I have a Spring controller where I have a method meant to be accessed by admin users:
    @Controller
    @RequestMapping("/*")
    public class HomeController {

        @RequestMapping(value = "addset", method = RequestMethod.GET, consumes = "application/json")
        @Secured("ROLE_ADMIN")
        public @ResponseBody Message addSet() {
            return new Message(100, "Congratulations!", "Set added");
        }
    }
My Application.java is as follows:
    @Configuration
    @ComponentScan
    @EnableAutoConfiguration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class Application {

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        @Bean
        public ApplicationSecurity applicationSecurity() {
            return new ApplicationSecurity();
        }

        @Order(Ordered.HIGHEST_PRECEDENCE)
        @Configuration
        protected static class AuthenticationSecurity extends
                GlobalAuthenticationConfigurerAdapter {

            @Autowired
            private CustomUserDetailsService users;

            @Override
            public void init(AuthenticationManagerBuilder auth) throws Exception {
                auth.userDetailsService(users);
            }
        }

        protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                // @formatter:off
                http
                    .csrf().disable()
                    .authorizeRequests()
                        .antMatchers("/signup","/about").permitAll()
                        .anyRequest().authenticated()
                        .and()
                    .httpBasic().and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
                // @formatter:on
            }
        }
    }
However, I am able to access the method from general users as well. The EnableGlobalMethodSecurity is not having any effect. I suspect it is because the annotation is over the Application class which has a different scope than the HomeController class. If I try to move the annotation over the HomeController class then I get an error:
Error creating bean with name 'methodSecurityInterceptor' defined in class path resource [org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.class]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public org.aopalliance.intercept.MethodInterceptor org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration.methodSecurityInterceptor() throws java.lang.Exception] threw exception; nested exception is org.springframework.beans.factory.BeanCurrentlyInCreationException: Error creating bean with name 'methodSecurityInterceptor': Requested bean is currently in creation: Is there an unresolvable circular reference?
The entire error is at: http://ift.tt/1B3UjF8
I am not sure why the circular reference is happening. Also, is the annotation ineffective because of its incorrect placing as I suspect?
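A way to check whether the @Secured rule on addSet() is actually enforced, as an added example that is not part of the original post: a MockMvc test that sends the request as a non-admin and as an admin. It assumes Spring Boot 1.4 or later with spring-security-test and JUnit 4 on the test classpath, that the test sits in the same package as Application, and that Message serializes to JSON; the class name and the users "alice" and "root" are constructed for the test.

```java
// Added example (not from the original post); see the assumptions in the lead-in.
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringRunner.class)
@SpringBootTest(classes = Application.class)
public class AddSetAuthorizationTest { // hypothetical test class name

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @Before
    public void setUp() {
        // springSecurity() installs the real filter chain, so the URL rules and the
        // translation of AccessDeniedException into a 403 both take part in the test.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void authenticatedNonAdminIsForbidden() throws Exception {
        // Constructed user holding only ROLE_USER; the mapping declares
        // consumes = "application/json", so the Content-Type header is set.
        mvc.perform(get("/addset").contentType(MediaType.APPLICATION_JSON)
                .with(user("alice").roles("USER")))
           .andExpect(status().isForbidden());
    }

    @Test
    public void adminIsAllowed() throws Exception {
        // Positive control: rules out a pass caused by every request being denied.
        mvc.perform(get("/addset").contentType(MediaType.APPLICATION_JSON)
                .with(user("root").roles("ADMIN")))
           .andExpect(status().isOk());
    }
}
```

If the annotation is not being applied, as the question reports, authenticatedNonAdminIsForbidden fails because the request returns 200 instead of 403.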