I'm using Spring 4.x and trying to get @PreAuthorize to work, but for some reason the program continues without an exception as if there was no @PreAuthorize. I've read the documentation and I've looked at other posts here, but to no avail, and I have no idea where I'm going wrong as there are no errors being reported.

I have the following configurations:

@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, proxyTargetClass = true)
public class WorkInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class<?>[] { RootConfig.class };
    }

    @Override
    protected Class<?>[] getServletConfigClasses() {
        return new Class<?>[] { WebConfig.class };
    }

    @Override
    protected String[] getServletMappings() {
        return new String[] { "/" };
    }
}

And...

@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

...

}

and in my controller:

  @PreAuthorize("#username == authentication.name")
  @RequestMapping(value="/{username}", method=GET)
  public String viewPrivateProfile(@P("username") @PathVariable String username, Model model) {

      logger.debug("Debug: Entered Private Profile!");

      return "privateprofile";
  }

In the logs, it shows that @PreAuthorize has been found:

16:41:43.018 [localhost-startStop-1] DEBUG o.s.s.a.p.PrePostAnnotationSecurityMetadataSource - @org.springframework.security.access.prepost.PreAuthorize(value=#username == authentication.name) found on specific method: public java.lang.String com.work.personnel.ViewController.viewPrivateProfile(java.lang.String,org.springframework.ui.Model)

So, if I login as 'bob', I can also view 'mike's private profile by going to the following link:

http://localhost:8080/workarea/profile/private/mike

What could I have possibly done wrong, when all my other security features, such as authorizeRequests().antMatchers(...), etc., work as expected?

Cem
  • Are you sure that `@PreAuthorize` works on controllers at all? I'm suggesting to prove that first. Here is a related question: http://stackoverflow.com/questions/3087548/can-spring-security-use-preauthorize-on-spring-controllers-methods – Slava Semushin Jun 29 '16 at 12:02
  • Thanks for your comment. Yes, @PreAuthorize can work on controllers (and as indicated in the link that you provided). As I'm using Spring 4.x, CGLIB is automatically added and I've also tried adding proxyTargetClass = true parameter to EnableGlobalMethodSecurity – Cem Jun 29 '16 at 16:09
  • ..but for some reason it appears that my `@PreAuthorize` is not working or is not being validated – Cem Jun 29 '16 at 16:25
  • May be because you're using custom `@P` annotation? Is it possible? Did you try to modify condition to test what exactly part doesn't work? For example, will it work with `#username == 'test'`/`#username == null`/`authentication.name == 'test'`? – Slava Semushin Jun 29 '16 at 21:55
  • Yep, I've tried `#username == null`, etc., and I've also tried it without the `@P` annotation, but no results. It appears that `@PreAuthorize` doesn't do any validation, as if it's not there. – Cem Jun 30 '16 at 13:59
  • Because the configuration that has `@EnableGlobalMethodSecurity` is loaded by the `ContextLoaderListener` and your controllers are loaded/handled by the `DispatcherServlet`. When using AOP this will only be applied to beans in the same application context and not in root / child contexts. Define a configuration for `@EnableGlobalMethodSecurity` in the config that is loaded by the `DispatcherServlet` and also be sure to enable class based proxies! Getting AOP to work on controllers can be a challenge... – M. Deinum Jul 04 '16 at 09:35
  • I've now added `@EnableGlobalMethodSecurity(securedEnabled=true, prePostEnabled = true, proxyTargetClass = true)` to my class that extends `AbstractAnnotationConfigDispatcherServletInitializer` to have it defined in the `DispatcherServlet` and I've also added the attribute `proxyTargetClass = true` to enable class based proxies, but it's still not doing the verification (as if there is no `@PreAuthorize`). Note: I have updated my question to add the newly configured class that extends `AbstractAnnotationConfigDispatcherServletInitializer`. Is there anything else that you can suggest? Thanks – Cem Jul 04 '16 at 12:12
  • @M. Deinum I've tried other bits and pieces, but still hitting that wall. Do you have any other suggestions for me to try? Thanks in advance. – Cem Jul 05 '16 at 10:54
  • Adding it to that class will do exactly nothing. You have to add it to a `@Configuration` class. I strongly suggest a read of the documentation instead of doing trial and error and asking questions; do some reading. – M. Deinum Jul 05 '16 at 10:58
  • @M. Deinum Please be assured that I've read the docs and also the posts here (which demonstrates the XML config rather than the Java config). The code I provided was a snippet and I thought that it was obvious that was preceded with `@Configuration` as I wrote: 'I have the following configurations'. Anyway, I have given your first comment a vote as I believe you have put me into the right direction (thank you), but at present it appears that I have run out of ideas and may give up. All I can think of there must be ONE thing that I have missed which is required for Java config, but what? Thanks – Cem Jul 06 '16 at 12:36
  • Read my comment... Adding the annotation to the initializer is going to do nothing, nothing and gain nothing... That annotation has to be put on a class annotated with `@Configuration` as mentioned ... – M. Deinum Jul 06 '16 at 13:34
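The configuration split that M. Deinum's comments describe, written out as an added example (this is not the asker's code and not an accepted answer; package names, the `RootConfig` contents and the `/profile/private` mapping are assumptions). Method security is enabled on a `@Configuration` class that the `DispatcherServlet` loads, so the `@PreAuthorize` advice is created in the same context as the controller beans it must wrap; the initializer itself carries no security annotations because it is not a configuration class.

```java
// Added example, not the asker's code. Split into the files named in the comments.

// ---- File: WorkInitializer.java ----
// Only wires the two contexts; annotations placed here are ignored by Spring.
package com.work.personnel.config;   // assumed package

import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class WorkInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {
    // RootConfig is assumed to hold the WebSecurityConfigurerAdapter with the
    // authorizeRequests().antMatchers(...) rules the asker says already work.
    @Override protected Class<?>[] getRootConfigClasses()    { return new Class<?>[] { RootConfig.class }; }
    @Override protected Class<?>[] getServletConfigClasses() { return new Class<?>[] { WebConfig.class }; }
    @Override protected String[] getServletMappings()        { return new String[] { "/" }; }
}

// ---- File: WebConfig.java ----  (loaded by the DispatcherServlet, i.e. the child context)
package com.work.personnel.config;

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
@ComponentScan("com.work.personnel")   // the @Controller beans are created in THIS context
public class WebConfig extends WebMvcConfigurerAdapter {

    // Nested @Configuration classes are registered automatically. Enabling method
    // security here puts the @PreAuthorize interceptor in the same context as the
    // controllers, which is the condition for the AOP proxy to be applied.
    // proxyTargetClass = true requests CGLIB class proxies, since controllers
    // normally implement no interface; the controller must therefore not be final.
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
    public static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    }
}

// ---- File: ViewController.java ----
package com.work.personnel;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
@RequestMapping("/profile/private")   // assumed prefix, matching the URL in the question
public class ViewController {

    // The URL-level rules cannot express "only the owner may read this profile";
    // this SpEL check compares the path variable with the authenticated principal.
    // If the advice is created in the wrong context this annotation is inert and
    // any logged-in user can read any profile, which is the failure the question shows.
    @PreAuthorize("#username == authentication.name")
    @RequestMapping(value = "/{username}", method = RequestMethod.GET)
    public String viewPrivateProfile(@P("username") @PathVariable String username, Model model) {
        return "privateprofile";
    }
}
```

Two checks are worth doing before trusting the result. First, confirm that the interceptor fires at all by temporarily changing the expression to `@PreAuthorize("denyAll")`: a correctly wired controller now returns 403 for every user, and the startup log should show the controller being proxied rather than only the metadata-source line quoted in the question. Second, make sure `RootConfig` does not also component-scan the controller package; if it does, the controller beans belong to the root context and the child-context advice never sees them.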

0 Answers