0

I am trying to add control authorization in some methods using @PreAuthorize("hasRole('ADMIN')").

Methods belong to a simple class DaoImpl implementing an interface DAO, I add this

@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) to my security config class.

for me it doesn't work, is it logic or I miss something?

mosab
  • 207
  • 1
  • 4
  • 13
  • Not sure what you mean by simple class. Is the object instance (in your case daoImpl) on which you are calling the method with `@PreAuthorize` annotation a spring bean? if it is a spring bean then yes it is likely to work but if it is a standard java object which you create instance with `new` keyword then no it wouldn't work. – madteapot Sep 16 '21 at 09:41

1 Answers1

1

The answer is no.

Spring can only enforce annotations on classes it is aware of. To make spring aware of instantiated classes it needs to either instantiate them itself, which means the class needs to be annotated with one of springs lifecycle annotations ex. @Component, @Service @RestController, or you need to instantiate them yourself and hand them over to the spring context. This can for instance be done by using the new keyword in a @Bean annotated function in a @Configuration annotated class and then return the newly created class from the @Bean annotated function.

If you create the class yourself by using the new keyword just randomly in your application, spring will have no awareness of the class and hence has no ability to intercept function calls using spring AOP and in turn enforce annotations on them like for instance @PreAuthorize

Toerktumlare
  • 12,548
  • 3
  • 35
  • 54