I'm using Spring Security with annotations. I have the following config enabled in my context:

    <sec:global-method-security pre-post-annotations="enabled"/>

As a result, all of my JAX-RS service interfaces annotated with PreAuthorize pass through Spring Security and all is well. However, I'm not able to get the PreAuthorize annotations on my sub-resources to fire. I suspect that this is because the sub-resources are created on the fly from their parent resource and thus do not get the benefit of Spring's security proxy.

CXF-2709 [1] described a very similar issue and is marked as closed but I don't see an example of how to get this to work. I followed the CustomJAXRSInvoker [2] example and effectively recreated portions of Spring Security in my own custom invoker. While this works, it doesn't seem like the right approach. It would be great if the spring-security example [3] was updated slightly to show a security annotation on a sub-resource.

My current workaround is as follows:

- comment out the global-method-security element because the JAXRS Invoker is going to be doing this work for resource and sub-resources
- configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the container
- have the invoker delegate to an instance of a PreInvocationAuthorizationAdviceVoter in pretty much the same way as is done in Spring Security.
- this custom invoker will be invoked for every resource *and* sub-resource.

Thanks in advance for any feedback. Seems like I'm missing something basic here.

[1] https://issues.apache.org/jira/browse/CXF-2709
[2] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
[3] http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
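
The workaround described in the post above, as an added example that is not the poster's code or code from the CXF project: a JAXRSInvoker subclass that evaluates @PreAuthorize before each root-resource and sub-resource method runs, and denies the call when no authentication is present. The class name PreAuthorizeJAXRSInvoker is hypothetical, and the sketch assumes Spring Security 3.1 or later with the legacy metadata-source classes still on the classpath; @PostAuthorize and @PostFilter are not covered.

```java
import java.lang.reflect.Method;
import java.util.Collection;

import org.apache.cxf.jaxrs.JAXRSInvoker;
import org.apache.cxf.message.Exchange;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory;
import org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice;
import org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter;
import org.springframework.security.access.prepost.PrePostAnnotationSecurityMetadataSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.SimpleMethodInvocation;

// Hypothetical class name; registered as the jaxrs:invoker of the endpoint.
public class PreAuthorizeJAXRSInvoker extends JAXRSInvoker {

    // Reads @PreAuthorize/@PreFilter from the method, its class and its interfaces.
    private final PrePostAnnotationSecurityMetadataSource metadata =
        new PrePostAnnotationSecurityMetadataSource(
            new ExpressionBasedAnnotationAttributeFactory(
                new DefaultMethodSecurityExpressionHandler()));

    // Same voter Spring Security uses for pre-invocation expression checks.
    private final PreInvocationAuthorizationAdviceVoter voter =
        new PreInvocationAuthorizationAdviceVoter(new ExpressionBasedPreInvocationAdvice());

    // Called for the root resource method and again for each sub-resource method.
    @Override
    protected Object performInvocation(Exchange exchange, Object serviceObject,
                                       Method m, Object[] params) throws Exception {
        Collection<ConfigAttribute> attrs = metadata.getAttributes(m, serviceObject.getClass());
        if (attrs != null && !attrs.isEmpty()) {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // Fail closed: an annotated method with no authentication is denied.
            if (auth == null || voter.vote(auth,
                    new SimpleMethodInvocation(serviceObject, m, params), attrs)
                    == AccessDecisionVoter.ACCESS_DENIED) {
                throw new AccessDeniedException("Access is denied");
            }
        }
        return super.performInvocation(exchange, serviceObject, m, params);
    }
}
```

Methods without a pre-invocation annotation are invoked unchecked here, which matches how global-method-security treats unannotated methods.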
