You're correct in that it'll work with the lookup-method or the ApplicationContextAware approach [1]. Neither of these two options is great. The ApplicationContextAware approach pollutes the source with Spring and the lookup-method has the air of dark magic to it. I realize the "proxification" is what's making the Transactional and PreAuthorize work, but changing my services to be abstract classes and specifying a method name in the Spring config to override is a little unnerving.

Do you think it's worth updating the existing Spring example in CXF to demonstrate the lookup-method? I'll get around to adding an issue and a patch for it if you agree.

[1] http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/#beans-factory-method-injection

On Mon, Mar 16, 2015 at 5:14 PM, Sergey Beryozkin <[email protected]> wrote:

> I vaguely recall you need to introduce a Spring lookup method property
> pointing to a subresource locator method for SpringSecurity to proxify it...
>
> Cheers, Sergey
>
> On 16/03/15 17:57, Mark Ford wrote:
>
>> I'm using Spring Security with annotations. I have the following config
>> enabled in my context:
>>
>> <sec:global-method-security pre-post-annotations="enabled"/>
>>
>> As a result, all of my JAX-RS service interfaces annotated with
>> PreAuthorize pass through Spring Security and all is well. However, I'm
>> not able to get the PreAuthorize annotations on my sub-resources to fire.
>> I suspect that this is because the sub-resources are created on the fly
>> from their parent resource and thus do not get the benefit of Spring's
>> security proxy.
>>
>> CXF-2709 [1] described a very similar issue and is marked as closed but I
>> don't see an example of how to get this to work. I followed the
>> CustomJAXRSInvoker [2] example and effectively recreated portions of
>> Spring Security in my own custom invoker. While this works, it doesn't
>> seem like the right approach. It would be great if the spring-security
>> example [3] was updated slightly to show a security annotation on a
>> sub-resource.
>>
>> My current workaround is as follows:
>> - comment out the global-method-security element because the JAXRS Invoker
>>   is going to be doing this work for resource and sub-resources
>> - configure a custom subclass of JAXRSInvoker as the jaxrs:invoker for the
>>   container
>> - have the invoker delegate to an instance of a
>>   PreInvocationAuthorizationAdviceVoter in pretty much the same way as is
>>   done in Spring Security.
>> - this custom invoker will be invoked for every resource *and*
>>   sub-resource.
>>
>> Thanks in advance for any feedback. Seems like I'm missing something basic
>> here.
>>
>> [1] https://issues.apache.org/jira/browse/CXF-2709
>> [2] http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>> [3] http://svn.apache.org/repos/asf/cxf/trunk/distribution/src/main/release/samples/jax_rs/spring_security/
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
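
The lookup-method arrangement discussed in this thread, as an added example that is not code from the thread or from the CXF samples. The class names, paths, role name and bean ids are hypothetical, and it assumes the default interface-based (JDK) proxies of `global-method-security`.

```java
// Added illustration; OrderResource, OrderItems, OrderItemsImpl, the paths and
// ROLE_ADMIN are hypothetical names, not taken from the thread or CXF samples.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import org.springframework.security.access.prepost.PreAuthorize;

// Sub-resource contract. The security annotation sits on the interface so the
// JDK dynamic proxy created by global-method-security can enforce it.
interface OrderItems {
    @GET
    @Produces("text/plain")
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    String list();
}

class OrderItemsImpl implements OrderItems {
    @Override
    public String list() {
        return "items";
    }
}

// Root resource. Returning "new OrderItemsImpl()" from the locator would hand
// CXF an unproxied object, so @PreAuthorize would never run. Leaving the
// locator abstract lets Spring generate its body and return the container's
// (proxied) bean instead. The return type is the interface, because a JDK
// proxy cannot be cast to OrderItemsImpl.
@Path("/orders")
abstract class OrderResource {
    @Path("/items")
    public abstract OrderItems items();
}

/* Matching Spring XML (bean ids are assumptions):

   <sec:global-method-security pre-post-annotations="enabled"/>

   <bean id="orderItems" class="OrderItemsImpl" scope="prototype"/>

   <bean id="orderResource" class="OrderResource">
     <lookup-method name="items" bean="orderItems"/>
   </bean>
*/
```

A request test that calls `/orders/items` without the role and expects a denial is the direct way to confirm the sub-resource is actually going through the security proxy.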
