I have a Struts2 action with an @Secured({"ROLE_ADMIN"}) to secure the execute method. In the execute method I assign a message to a member variable of the action, then return SUCCESS and end up on the JSP page. On the page I retrieve the action's member variable with <s:property>.

    private String greeting;

    public String execute() throws Exception {
        this.greeting = "Hello";
        return SUCCESS;
    }

    // getters and setters for greeting
    ...

    <s:property value="greeting" />

The problem is that when the secured annotation is present, the JSP shows nothing for the member variable, but when @Secured is removed the whole thing behaves properly and shows the message that was set into the member variable.

It appears that the actual security is working ok but when enabled via the annotation the member variable (or maybe the instance of the action) is not making its way onto the value stack.

I can't see any error messages.

A: 

You have to make sure that before the <s:property value="greeting" /> is executed, you have the "ROLE_ADMIN" present as a granted authority in the SecurityContextHolder.getContext().

Also, if you use the default "thread local" strategy of storing the security context, make sure the granted authorities are properly stored in each request thread. For example, if you store information about the user credentials in the HTTP session, you need an HttpSessionContextIntegrationFilter set up.

As a last resort, if you have the possibility, you can do a step-by-step debug session in the Spring Security Interceptor you are using and check out what the problem is.

Horia Chiorean
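
The check described in the answer above, as an added example that is not part of the original post or of Spring Security's own code: it tests whether "ROLE_ADMIN" is bound to the current thread's SecurityContext and shows that, with the default thread-local strategy, a second thread sees the authority only after the stored context is restored. It assumes Spring Security 3 or later package names; the class name, the helper `hasAuthority` and the user "alice" are constructed for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class SecurityContextCheck {

    /** True if the context bound to the calling thread carries the given authority. */
    static boolean hasAuthority(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false; // nothing was bound to this thread
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample user; in a web application the login filter creates this.
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        SecurityContextHolder.getContext().setAuthentication(admin);
        // Stands in for the copy of the context kept in the HTTP session.
        final SecurityContext stored = SecurityContextHolder.getContext();
        // Stands in for a different request thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println("login thread:           " + hasAuthority("ROLE_ADMIN"));
            boolean bare = pool.submit(() -> hasAuthority("ROLE_ADMIN")).get();
            System.out.println("new thread, no restore: " + bare);
            boolean restored = pool.submit(() -> {
                SecurityContextHolder.setContext(stored); // per-request restore step
                try { return hasAuthority("ROLE_ADMIN"); }
                finally { SecurityContextHolder.clearContext(); }
            }).get();
            System.out.println("new thread, restored:   " + restored);
        } finally {
            pool.shutdown();
            SecurityContextHolder.clearContext();
        }
    }
}
```

Calling `hasAuthority("ROLE_ADMIN")` at the start of the action's execute method, or from a breakpoint in the interceptor, tells you whether the request thread has the authority at the point where the annotation is evaluated.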