spring security3's protect pointcut is not working - spring

<http>
<intercept-url pattern="/a.jsp" access="hasRole('ROLE_X')"/>
</http>
In Spring Security 3.0.7 or 3.1 it is OK: only 'ROLE_X' can see the a.jsp page.
But:
<global-method-security >
<protect-pointcut expression="execution(* test.Test.o1*(..))" access="hasRole('ROLE_X')"/>
</global-method-security>
it is not working, everyone can use the method test.Test.o1.
When pre-post-annotations="enabled" and
@PreAuthorize("hasRole('ROLE_X')")
it is also not working, everyone can use the method test.Test.o1.
I'm so sad.
Any advice, or a working 'global-method-security' demo? Thanks.

You need to place this annotation in servlet config.
http://static.springsource.org/spring-security/site/faq/faq.html#faq-method-security-in-web-context
See also:
Can Spring Security use #PreAuthorize on Spring controllers methods?
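A layout that follows the FAQ's advice, added here as an illustration and not taken from the answer or from the poster's project: the method-security element goes into the DispatcherServlet's own XML (called dispatcher-servlet.xml below, an assumed name), in the same context that creates the test.Test bean, while <http> and <authentication-manager> stay in the root context that ContextLoaderListener loads. The protect-pointcut uses the plain role-list form (ROLE_X) that the other questions on this page use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dispatcher-servlet.xml (assumed file name): the DispatcherServlet's own context.
     Beans defined here are post-processed only by a <global-method-security>
     declared in THIS file. A <global-method-security> in the root context
     (spring-security.xml) never sees them, which is why the pointcut and
     @PreAuthorize appeared to do nothing. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- The bean whose o1* methods should be protected. Its class carries
         @PreAuthorize("hasRole('ROLE_X')") on those methods (from the question). -->
    <bean id="test" class="test.Test"/>

    <!-- Declared in the same context as the bean it must advise.
         Both the pointcut rule and the @PreAuthorize annotations now apply,
         and the proxy around 'test' enforces them for callers from outside the bean. -->
    <security:global-method-security pre-post-annotations="enabled">
        <security:protect-pointcut expression="execution(* test.Test.o1*(..))"
                                   access="ROLE_X"/>
    </security:global-method-security>

    <!-- Leave <security:http> and <security:authentication-manager> in the
         root-context file; only the method-security part moves here. -->
</beans>
```

Quick check that the move worked: with this in place an authenticated user without ROLE_X who calls Test.o1() through the Spring-managed bean should get an AccessDeniedException, whereas before the move the call succeeded for everyone.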

Related

Not picking up properties from spring security config

I am using Spring Security and have an auth-ref-handler. Inside of it I need to get a property, yet that property is not getting set. If I put the same code in my Spring MVC controller REST handler method, it works.
spring-security.xml
<context:property-placeholder location="file:/TcatServer6/myapp/properties/myapp/myapp.properties" />
<beans:bean id="adsh" class="com.mycompany.security.ADAuthenticationSuccessHandler"/>
<http auto-config="true">
<intercept-url pattern="/agent/**" access="ROLE_AGENT" />
<intercept-url pattern="/supervisor/**" access="ROLE_SUPERVISOR" />
<form-login
login-page="/r/views/login.html"
authentication-failure-url="/r/views/loginfailed.html"
authentication-success-handler-ref="adsh"
/>
<logout logout-success-url="/logout" />
</http>
In ADAuthenticationSuccessHandler:
@Autowired
@Value("${acr_url}")
private String acrURL;
I have the EXACT same code in one of my Spring MVC controllers and it works! In my AuthenticationSuccessHandler it always gets null.
Spring is turning out to be a configuration nightmare with all these things working inconsistently.
Update: Based on the feedback and my test, I think this may be a bug in Spring. Try it for yourself: just try to get a property out of a property file using the @Autowired or @Value annotations within a Spring AuthenticationSuccessHandler declared in your spring-security.xml. Can someone else try it and see if they get similar results?

How to override security access in Spring?

I'm using Spring Framework 4.0.0 GA and Spring Security 3.2.0 GA. I have applied security to all methods of all classes in a package using a point cut expression as follows.
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
<protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>
All methods of all classes defined in the package admin.dao can then only be accessed by a user whose authority is ROLE_ADMIN.
Is it now possible to override this security constraint in some method(s) of some class in this package?
I need to give anonymous access to some methods in some class under this package (which is already secured).
In JAAS, this can be achieved by using the javax.annotation.security.PermitAll annotation above the method in question, which overrides any global constraints (constraints applied at class level, for example).
I have tried @Secured(value = "permitAll") and @Secured(value = "isAnonymous()") above the method in question, but neither of them worked.
Try the following:
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class="false">
<protect-pointcut expression="execution(* admin.your.permit.all.dao.*.*(..))"
access="permitAll"/>
<protect-pointcut expression="execution(* admin.dao.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>
Make sure to put the permitAll protect-pointcut entry first; in this case the order is important.

Spring+ LDAP integration

I want to integrate LDAP in my spring application.
Requirement: on a request it should redirect to my login page and ask for user/password. Then, on submit, it should authenticate against LDAP.
Thanks
There is a special project in Spring called Spring Security for this purpose. The core functionality is built as a set of servlet API filters. There are multiple connectors for the user database (LDAP, DB, Active Directory, etc.). Here you can see how to add a basic configuration. Your configuration may look like this:
<http use-expressions="true">
<intercept-url pattern="/**" access="isAuthenticated()" />
<form-login />
<logout />
</http>
Note that I prefer SpEL expressions for security rules. And here you can see how to add LDAP.
Hope it helps.
Along with that you also need LDAP configuration like this:
<ldap-server url="ldap://localhost:10389/dc=example,dc=com" />
<authentication-manager alias="authenticationManager" erase-credentials="true">
    <ldap-authentication-provider
        user-dn-pattern="uid={0},ou=people"
        group-search-base="ou=groups"
        group-search-filter="(members={0})">
    </ldap-authentication-provider>
</authentication-manager>

Spring Security environment specific intercept-url

Here is the Spring Security intercept-url configuration:
<intercept-url pattern="/**.html"
access="ROLE_USER" requires-channel="https" />
I want to make requires-channel="any" for local environment.
Is it possible to add absolute URL in the pattern?
You can use Spring bean definition profiles to achieve that.
<beans profile="local">
</beans>
It's a new feature. Take a look at the entry on the SpringSource blog: http://blog.springsource.com/2011/02/11/spring-framework-3-1-m1-released/
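Concretely, as an added example that is not part of the answer: a single spring-security.xml whose channel rule depends on the active bean definition profile, so the same file serves both environments. The profile names local and prod, the in-memory user and the use of auto-config are placeholders chosen for the illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
                 http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Shared by every profile. The user below is a constructed placeholder. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="changeme" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!-- Nested <beans> blocks must be the last elements in the file.
         Only the block whose profile is active gets registered; activate one with
         -Dspring.profiles.active=local or a context-param named spring.profiles.active
         in web.xml. With no profile active, neither <http> is loaded. -->

    <!-- Developer workstation: plain HTTP is acceptable for the same URL set. -->
    <beans:beans profile="local">
        <http auto-config="true">
            <intercept-url pattern="/**.html" access="ROLE_USER" requires-channel="any"/>
        </http>
    </beans:beans>

    <!-- Everything else: the rule from the question, HTTPS enforced. -->
    <beans:beans profile="prod">
        <http auto-config="true">
            <intercept-url pattern="/**.html" access="ROLE_USER" requires-channel="https"/>
        </http>
    </beans:beans>
</beans:beans>
```

This keeps the URL pattern identical in both environments and varies only requires-channel, so a rule cannot silently be weaker in production than in the local profile. Since the local block is the only place where "any" appears, a grep for requires-channel="any" outside a profile="local" block is an easy review check.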

global-method-security works on some beans but not others using spring security

I've a service,
<bean id="myservicie" class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
<property name="service" ref="aService"/>
<property name="serviceInterface" value="com.statestr.oms.fx.ws.service.IService"/>
</bean>
and inside this aService,
@Secured({"ROLE_USER"})
private void mythod();
but it's not working.
However, if I move this method to another bean, say mybean, the security annotation will work.
I've enabled both in the configuration like below. Can anyone help? Thx.
<global-method-security secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
<protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Mybean*.*(..))" access="ROLE_USER"/>
<protect-pointcut expression="execution(* *..com.statestr.oms.service.impl.*Service*.*(..))" access="ROLE_USER"/>
</global-method-security>
I guess it is because your application uses Spring proxy AOP. And this AOP style has no effect if the method is invoked directly (from within the same bean). And I think that is what you do, because the method you mentioned is a private method.
So what you can do is:
use AspectJ (I strongly recommend it), or
put the @Secured annotation on a method that is invoked from outside the bean.
Anyway, your configuration looks a bit strange: why do you use @Secured AND <protect-pointcut ...> for the same class? One of them should be enough.
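To make the self-invocation point concrete, here is an added example that is not the poster's or the answerer's code: a stand-in for Spring's JDK-proxy based method security, small enough to run with a plain JDK and no Spring on the classpath. The interface, class and role names are invented for the demo; the handler plays the role of MethodSecurityInterceptor.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

/*
 * Demo of why proxy-based method security misses internal calls.
 * Spring's default (non-AspectJ) method security wraps the bean in a proxy;
 * only calls that arrive through the proxy reach the security interceptor.
 */
public class SelfInvocationDemo {

    public interface IService {
        String publicOp();    // unsecured entry point, called through the proxy
        String securedOp();   // the method we want to protect
    }

    // The target bean. publicOp() calls securedOp() on 'this', i.e. on the raw
    // object, never on the proxy that wraps it.
    public static class ServiceImpl implements IService {
        @Override public String publicOp() {
            return "publicOp -> " + securedOp();   // internal call, bypasses the proxy
        }
        @Override public String securedOp() {
            return "securedOp executed";
        }
    }

    // Stand-in for MethodSecurityInterceptor: it only ever sees calls that go
    // through the proxy. Denies securedOp() unless the caller holds ROLE_USER.
    public static class SecurityInterceptor implements InvocationHandler {
        private final Object target;
        private final boolean callerHasRoleUser;   // hypothetical caller's authority
        int securedOpIntercepted = 0;              // how often securedOp() was checked

        SecurityInterceptor(Object target, boolean callerHasRoleUser) {
            this.target = target;
            this.callerHasRoleUser = callerHasRoleUser;
        }

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            if ("securedOp".equals(m.getName())) {
                securedOpIntercepted++;
                if (!callerHasRoleUser) {
                    throw new SecurityException("access denied: securedOp needs ROLE_USER");
                }
            }
            return m.invoke(target, args);
        }
    }

    // Wrap the target in a JDK dynamic proxy, as Spring does for interface-backed beans.
    static IService secure(SecurityInterceptor handler) {
        return (IService) Proxy.newProxyInstance(
                IService.class.getClassLoader(), new Class<?>[] { IService.class }, handler);
    }

    // Case 1: an anonymous caller invokes securedOp() through the proxy: denied.
    public static boolean directCallIsDenied() {
        SecurityInterceptor h = new SecurityInterceptor(new ServiceImpl(), false);
        IService svc = secure(h);
        try {
            svc.securedOp();
            return false;                          // should not get here
        } catch (SecurityException expected) {
            return h.securedOpIntercepted == 1;    // the interceptor saw and blocked it
        }
    }

    // Case 2: the same anonymous caller invokes publicOp() through the proxy.
    // publicOp() then calls securedOp() on 'this'; the interceptor never sees that
    // call, so the "secured" method runs with no check at all.
    public static boolean internalCallBypassesCheck() {
        SecurityInterceptor h = new SecurityInterceptor(new ServiceImpl(), false);
        IService svc = secure(h);
        String result = svc.publicOp();            // no SecurityException
        return h.securedOpIntercepted == 0 && result.endsWith("securedOp executed");
    }

    public static void main(String[] args) {
        System.out.println("direct call through proxy denied: " + directCallIsDenied());
        System.out.println("internal call bypasses the check: " + internalCallBypassesCheck());
    }
}
```

Two consequences for the question above: a private method is not part of the proxied interface at all, so no proxy can ever intercept it, and a public method that is only reached through this.method() from inside the same bean is equally invisible to the interceptor. Moving the method to another bean (as the poster observed) works because the call then crosses a proxy boundary. The AspectJ route the answer recommends (global-method-security with mode="aspectj", plus the spring-security-aspects weaving) advises the class itself rather than a proxy, so internal calls are checked as well.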
