I don't need to override the `createExpressionHandler`. But the problem is still there - none of the method security logic is invoked, and I don't know where to start debugging it. – Petar Tahchiev Mar 12 '16 at 09:55
  • Are your services that are annotated Spring Beans? – Rob Winch Mar 12 '16 at 20:50
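One way to pin down where the method-security chain stops, as an added example that is not part of the question or its comments: a Spring Boot integration test that asserts the annotated service bean is an AOP proxy carrying Spring Security's `MethodSecurityInterceptor`, and that an unauthenticated call is rejected before the method body runs. It assumes JUnit 4, Spring Boot 1.4+ test support, `spring-security-test` on the test classpath, and a hypothetical `ApprovalService` bean interface declaring the `approve`/`reject` methods shown above.

```java
import static org.junit.Assert.assertTrue;
import java.util.Arrays;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.test.context.junit4.SpringRunner;

@RunWith(SpringRunner.class)
@SpringBootTest
public class ApprovalServiceMethodSecurityTest {

    // Hypothetical bean interface that declares the @PreAuthorize-annotated
    // approve()/reject() methods from the question (name assumed here).
    @Autowired
    private ApprovalService approvalService;

    @Before
    public void clearSecurityContext() {
        // Start from an unauthenticated context so nothing leaks in from another test.
        SecurityContextHolder.clearContext();
    }

    @Test
    public void serviceIsProxiedByMethodSecurityInterceptor() {
        // A bean whose methods are guarded by @PreAuthorize must be an AOP proxy...
        assertTrue("service is not proxied: is it a Spring bean, and is @EnableGlobalMethodSecurity active?",
                AopUtils.isAopProxy(approvalService));
        // ...and its advisor chain must contain Spring Security's MethodSecurityInterceptor.
        boolean intercepted = Arrays.stream(((Advised) approvalService).getAdvisors())
                .map(Advisor::getAdvice)
                .anyMatch(advice -> advice instanceof MethodSecurityInterceptor);
        assertTrue("no MethodSecurityInterceptor on the proxy", intercepted);
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void unauthenticatedCallIsRejectedBeforeTheMethodRuns() {
        // With no Authentication in the SecurityContext the interceptor rejects the call
        // before the expression is evaluated or the body executes, so the argument is irrelevant.
        approvalService.approve(null);
    }
}
```

If the first test fails, the interceptor was never applied to that bean (typically because the service is not a Spring bean or the configuration did not load); if only the second fails, the proxy exists but the call bypasses it, for example through a self-invocation inside the same class.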

0 Answers