
I have a question regarding a Spring mechanism. Here is the scenario:

I have an abstract controller class that has some dependencies injected by the @Resource annotation. A subclass contains the @RequestMapping annotation for handling the request. Until now everything worked fine and all dependencies got injected.

Now I am trying to introduce Spring Security into our project, but when I try to use @PreAuthorize I get a NullPointerException in some @ModelAttribute methods because the dependency injection fails now. I found out that Spring makes a proxy class of my controller but somehow does not inject all dependencies.

Maybe I am missing a configuration to tell Spring that the proxies have to use the dependencies of the target or that it should inject all dependencies into the proxy itself.

If somebody has an idea I would be happy to hear it.

M. Deinum
Quorgel

1 Answer


If you want to use the @PreAuthorize annotation, then the best way is to use it in the service layer, not in the controller. This is also documented here: http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/faq.html#faq-method-security-in-web-context "Generally we would recommend applying method security at the service layer rather than on individual web controllers"

If you want to protect URLs (i.e. @RequestMapping defined in controllers), the best way is using the intercept-url patterns as described at this URL: http://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/core-web-filters.html#filter-security-interceptor

If you still want to use @PreAuthorize in the controller, then you can follow these instructions (which already exist here: "Securing controller method with @RolesAllowed and @PreAuthorize")

To use @PreAuthorize and JSR-250 annotations, you must

  • annotate your Spring Security configuration class with: @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
  • if you use Spring AOP with JDK proxies anywhere else in your application, make all controller classes in which you want to use method security implement interfaces declaring all protected methods
  • if you use Spring AOP with CGLIB proxies anywhere else in your application, add proxyTargetClass = true to @EnableGlobalMethodSecurity: @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true, proxyTargetClass = true)
  • if you want to use CGLIB proxies with a Spring version under 3.2, add the CGLIB library to your classpath (CGLIB classes are included in Spring 3.2+)
  • avoid mixing CGLIB and JDK proxying, as it is not recommended by the Spring documentation: "Multiple <aop:config/> sections are collapsed into a single unified auto-proxy creator at runtime, which applies the strongest proxy settings that any of the <aop:config/> sections (typically from different XML bean definition files) specified. This also applies to the <tx:annotation-driven/> and <aop:aspectj-autoproxy/> elements. To be clear: using 'proxy-target-class="true"' on <tx:annotation-driven/>, <aop:aspectj-autoproxy/> or <aop:config/> elements will force the use of CGLIB proxies for all three of them."

Hope this helps

Community
Periklis Douvitsas
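
The service-layer arrangement the answer recommends, as an added example that is not part of the original question or answer. The class names, the role, the URL and the view name are hypothetical, and a Spring MVC application with Spring Security on the classpath is assumed:

```java
import java.util.Arrays;
import java.util.List;
import javax.annotation.Resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;

// Register this in the application context that defines the service beans.
// proxyTargetClass keeps its default (false): the service gets a JDK proxy.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

// Hypothetical service interface: it declares every protected method, so the
// JDK proxy exposes them and the @PreAuthorize check runs on each call.
interface ReportService {
    @PreAuthorize("hasRole('ROLE_REPORT_VIEWER')")
    List<String> findReports();
}

@Service
class DefaultReportService implements ReportService {
    public List<String> findReports() {
        return Arrays.asList("q1", "q2"); // constructed sample data
    }
}

// The controller hierarchy carries no security annotation, so method security
// does not proxy it and the @Resource field is injected as before.
abstract class BaseController {
    @Resource
    protected ReportService reportService; // receives the secured proxy
    @ModelAttribute("reports")
    public List<String> reports() {
        return reportService.findReports(); // AccessDeniedException without the role
    }
}

@Controller
class ReportController extends BaseController {
    @RequestMapping("/reports")
    public String list() {
        return "reports"; // hypothetical view name
    }
}
```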