I would like to secure a method in my managed session bean for the specific role "ROLE_ADMIN".
Config (applicationContext-security.xml):
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Enables @PreAuthorize/@PostAuthorize, JSR-250 (@RolesAllowed) and @Secured on Spring-managed beans defined in this context. -->
    <global-method-security pre-post-annotations="enabled" jsr250-annotations="enabled" secured-annotations="enabled"/>

    <http auto-config="true" use-expressions="true">
        <!-- intercept-url rules are evaluated top to bottom and the first matching pattern wins,
             so the permitAll() rule below is shadowed by the isAuthenticated() rule and never applies. -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <intercept-url pattern="/**" access="permitAll()"/>
        <form-login
            login-processing-url="/j_spring_security_check"
            login-page="/login.jsf"
            default-target-url="/main.jsf"
            authentication-failure-url="/login.jsf" />
        <session-management>
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" />
        </session-management>
    </http>

    <!-- In-memory demo users with plaintext passwords; not for production. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="user1" password="user1" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <!-- Logs authentication success/failure events. -->
    <beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>
</beans:beans>
Bean's secured method:
    import org.springframework.security.access.prepost.PreAuthorize;

    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public String buy() {
    ...
    }
When I log in as user1, or as an anonymous user, and click the "buy" button on the web page, it is still redirected to the next page.
I expect an access denied exception to occur, but it doesn't.
So, predicates can be written using SpEL (Spring Expression Language). The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.
Method-level security is implemented by placing the @PreAuthorize annotation on controller methods (actually one of a set of annotations available, but the most commonly used). This annotation contains a Spring Expression Language (SpEL) snippet that is assessed to determine if the request should be authenticated.
The difference between @Secured and @PreAuthorize is as follows: @PreAuthorize can work with Spring EL. We can access methods and properties of SecurityExpressionRoot when using @PreAuthorize, but not with @Secured.
Annotation type EnableGlobalMethodSecurity: enables Spring Security global method security, similar to the XML support. More advanced configurations may wish to extend GlobalMethodSecurityConfiguration and override the protected methods to provide custom implementations.
Remember to enable method-level security in your applicationContext-security.xml:
<sec:global-method-security secured-annotations="enabled" />
If, instead, you use the Pre or Post annotations, use:
<security:global-method-security pre-post-annotations="enabled"/>
For more on this, see:
http://forum.springsource.org/showthread.php?t=77862
Note: for annotations from JSR-250:
<sec:global-method-security jsr250-annotations="enabled" />
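Added check, not part of the question or of either answer above: a self-contained Java program that enables the pre/post and @Secured annotations the answers describe (using the @EnableGlobalMethodSecurity Java config mentioned above instead of the XML element), defines the same two users as the poster's user-service, and then calls the secured bean as user1, as admin, and with no Authentication at all, failing loudly if a call is not rejected. The class and bean names (MethodSecurityCheck, MethodSecurityConfig, OrderService, OrderServiceImpl, Order) are hypothetical, and it assumes Spring Security 5 with spring-context, spring-aop, spring-security-core and spring-security-config on the classpath. Running a bean through a harness like this is the quickest way to find out whether the annotations are being enforced at all: they are applied by a Spring AOP proxy, so they only take effect on a Spring-managed bean that is called through that proxy.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/** Added example with hypothetical names: does method security actually reject user1 and anonymous callers? */
public class MethodSecurityCheck {

    // Java-config equivalent of <global-method-security pre-post-annotations="enabled" secured-annotations="enabled"/>
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
    public static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
        // Same users as the page's <user-service>; {noop} tells Spring Security 5 the demo passwords are unencoded.
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                .withUser("admin").password("{noop}admin").roles("USER", "ADMIN").and()
                .withUser("user1").password("{noop}user1").roles("USER");
        }

        // The annotations are only enforced on a Spring-managed bean that is called through its proxy.
        @Bean
        public OrderService orderService() { return new OrderServiceImpl(); }
    }

    public interface OrderService {
        String buy();
        Order findOrder(String owner);
        void cancelAll();
    }

    public static final class Order {
        public final String owner;
        Order(String owner) { this.owner = owner; }
    }

    public static class OrderServiceImpl implements OrderService {
        @PreAuthorize("hasRole('ROLE_ADMIN')")                        // SpEL, evaluated before the call
        public String buy() { return "bought"; }

        @PostAuthorize("returnObject.owner == authentication.name")   // evaluated after the call, against the result
        public Order findOrder(String owner) { return new Order(owner); }

        @Secured("ROLE_ADMIN")                                        // plain role name, no SpEL
        public void cancelAll() { }
    }

    /** Puts an already-authenticated token in the context, as the web filter chain does after form login. */
    static void runAs(String user, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(user, "n/a", AuthorityUtils.createAuthorityList(roles)));
    }

    /** Fails loudly if the security interceptor lets the call through. */
    static void expectRejected(Runnable call) {
        try {
            call.run();
        } catch (AccessDeniedException | AuthenticationCredentialsNotFoundException e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
            return;
        }
        throw new AssertionError("call was NOT rejected: method security is not applied to this bean");
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(MethodSecurityConfig.class)) {
            OrderService orders = ctx.getBean(OrderService.class);

            runAs("user1", "ROLE_USER");
            expectRejected(orders::buy);                          // AccessDeniedException from @PreAuthorize
            expectRejected(orders::cancelAll);                    // AccessDeniedException from @Secured
            expectRejected(() -> orders.findOrder("admin"));      // AccessDeniedException from @PostAuthorize: not user1's order
            System.out.println(orders.findOrder("user1").owner);  // user1's own order passes the post-check

            runAs("admin", "ROLE_USER", "ROLE_ADMIN");
            System.out.println(orders.buy());                     // admin holds ROLE_ADMIN and is let through

            // No Authentication at all: what a call that never passed through the web filter chain looks like here.
            SecurityContextHolder.clearContext();
            expectRejected(orders::buy);                          // AuthenticationCredentialsNotFoundException
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

If the AssertionError fires for a bean in your own application, the bean is not being proxied: typical reasons are that it is not a Spring bean at all (for example a JSF-managed bean created by the JSF runtime rather than by Spring), that the global-method-security element lives in a different application context than the bean, or that the secured method is invoked from inside the same object rather than through the proxy.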