1

As it seems that Spring Security forum is not giving much support, I'm forced to ask the same question here as well. I'm building a web application using Spring 3.0.6 and Spring Security 3.0.7, but there's a problem that's driving me insane. Method protection annotations just don't work. I'm protecting the method on my service interface this way:

public interface AlbumGenreService {

     @PreAuthorize("hasRole('ROLE_ADMIN')")
     public void deleteGenre(Integer genreId);
}

and then invoking the method in the controller:

@RequestMapping(value="/genres/delete/{genreId}")
public String deleteGenre(@PathVariable("genreId") Integer genreId, Model model) {

     albumGenreService.deleteGenre(genreId);

     return "redirect:/genres/view";
}

When I log in with ROLE_USER role and try to delete the genre, the access to the protected method is granted and the genre is deleted.

My configuration is as follows:

web.xml

<servlet>
   <servlet-name>dispatcher</servlet-name>
   <servlet-class>org.springframework.web.servlet.DispatcherSe rvlet</servlet-class>
   <init-param>
     <param-name>contextConfigLocation</param-name>
     <param-value>/WEB-INF/applicationContext.xml</param-value>
   </init-param>
   <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<filter>
    <filter-name>sitemesh</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.Page Filter</filter-class>
</filter>

<filter-mapping>
    <filter-name>sitemesh</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFil terProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>/WEB-INF/securityApplicationContext.xml</param-value>
</context-param>

<listener>
   <listener-class>org.springframework.web.context.ContextLoade rListener</listener- class>
</listener>

securityApplicationContext.xml

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">

<security:global-method-security pre-post-annotations="enabled" secured-  annotations="enabled" jsr250-annotations="enabled"/>

<security:http auto-config="true" use-expressions="true">
   <security:intercept-url pattern="/genres/create" access="hasRole('ROLE_ADMIN')"/>
   <security:intercept-url pattern="/*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
</security:http>

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider>
     <security:user-service>
     <security:user name="user1" password="user1" authorities="ROLE_USER"/>
     <security:user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>

Hope you could help me to figure out what's going wrong. Thanks.

Nedo
  • 627
  • 1
  • 10
  • 20
  • See http://stackoverflow.com/questions/6651119/secured-does-not-work-in-controller-but-intercept-url-seems-to-be-working-fine – axtavt Nov 03 '11 at 11:10
  • axtavt is rigth, add to "applicationContext.xml" and remove the security filter from the web.xml – Ralph Nov 03 '11 at 11:34
  • include tag in applicationContext.xml? What are you talking about? Maybe you mean import tag? – Vyacheslav Jan 15 '13 at 12:34

0 Answers0