3

Colleagues, In the spring security documentation I met following notion:

If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.

Could anybody please show me workable example of such usage. The best case if this is done with help of static weaving.

Thank you in advance!

Charles
  • 50,943
  • 13
  • 104
  • 142
Dewfy
  • 23,277
  • 13
  • 73
  • 121
  • Spring Roo does a nice job of integrating AspectJ into a standard Spring project layout. Spring Security integrates easily into that too. Not sure if my suggestion serves your needs, but you could slap together a sample Roo project to see how they all play together. – Marc Apr 10 '12 at 14:19
  • @Marc don't understand what is the relation between RAD console and pure technical question **how to do smth...** – Dewfy Apr 10 '12 at 14:47
  • I don't know exactly how to do this, which is why I didn't post an actual "answer." I'm telling you how you might get a good example though, and that would be to use Roo to quickly generate your very own working AspectJ configured example that follows standard Spring-recommended conventions. And then you could study it for some direction. If you don't like that suggestion, you may feel free to wait for a better ANSWER. – Marc Apr 10 '12 at 14:55
  • @Marc looks like Roo uses 'standard' approach - when bean resolved from spring context, but not with `new operator` – Dewfy Apr 10 '12 at 15:43
  • okay. My only experience using AspectJ is in the context of Roo, so I thought maybe that'd help you get a clean example. Sounds like you're looking for something a little more specific though, so I'm sorry if I led you astray with that. – Marc Apr 10 '12 at 15:48

1 Answers1

4

There is an Aspectj sample in the Spring Security codebase. It compiles against the spring-security-aspects module and then uses:

<global-method-security secured-annotations="enabled" mode="aspectj" />

to enable secured annotations. The code is very simple - it is really just a set of JUnit tests. If you take a look, you'll see that these include tests for both Spring-bean instances and instances created using the new operator.

If you want to know how spring-security-aspects works, check out the aspect source.

Shaun the Sheep
  • 22,353
  • 1
  • 72
  • 100
  • @Luke_Taylor it is great that exactly you response on this. Yesterday I've spend a lot of time staring you code/test in spring. Let me clarify question: when I'm compiling by bean with `ajc` and decompile it back I cannot see changes that have to match `private pointcut executionOfPrePostAnnotatedMethod() : execution(* *(..)) && (@annotation(PreAuthorize)`. Applying my own aspect works well. – Dewfy Apr 11 '12 at 07:30
  • also my spring prevent me from specifying `mode="aspectj"` – Dewfy Apr 11 '12 at 07:45
  • You haven't said which version you are using. `mode="aspectj"` is available in the current minor versions of both 3.0 and 3.1. I can't really comment on how you're using `ajc` and your observations with it - I don't know what's happening there. The sample I pointed you to should provide a good starting point for building working code which is compiled against the aspects module using `ajc`. I would try adding your classes to that and add another JUnit test method using your code. – Shaun the Sheep Apr 12 '12 at 12:52
  • I've just take latest 3.1 spring security, just copied AnnotationSecurityAspectTests into my project. All tests are failed so LTW has not been applied. I have placed my example to http://dl.dropbox.com/u/71145662/ssec.zip . Just for example - if you uncomment app.SAspect then at least cont.SecuredAction will react and disable @Secured annotated method – Dewfy Apr 12 '12 at 16:20
  • 1
    @LukeTaylor, the link for the AspectJ example now gives a 404 -- and it would be useful to have, if there is an updated address. – Erica Kane Jun 03 '16 at 22:54