I'm attempting to use Spring Security's @Secured method-level annotation in
my project. Everything works fine in a sample Spring-only project, but the
@Secured annotations appear to be ignored in my CXF project (I'm using
JAX-RS and @Path method-level annotations).

For now I'm using a form-based login; my authentication provider works
properly and users are assigned GrantedAuthority roles, but all users are
able to access my @Secured method/page regardless of their roles.

I've looked to Spring forums for help, but no luck so far. Does anything
look completely off-base?

------- cxf.xml -------
<jaxrs:server id="services" address="/">
    <jaxrs:serviceBeans>
        <ref bean="myBean"/>
    </jaxrs:serviceBeans>
</jaxrs:server>
<bean id="myBean" class="com.company.service.MyService"/>

------- applicationContext-security.xml -------
<global-method-security secured-annotations="enabled"
                        jsr250-annotations="enabled"/>
<http auto-config="true">
    <intercept-url pattern="/**" access="ROLE_USER"/>
</http>
<authentication-provider user-service-ref="myUserDetailsService"/>
<beans:bean id="myUserDetailsService"
            class="com.metova.service.web.auth.AuthenticationDetailsService"/>

------- MyService.java -------
public class MyService {

    @GET
    @Path( "/myService/{id}.xml" )
    @ProduceMime( "application/xml" )
    @Secured( "ROLE_ADMINISTRATOR" )
    public Object getMyObject( @PathParam( "id" ) String codeModuleName ) {
        // do stuff.
    }
}

Thank you for your time!
- Dave
--
View this message in context:
http://www.nabble.com/Spring-Security-annotations-in-CXF--tp20823712p20823712.html
Sent from the cxf-user mailing list archive at Nabble.com.