
Possible Duplicate:
Can Spring Security use @PreAuthorize on Spring controllers methods?

Here is my configuration: pom.xml

<!-- Spring Security -->
<!-- The three Spring Security artifacts below share ${spring-security.version}, so they are
     upgraded together. The property is defined elsewhere in the POM (not shown here). -->
<!-- spring-security-config: supplies the security XML namespace (global-method-security,
     http, ...) used in security.xml. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
    <scope>compile</scope>
</dependency>
<!-- spring-security-taglibs: JSP tag library; only needed if the views use the security tags. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-taglibs</artifactId>
    <version>${spring-security.version}</version>
    <scope>compile</scope>
</dependency>
<!-- spring-security-web: servlet filter chain behind the http element. -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
    <scope>compile</scope>
</dependency>

<!-- AOP dependency -->
<!-- cglib is pinned to a literal version, so it does not follow the Spring Security property.
     NOTE(review): presumably here so that classes without an interface (such as controllers)
     can be proxied for method security. Confirm it is still required and that 2.2 is a
     release you are willing to keep shipping. -->
<!-- NOTE(review): spring-aop is not declared in this fragment; it presumably arrives
     transitively. Verify with "mvn dependency:tree", because method security silently
     does nothing for beans that are never proxied. -->
<dependency>
    <groupId>cglib</groupId>
    <artifactId>cglib</artifactId>
    <version>2.2</version>
</dependency>
<!-- end of Spring Security -->

Here is security.xml:

    <!-- secured-annotations = (@Secured("ROLE_ADMIN")) -->
    <!-- jsr250-annotations = (@RunAs @RolesAllowed @PermitAll @DenyAll @DeclareRoles) -->
    <!-- pre-post-annotations = @PreAuthorize("hasAuthority('ROLE_ADMIN')") -->

<!-- Method security: only the @PreAuthorize / @PostAuthorize family is switched on.
     NOTE(review): this element only advises beans created in the application context that
     loads this file. If the controllers are created by the DispatcherServlet's own context,
     as a commenter on this page suggests, their @PreAuthorize annotations are never
     evaluated and the call proceeds unchecked, with no error. Declare the element in the
     context that defines the controllers. -->
<global-method-security secured-annotations="disabled"
                        jsr250-annotations="disabled"
                        pre-post-annotations="enabled"/>

<!-- Web security filter chain. URL rewriting is disabled, which keeps the session id out
     of URLs. Denied requests are sent to the accessDenied.jsp error page.
     NOTE(review): there are no intercept-url children, so this block imposes no URL-level
     access rules. Authorization then rests entirely on method annotations; if those are
     not applied, /person is reachable with any role. URL rules for the protected paths
     would give a second layer that fails closed. -->
<http       auto-config='true' 
            disable-url-rewriting="true" 
            access-denied-page="/WEB-INF/jsp/errors/accessDenied.jsp">


    <!-- Unauthenticated requests are given ROLE_ANONYMOUS. -->
    <anonymous granted-authority="ROLE_ANONYMOUS" key="anonymous"/>


    <!-- Logout is triggered at /logout.do and then redirects to the site root. -->
    <logout logout-url="/logout.do" logout-success-url="/" />

    <!-- Form login: the login form is served at "/", credentials are posted to /login, and
         failures return to "/" with authfailed=true. With always-use-default-target="false",
         the user is sent to the originally requested page when there is one, otherwise to
         /person. -->
    <form-login always-use-default-target="false" 
        authentication-failure-url="/?authfailed=true" 
        default-target-url="/person"
        login-page="/" 
        login-processing-url="/login"
        username-parameter="username" 
        password-parameter="password" 
         />

      <!-- Remember-me is delegated to the rememberMeService bean (defined elsewhere).
           NOTE(review): "rememberMe" is a guessable literal. If the bean is a token-based
           implementation, this key is part of what signs the remember-me cookie. Use a long,
           random, deployment-specific value, supplied from outside the source tree, and keep
           it identical to the key configured on the bean. -->
      <remember-me key="rememberMe" services-ref="rememberMeService"/>
</http>

When I call a controller method like this:

@RequestMapping("/person") public class PersonController {

/**
 * Handles the base "/person" mapping: runs doStuff() and then redirects to /person/home.
 *
 * Access is meant to be limited to callers holding ROLE_ADMIN through @PreAuthorize.
 * NOTE(review): the expression is evaluated only when Spring Security's method-security
 * advice is applied to this controller bean, which requires method security to be enabled
 * in the application context that creates the controller. When it is not, the annotation is
 * ignored without any error and every caller reaches doStuff().
 *
 * @return the redirect view name "redirect:/person/home"
 */
@RequestMapping("")
@PreAuthorize("hasAuthority('ROLE_ADMIN')")
public String root() {
    doStuff();
    String redirectTarget = "redirect:/person/home";
    return redirectTarget;
}

When I log in with any other role, the request still succeeds and I get the normal result, so the @PreAuthorize("hasAuthority('ROLE_ADMIN')") annotation is not being enforced.

There are no compilation errors and no runtime exceptions.

Thanks.

  • " your controller is likely situated in servlet context, while the method interceptor declared in the root context" - please explain better - what you actually mean? – user618526 Aug 07 '12 at 07:35
  • 1
    http://stackoverflow.com/questions/3652090/difference-between-applicationcontext-and-spring-servlet-xml-in-spring method interceptors (spring AOP) work only in bounds of the contexts where they were declared – Boris Treukhov Aug 07 '12 at 08:16
  • do you have the spring-aop dependency ? – Simeon Aug 08 '12 at 10:19
