Assume I have two methods
@Secured("ROLE_ADMIN")
@RequestMapping(value = "/methodA", method = RequestMethod.GET)
public void MethodA(){
// code
}
and another method which calls the first method
@RequestMapping(value = "/MethodB", method = RequestMethod.GET)
public void MethodB(){
MethodA();
//code
}
If I login to the application with an authority ROLE_USER and tries accessing the URL /methodA I get an access denied exception – perfect! but if i access URL /methodB I don’t get an access denied exception even though i am accessing MethodA there with a ROLE_USERauthority. Is it supposed to work like that or am i doing something wrong.
PS: This isn’t a real time application scenario, but I was just playing around with the code.
This is because spring security works by proxying your secured classes. This means that it puts a wrapper around your existing class. This can either be a java.lang.Proxy if using an interface based proxy, or it can be a cglib enhanced subclass. I don’t want to go too heavily into that here though.
But the bottom line is that when an External caller calls one of your methods this is what happens:
It’s the Security interceptor that inspects the annotations and determines what security to apply. However, once you’re in the actual implementation class, you’re just calling methods without the proxy and security interceptor being involved, and thus no security checks.
As such, you need to protect your each entry point with the @Secured annotation that’s appropriate for it, and whatever it calls internally.