spring not enforcing method security annotations

Question

I\'m some what lost as to why spring isn\'t enforcing the @Secured(\"ROLE_USER\") on my service interface. My controllers are established using annotations.

An exam

Answer 1

Try putting the annotations on the implementation class instead of the interface and see if that works. I ended up doing that on a recent project because I was also using the @Transactional attribute on my service layer, and the Spring docs recommend putting those on the class and not the interface. I don't know if the same issue might apply to @Secured, but I wanted to keep the annotations in the same place. See the Spring Docs

Regarding Kent Lai's answer...that is a good idea...make sure that your security config file is actually being included by Spring.

Answer 2

After doing more research on this problem I came to the following conclusion/solution. I'm not sure if it's 100% correct..but it works.

I put all of my configuration in the dispatcher-servlet.xml file. So instead of having a disptacher-servlet.xml and application-context.xml. The dispatcher-servlet.xml is loaded by the application (contextConfigLocation). Within the dispatcher-servlet.xml I import my security-context.xml and datasource-context.xml. Afer that, everything works.

Answer 3

In my case, the exact location of this statement:

<global-method-security secured-annotations="enabled" >

proved to be very important. Make sure that you put it after you declare which classes should be scanned and used as controllers.

<context:component-scan base-package="com.test.controller" />

This is the way to make sure that the @Secured annotations will also get into the game

Answer 4

I had this same problem. After I added:

<context:annotation-config />

in my spring-security.xml file it disappeared.

Hope this will help someone :)

Answer 5

Do you have the statement

<global-method-security   secured-annotations="enabled" jsr250-annotations="enabled" />

in the same configuration file as the one you defined the MyServiceManager bean? I had the same problem until I turned on debug for org.springframework, and noticed that spring security was only applied on the same file as the ones where global-method-security was defined in.

Answer 6

Did you use something like this in your web.xml

<servlet>
    <servlet-name>name</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/webmvc-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

I'm not sure why, but if I use the DispatcherServlet I was not able to enforce Security annotations