jump to navigation

Spring Method Security May 13, 2009

Posted by Phill in Spring.
trackback

Another quick post. I have been using Spring Security to secure methods in a desktop application. It was a bit tricky to configure because Spring Security is based on web applications, but actually it’s not much of a problem.

However, I kept getting AccessDeniedExceptions for authenticated users. It seems that all voters had abstained, which I found puzzling because the RoleVoter should have allowed the method call.

Anyway, it turns out that the RoleVoter has a built-in role prefix (“ROLE_”) which was causing problems, as ours have a different prefix.

In order to change this you will need to code the AccessDecisionManager yourself:


<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="decisionVoters">
	<list>
 <bean class="org.springframework.security.vote.RoleVoter">
<property name="rolePrefix" value="MY_PREFIX_" />
 </bean>
 </list>
 </property>
 </bean>

<security:global-method-security
 secured-annotations="enabled" access-decision-manager-ref="accessDecisionManager" />

Advertisements
%d bloggers like this: