Can Spring Security use @PreAuthorize on Spring controllers methods?
+2
A:
Yes, it works fine.
You need <security:global-method-security pre-post-annotations="enabled" /> in ...-servlet.xml. It also requires CGLIB proxies, so either your controllers shouldn't have interfaces, or you should use proxy-target-class = true.
axtavt
2010-06-21 19:07:14
I put that in my spring security application context (I already had it actually) but Spring does not do anything with controllers using @Controller. Do I have to do anything special to get this to work above and beyond what you said?In
egervari
2010-06-21 19:49:01
I said, `global-method-security` should be in DispatcherServlet's context (`...-servlet.xml`) not in "spring security application context".
axtavt
2010-06-21 20:01:21
Thanks! I didn't move it because I couldn't see why it would make a difference since it gets merged... I guess it didn't ;) Works now!
egervari
2010-06-21 20:26:02
They are not merged. `DispatcherServlet`'s context is a child context of the `ContextLoaderListener`'s one. So they have different AOP configurations and therefore require different occurences of `<global-method-security>`.
axtavt
2010-06-21 20:52:42