StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO@PreAuthorize does not work with method security rules and method parameters
text
Body
copied!<p>I am adding Spring Security to one Spring project. The architecture of the system is REST and user can access to different resources.</p> <p>I would like to give access to personal information to administrators and users that are owners of this information. I have started simple: filtering user profile like this:</p> <p>In my <strong>service layer</strong> I wanted to use method annotations and include method parameters..</p> <pre><code>@PreAuthorize("hasRole('ROLE_ADMIN') or principal.userId == #id") public Usuario getUser(int id) throws DAOException { ... } </code></pre> <p>But this is not working at all. Any user can see all profiles (admins and all users also) when this URL is requested (<strong>Web layer</strong>):</p> <pre><code>@RequestMapping(value="/user/{uid}", method=RequestMethod.GET) public ModelAndView getUser(@PathVariable int uid) throws DAOException { userDAO = new UsuarioJPADAO(); userService.setUsuarioDAO(userDAO); return new ModelAndView("user", "user", userService.getUser(uid)); } </code></pre> <p>Here is my <code>security.xml</code></p> <pre class="lang-xml prettyprint-override"><code><?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=" http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">  <global-method-security pre-post-annotations="enabled"/> <http auto-config="true" use-expressions="true"> <intercept-url pattern="/css/**" access="permitAll" /> <intercept-url pattern="/images/**" access="permitAll" /> <intercept-url pattern="/js/**" access="permitAll" /> <intercept-url pattern="/favicon.ico" access="permitAll" /> <intercept-url pattern="/login" access="permitAll" /> <intercept-url pattern="/users" access="hasRole('ROLE_ADMIN')" /> <intercept-url pattern="/users/page/*" access="hasRole('ROLE_ADMIN')" /> <intercept-url pattern="/customers" access="hasRole('ROLE_ADMIN')" /> <intercept-url pattern="/employees" access="hasRole('ROLE_ADMIN')" /> <intercept-url pattern="/search/*" access="hasRole('ROLE_ADMIN')" /> <intercept-url pattern="/*" access="hasAnyRole('ROLE_ADMIN, ROLE_EMPLOYEE, ROLE_PARTNER, ROLE_USER')" /> <intercept-url pattern="/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <intercept-url pattern="/*/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <intercept-url pattern="/*/*/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <intercept-url pattern="/*/*/*/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <intercept-url pattern="/*/*/*/*/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <intercept-url pattern="/*/*/*/*/*/*/*" access="hasAnyRole('ROLE_USER, ROLE_ADMIN')" /> <form-login login-page="/login" login-processing-url="/doLogin" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" default-target-url="/default" /> <logout invalidate-session="true" logout-success-url="/login?logout" logout-url="/logout"/> </http> <authentication-manager> <authentication-provider user-service-ref="UsuarioService"> </authentication-provider> </authentication-manager> </code></pre> <p></p> <p>I have checked <a href="http://www.packtpub.com/spring-security-3-1/book" rel="nofollow noreferrer">Spring Security 3.1 book</a> and apparently my configuration is as book suggests. I have read other Stack Overflow posts (<a href="https://stackoverflow.com/questions/14260135/spring-how-to-protect-restful-private-resources">here</a> and <a href="https://stackoverflow.com/questions/14185070/spring-securityintercept-url-pattern-access-id-1?lq=1">here</a>) but I had no luck.</p> <p><strong>Update:</strong> Added <code>application-context.xml</code></p> <pre class="lang-xml prettyprint-override"><code><?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:aop="http://www.springframework.org/schema/aop" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:security="http://www.springframework.org/schema/security" xmlns:context="http://www.springframework.org/schema/context" xmlns:jee="http://www.springframework.org/schema/jee" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <context:annotation-config /> <context:component-scan base-package="com.pe.fs" /> <mvc:annotation-driven /> <mvc:resources mapping="/**" location="/" /> <mvc:interceptors> <bean class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"> <property name="paramName" value="lang" /> </bean> </mvc:interceptors>  <bean id="jpaDataSource" class="oracle.jdbc.pool.OracleDataSource" destroy-method="close" p:driverType="oracle.jdbc.OracleDriver" p:user="**********" p:password="**********" p:uRL="jdbc:oracle:thin:@localhost:1521:XE" /> <bean id="entityManagerFactory" class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean"> <property name="persistenceXmlLocation" value="classpath*:META-INF/persistence.xml"></property> <property name="persistenceUnitName" value="freesunPU" /> <property name="dataSource" ref="jpaDataSource" /> <property name="jpaVendorAdapter"> <bean class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter"> <property name="showSql" value="false" /> </bean> </property> <property name="loadTimeWeaver"> <bean class="org.springframework.instrument.classloading.InstrumentationLoadTimeWeaver"/> </property> </bean> <bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager" p:entityManagerFactory-ref="entityManagerFactory" /> <tx:annotation-driven mode="aspectj"/> <context:load-time-weaver aspectj-weaving="autodetect" /> </code></pre> <p></p> <p><strong>Update:</strong> I have added <code>spring-security-aspects</code> to POM and no changes. Other changes suggested in answers have been tested with but annotations such <code>@PreAuthorize</code> are still not working. Cna this be a problem between contexts? Can be the usage of aspectJ the reason?</p> <p>What am I doing wrong?</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload