2

I have a Jersey application that is using Jesery-SpringServlet. In addition I am trying to use Spring security to secure the webapp. Specifically i'm using the @Secured and @PreAuthorize annotations to secure a web resource method however, anytime I apply this or any other spring security annotation the autowired fields fail to be autowired.

I'm using Jersey 1.7 with Jersey-Spring servlet + spring 3.1.2 security. I'm also using the spring-security custom-filter. I have implemented the userDetailsService and setup the necessary spring beans to wire it into the preAuthProvider. As you can see from the code below i have provided some dummy users and roles.

Everything loads up okay and all beans autowired as expected. However, in the JerseyServiceTest class below, the myService field is null when the @PreAuthorize annotation is applied to the getInfo() method. It works fine when I remove the @PreAuthorize annotation:

Please help me resolve this. below are my files:

security-config.xml:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xmlns:security="http://www.springframework.org/schema/security"

    xsi:schemaLocation="
        http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.1.xsd
        http://activemq.apache.org/schema/core
        http://activemq.apache.org/schema/core/spring-core-3.1.xsd
        http://www.springframework.org/schema/tx 
        http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
        http://www.springframework.org/schema/aop
        http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">



        <context:annotation-config/>

    <context:component-scan base-package="com.*" />



    <security:global-method-security
    pre-post-annotations="enabled">
    <security:expression-handler ref="expressionHandler" />
</security:global-method-security>

    <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    </bean>


    <security:http use-expressions="true" auto-config="true" create-session="stateless">
     <security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
    <security:intercept-url pattern="/resources/batchstatus/criteria" access="ROLE_App_user"/>   -->

 </security:http>

  <bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="SM_USER"/>
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="exceptionIfHeaderMissing" value="false" />
  </bean>

  <bean id="preauthAuthProvider"
              class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
      <bean id="userDetailsServiceWrapper"
          class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="userDetailsService"/>
      </bean>
    </property>
   </bean>

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>
</beans>

Snippet of my contextInitializer class:

  context.setConfigLocations(new String[] {
                "/WEB-INF/spring/Application-config.xml",
                "/WEB-INF/spring/security-config.xml"});
    }
.....

JerseyServiceTest: 

...    
@Component

@Path("/test")

@Component
public class JerseyServiceTest {

    @Autowired
    private MyService myService;

    @GET

    @Produces(MediaType.APPLICATION_JSON)

   @PreAuthorize("hasRole('ROLE_App_user')")

    public final getInfo(){
   ... do something 

    }
...

UserDetailsService: 

@Service("userDetailsService")
public class UserRoleFetchService implements UserDetailsService {

    GrantedAuthority ga = new GrantedAuthorityImpl("ROLE_App_user");
    GrantedAuthority ga1 = new GrantedAuthorityImpl("ROLE_App_user1");
    Collection<GrantedAuthority> gas = new ArrayList<GrantedAuthority>();


    @Override
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException, DataAccessException {
        gas.add(ga);
        gas.add(ga1);

    UserDetails user = new User(userName, "password", gas); 


    return user;
    }   
}

web.xml :

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>Jersey-Test</display-name>
  <welcome-file-list>
  <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <context-param>

    <param-name>contextInitializerClasses</param-name>

    <param-value>mypackage.myContextInitializerClass</param-value>

  </context-param>

  <filter>

    <filter-name>springSecurityFilterChain</filter-name>

    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

  </filter>

  <filter-mapping>

    <filter-name>springSecurityFilterChain</filter-name>

    <url-pattern>/*</url-pattern>

  </filter-mapping>


  <filter-mapping>

     <filter-name>springSecurityFilterChain</filter-name>

    <url-pattern>/resources/*</url-pattern>

  </filter-mapping>

  <listener>

    <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>

  </listener>

  <listener>

    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

  </listener>


  <servlet>

    <servlet-name>jersey-servlet</servlet-name>

    <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>

    <init-param>

        <param-name>com.sun.jersey.config.property.packages</param-name>

        <param-value>managed</param-value>

    </init-param>

    <init-param>

        <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>

        <param-value>true</param-value>

    </init-param>

    <load-on-startup>1</load-on-startup>

  </servlet>

  <servlet-mapping>

    <servlet-name>jersey-servlet</servlet-name>

    <url-pattern>/resources/*</url-pattern>

  </servlet-mapping>

</web-app>

I can't post too much details due to company restrictions.

talonmies
  • 70,661
  • 34
  • 192
  • 269
ranman
  • 21
  • 1
  • 5

0 Answers0