I had lots of problems adding Secured annotations to my Controllers.

It turns out letting my Controller implement an InitializingBean was a bad idea.

public class MyController implements InitializingBean {

    @Secured(value="ROLE_ADMIN")
    @RequestMapping(method = RequestMethod.GET, value = "/{id}/edit")
    public String getView(Model model, @PathVariable("id") long id) {
        return "some view";
    }
}

This failed with:

WARN PageNotFound:962 - No mapping found for HTTP request with URI[...]

Removing the @Secured annotation would work, but obviously I didn't want to do that. After lots of wasted time on the net, I noticed the last difference between a working and a non-working controller was that it implemented the InitializingBean interface. And now this works like a charm:

public class MyController {

    @Secured(value="ROLE_ADMIN")
    @RequestMapping(method = RequestMethod.GET, value = "/{id}/edit")
    public String getView(Model model, @PathVariable("id") long id) {
        return "some view";
    }
}

Can anyone help me understand that behaviour?

+5  A: 

This happens because access to the annotations is lost when the security aspect is applied using a JDK dynamic proxy, which happens by default when the advised bean implements any interfaces.

To solve this problem, you should tell Spring Security to apply target-class-based proxies only, using <global-method-security proxy-target-class = "true" ...> ... (<aop:config proxy-target-class = "true" /> works too).

More about AOP proxies here.

axtavt
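
The effect described in the answer above can be reproduced with the JDK alone. This is an added example, not code from the question, the answer or Spring: `Mapped` and `Initializing` are hypothetical stand-ins for `@RequestMapping`/`@Secured` and `InitializingBean`, and `mappedMethods` is an assumed stand-in for an annotation scan over the bean's class.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class ProxyAnnotationDemo {

    // Hypothetical stand-in for @RequestMapping / @Secured (JDK-only demo).
    @Retention(RetentionPolicy.RUNTIME)
    public @interface Mapped { String value(); }

    // Hypothetical stand-in for InitializingBean: implementing any interface
    // is what makes an interface-based (JDK) proxy possible.
    public interface Initializing { void afterPropertiesSet(); }

    public static class MyController implements Initializing {
        @Override
        public void afterPropertiesSet() { }

        @Mapped("/{id}/edit")
        public String getView(long id) { return "some view"; }
    }

    // Counts public methods carrying @Mapped on the given type, the way an
    // annotation scan over a bean's class would look for handler methods.
    static long mappedMethods(Class<?> type) {
        long count = 0;
        for (Method m : type.getMethods()) {
            if (m.isAnnotationPresent(Mapped.class)) count++;
        }
        return count;
    }

    public static void main(String[] args) {
        MyController target = new MyController();
        // Pass-through handler: a real security aspect would check roles here.
        InvocationHandler handler = (p, method, a) -> method.invoke(target, a);
        // A JDK dynamic proxy implements only the listed interfaces.
        Object proxy = Proxy.newProxyInstance(
                MyController.class.getClassLoader(),
                new Class<?>[] { Initializing.class },
                handler);

        System.out.println("annotated methods on target class: " + mappedMethods(target.getClass()));
        System.out.println("annotated methods on JDK proxy:    " + mappedMethods(proxy.getClass()));
        System.out.println("proxy instanceof MyController:     " + (proxy instanceof MyController));
    }
}
```

The proxy class exposes only `afterPropertiesSet()` and the `Object` methods, so `getView` and its annotations are not reachable through it; a subclass-based proxy (`proxy-target-class="true"`) extends `MyController` and keeps the method visible.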