
I'm using Spring Security 4.1.0 for the security of my Java web application. I use the @PostAuthorize annotation on the get method as follows:

Interface:

@PreAuthorize("hasAuthority('get')")
@PostAuthorize("hasPermission(returnObject, 'read')")
MyEntity get(Serializable id);

And the get implementation method is as follows:

@Override
@Transactional
public MyEntity get(Serializable id)
{
   MyEntity record = dao.get(id);
   System.out.println(record.getId() + " : " + record.getName());
   return record;
}

In web.xml I set sessionConfig as follow:

<session-config>
     <session-timeout> 10 </session-timeout>
</session-config>

The user logs in to the application and calls the get method. The user doesn't send any request to the server for 3 minutes. Then he sends another request to call the get method; the response is 403 Access Denied. After this the user immediately sends the same request again, but the response is 200 OK. See these requests:

403 response: [screenshot of the 403 response]

And 200 response: [screenshot of the 200 response]

Tomcat console logs in both cases are as follows:

538 : MyEntity 2

What's the problem?

Is it a spring security bug?

Morteza Malvandi
  • shouldn't `@PreAuthorize("hasAuthority('get')")` fail without a session? – zapl May 26 '16 at 05:37
  • All requests are sent after the user logs in, so `@PreAuthorize("hasAuthority('get')")` is not the problem. – Morteza Malvandi May 26 '16 at 05:41
  • @zapl there's a JSESSIONID there present and it is the same in both requests – micklesh May 26 '16 at 05:42
  • yes, but with a timeout of 10 seconds and 3 minutes of inactivity, shouldn't the server treat that session as invalid, therefore no longer granting you anything? session id is sent client side. Edit: oops, 10 minutes. I misunderstood your problem. – zapl May 26 '16 at 05:49
  • timeout is not 10 seconds, it is 10 minutes. – Morteza Malvandi May 26 '16 at 05:52
  • Do you have Spring Security settings defined elsewhere? I had a similar problem where `@PreAuthorize` didn't work. In my configuration I had to annotate `@EnableGlobalMethodSecurity(prePostEnabled = true)` so `@PreAuthorize` would work. – John Smith May 26 '16 at 08:16
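
As an added illustration (not code from the question or from Spring), here is one way the `hasPermission(returnObject, 'read')` check from the question and the `prePostEnabled = true` configuration mentioned in the comments could be wired up on Spring Security 4.1. `MyEntityPermissionEvaluator` and `MethodSecurityConfig` are assumed names; the evaluator logs every decision so a 403/200 difference between two requests can be compared against the principal and authorities each request actually carried.

```java
import java.io.Serializable;
import java.util.logging.Logger;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Assumed evaluator backing hasPermission(returnObject, 'read'); MyEntity is the question's type.
public class MyEntityPermissionEvaluator implements PermissionEvaluator {
    private static final Logger LOG = Logger.getLogger(MyEntityPermissionEvaluator.class.getName());

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // A null returnObject (no record for the id) reaches this method too: deny and log it,
        // so a missing record and a missing/expired authentication look different in the logs.
        if (auth == null || !auth.isAuthenticated() || target == null) {
            LOG.warning("deny: auth=" + (auth == null ? "none" : auth.getName()) + " target=" + target);
            return false;
        }
        // Policy assumed here: 'read' is granted when it is one of the caller's authorities.
        boolean granted = target instanceof MyEntity && hasAuthority(auth, String.valueOf(permission));
        LOG.info((granted ? "grant" : "deny") + ": user=" + auth.getName()
                + " permission=" + permission + " authorities=" + auth.getAuthorities());
        return granted;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false; // id-based form is not used by the question's annotation; fail closed
    }

    private static boolean hasAuthority(Authentication auth, String name) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (name.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}

// prePostEnabled = true is what makes @PreAuthorize/@PostAuthorize take effect at all.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new MyEntityPermissionEvaluator());
        return handler;
    }
}
```

With this in place, the log line written for the 403 request shows which principal and authorities (if any) the post-authorization check saw, which is the first thing to compare against the 200 request that followed it.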
