
As the title implies.

Below is my Spring Security configuration:


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
// prePostEnabled turns on @PreAuthorize/@PostAuthorize; proxyTargetClass forces CGLIB proxies
@EnableGlobalMethodSecurity(proxyTargetClass = true, prePostEnabled = true)
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AbstractAuthenticationProcessingFilter userPassAuthFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // every request must be authenticated; CSRF is off for this stateless API
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .csrf().disable();
        // custom username/password filter runs before basic auth; no HTTP session is created
        http.addFilterBefore(userPassAuthFilter, BasicAuthenticationFilter.class)
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

}

And my controller:


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Transactional
public class RoleController {

    @Autowired
    private UserBusinessService userBusinessService;

    // only callers holding ROLE_N123ORMAL_ROLE1 should reach this method
    @RequestMapping(value = "/api/list_users", method = RequestMethod.GET)
    @PreAuthorize("hasRole('N123ORMAL_ROLE1')")
    public Iterable listUsers() {
        return userBusinessService.getAllUsers();
    }

}

Having this, when trying to access /api/list_users with a user that doesn't have the specified role, it can get it without any problem. Even the logs are perfect, without noticing anything. When I move @PreAuthorize into userBusinessService at getAllUsers(), it works as expected: an error is thrown in the logs and Access denied is returned.

Can anybody help me get the @PreAuthorize annotation working for @Controller the same as for @Service?

artaxerxe

1 Answer

I had a similar issue with @Transactional and @PostFilter. The problem was an AOP advice ordering problem.

This question helped me in that regard: Order of Spring @Transactional and Spring Security @PreAuthorize

I hope it helps to resolve your issue.

BeWu
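The ordering fix the answer points at, with a check that the controller actually rejects a caller lacking the role. This is an added example, not code from the question or the answer: it assumes the `order` attribute on `@EnableGlobalMethodSecurity` and `@EnableTransactionManagement` (lower value = higher precedence, so the security interceptor wraps the transaction interceptor), that the question's `@EnableGlobalMethodSecurity` is moved here so it is declared once, Spring Security 4.x test support (`spring-security-test`) for `@WithMockUser`, and a hypothetical `AppConfig` standing in for the question's MVC and `SecurityConfig` classes plus the `RoleController` bean.

```java
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.transaction.annotation.EnableTransactionManagement;
import org.springframework.web.context.WebApplicationContext;

// Explicit advice ordering: the lower value wins, so method security runs before the transaction advice.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true, order = 0)
@EnableTransactionManagement(proxyTargetClass = true, order = 1)
class AdviceOrderConfig { }

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
// AppConfig is a hypothetical placeholder for the question's MVC/SecurityConfig classes and RoleController.
@ContextConfiguration(classes = {AdviceOrderConfig.class, AppConfig.class})
public class RoleControllerAccessTest {
    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;
    @Before
    public void setUp() {
        // apply(springSecurity()) installs the security filter chain and honours @WithMockUser
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }
    @Test
    @WithMockUser(roles = "SOMETHING_ELSE") // constructed role that is not N123ORMAL_ROLE1
    public void userWithoutRoleIsForbidden() throws Exception {
        mvc.perform(get("/api/list_users")).andExpect(status().isForbidden());
    }
    @Test
    @WithMockUser(roles = "N123ORMAL_ROLE1") // hasRole() adds the ROLE_ prefix itself
    public void userWithRoleIsAllowed() throws Exception {
        mvc.perform(get("/api/list_users")).andExpect(status().isOk());
    }
}
```

If the first test still returns 200, the method-security advice is not reaching the controller bean at all (for example because the controller lives in a child context that the security configuration does not cover), which is a separate problem from advice ordering.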