Consider this code:
import java.util.Collections;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.userdetails.User;

public class SecureStuff {
    @PreAuthorize("#user.password == #oldPassword")
    public static void changePassword(User user, String oldPassword, String newPassword) {
        System.out.print("Changing passwords ...");
    }

    public static void main(String[] args) {
        User joe = new User("Joe", "HansWurst", true, true, true, true, Collections.EMPTY_LIST);
        changePassword(joe, "HansWurst", "TeeWurst");
    }
}
I ran the code in STS (SpringSource Tool Suite) and it worked as expected. (It printed "Changing passwords ...".)
Then I renamed the password to something else, expecting the method call to fail now.
I have already added the line <global-method-security pre-post-annotations="enabled"/> to my applicationContext-security.xml configuration file.
What am I missing here?
static methods
<global-method-security> element), and call the annotated method on the instance obtained from the context.
Basically, these annotations are based on Spring AOP support and inherit all limitations of a proxy-based AOP. For better understanding you can take a look at the Spring AOP documentation.
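The proxy limitation the answer describes can be reproduced with nothing but the JDK. This is an added example, not code from the question, the answer or Spring: it models the interceptor with a java.lang.reflect.Proxy, and ProxyGuardDemo, PasswordService and secured() are hypothetical names. The check only runs when the call goes through the proxy; the static call and the call on the instance created with new both skip it without any error.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class ProxyGuardDemo {
    public interface PasswordService {
        void changePassword(String stored, String oldPassword, String newPassword);
    }
    static class PasswordServiceImpl implements PasswordService {
        public void changePassword(String stored, String oldPassword, String newPassword) {
            System.out.println("  password changed");
        }
        // A static method belongs to the class, so no proxy instance can sit in front of it.
        static void changePasswordStatic(String stored, String oldPassword, String newPassword) {
            System.out.println("  password changed (no check ran)");
        }
    }
    // Hypothetical stand-in for the interceptor behind @PreAuthorize("#user.password == #oldPassword").
    static PasswordService secured(PasswordService target) {
        InvocationHandler guard = (proxy, method, args) -> {
            if (method.getName().equals("changePassword") && !args[0].equals(args[1])) {
                throw new SecurityException("Access is denied");
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();  // surface the target's own exception, not the reflection wrapper
            }
        };
        return (PasswordService) Proxy.newProxyInstance(
                PasswordService.class.getClassLoader(), new Class<?>[] {PasswordService.class}, guard);
    }

    public static void main(String[] args) {
        PasswordService raw = new PasswordServiceImpl();  // created with "new": unproxied
        PasswordService bean = secured(raw);              // like the instance obtained from the context

        System.out.println("static call, wrong old password:");
        PasswordServiceImpl.changePasswordStatic("HansWurst", "wrong", "TeeWurst");
        System.out.println("direct call on unproxied instance, wrong old password:");
        raw.changePassword("HansWurst", "wrong", "TeeWurst");
        System.out.println("call through proxy, wrong old password:");
        try {
            bean.changePassword("HansWurst", "wrong", "TeeWurst");
        } catch (SecurityException e) {
            System.out.println("  rejected: " + e.getMessage());
        }
    }
}
```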