1

My controller:

@RequestMapping("/createchar")
@PreAuthorize("hasRole('ROLE_USER')")
public String createCharacter(Map<String, Object> map, Principal principal) {

spring-security.xml

<global-method-security pre-post-annotations="enabled"
    proxy-target-class="true" />
...
<intercept-url pattern="/game*" access="ROLE_USER" />
    <form-login login-page="/account/login" ...

The page is always loaded, even after redeploying the application. I haven't even logged in. Why doesn't it redirect to the login page?

If you need any more info, feel free to ask.

Jaanus

3 Answers

2

The controller beans typically reside inside the servlet context, so they are affected neither by the AOP declarations nor by the bean post processors in the root application context.

Difference between applicationContext.xml and spring-servlet.xml in Spring Framework

I believe that proxying the controller classes is not a good idea, see Spring-MVC Problem using @Controller on controller implementing an interface - so I prefer to avoid using AOP on controller classes to avoid surprises - and use it only on service/DAO beans i.e. the beans in the root application context.

In this case you should use the intercept-url approach for the web pages.

Community
Boris Treukhov
2

While on an internship I faced the same problem. It took me and my teammates 2 days of crunching through the Spring Security source code. However, today we were told that the reason for not even seeing any exceptions is the "AOP mechanisms", which were mentioned earlier. The reason is that the proxy class must be created.

Spring Proxy Mechanisms

So all we needed to do in our particular situation was to add

<aop:config proxy-target-class="true" />

to the app-servlet.xml

If you try to debug your code and look for methods that are invoked by Spring, you may even solve similar problems (as the real cause may be different), but it is a great challenge for your patience.

Hope this will help you and others.

Anjenson
1

I was facing the same issue. My problem was solved when I moved the element below from applicationContext.xml to *-servlet.xml (my dispatcher's configuration XML).

<security:global-method-security secured-annotations="enabled"/>

You have to include this element in your dispatcher's XML, NOT in your application's XML.
Spring FAQ

Georgios Syngouroglou
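The placement the answers above describe, written out as an added example that is not part of the original posts: a dispatcher servlet context (the file name app-servlet.xml is taken from the second answer) that declares method security in the same context that creates the controllers. The base package com.example.web is a hypothetical placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- app-servlet.xml: the DispatcherServlet's own (child) context.
     Added example; package name below is a hypothetical placeholder. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/context
         http://www.springframework.org/schema/context/spring-context.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The @Controller beans are created here, in the servlet context. -->
    <context:component-scan base-package="com.example.web" />

    <!-- Method security is applied by a post-processor that only sees beans
         of the context it is declared in. Declared only in the root context
         (applicationContext.xml / spring-security.xml), it never wraps the
         controllers above, so @PreAuthorize on them is silently ignored.
         Declaring it here makes the annotation on createCharacter effective.

         pre-post-annotations="enabled" matches the question's @PreAuthorize;
         secured-annotations="enabled" would be the switch for @Secured.
         proxy-target-class="true" (as in the question) requests class-based
         proxies, so controllers do not have to implement an interface. -->
    <security:global-method-security pre-post-annotations="enabled"
                                     proxy-target-class="true" />

    <!-- Caveat: this declaration covers only beans of this servlet context.
         Service/DAO beans living in the root context still need their own
         global-method-security element in the root context if they carry
         security annotations. -->
</beans>
```

If the intercept-url approach from the first answer is used instead, the rule only protects a handler when its pattern actually matches the handler's request path, so a pattern such as `/game*` does not cover a request to `/createchar`.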