I’m making a Spring MVC web app with some RESTful resources as an API.
I need the RESTful part to have some custom filters, as I do not want any redirection and I want any exception to be translated into the corresponding HTTP error code and a basic JSON description.
On the other hand, the rest of the website has to be more common and redirect people when they are not logged in, etc.
One more thing: I wish to use the @Secured annotations and a post-authentication in some cases.
How do I define multiple http namespaces correctly (on Spring 3.1)?
Here is my erroneous configuration:
```xml
<global-method-security secured-annotations="enabled" />

<http pattern="/rest/**" authentication-manager-ref="authenticationManager" entry-point-ref="restAuthenticationEntryPoint">
    <form-login login-page="/rest/login" login-processing-url="/rest/postlogin"
                authentication-success-handler-ref="restAuthenticationSuccessHandler"
                authentication-failure-handler-ref="restAuthenticationFailureHandler"
                username-parameter="username" password-parameter="password" />
    <logout logout-url="/rest/logout" invalidate-session="true" />
</http>

<http pattern="/**" authentication-manager-ref="authenticationManager">
    <form-login login-page="/login" login-processing-url="/postlogin"
                username-parameter="username" password-parameter="password" />
    <logout />
</http>
```
The funny part is that this configuration works partially: I can log in with /rest/login and I get the response from my custom success handler. I can also log in from /login and I get the proper redirection to /. Both logouts are working fine too.
Next, all the controller beans have @Secured(“ROLE_USER”) on the secured methods. But the secured methods never get secured. Why is that so?
```java
@Secured({"ROLE_USER"})
@RequestMapping(method = RequestMethod.GET, headers = { "Range" })
public @ResponseBody
HttpEntity<List<T>> list(@RequestHeader("Range") String range) {
    // ... (method body not included in the question)
}
```
I’ve read documentation everywhere and I’m more confused than ever.
- Why are my methods not being secured?
- Must the http namespace define an access so that the @Secured annotations work?
- Are the http namespaces overwriting my @Secured annotations? If so, how can I define multiple “login pages” with custom filters and still be able to use annotations?
Here are some facts:
* I’m using Spring and SpringSecurity 3.1
* I have a custom AuthenticationManager to retrieve user details from hibernate daos.
* Some controllers extend an abstract class where the @Secured annotations lie. But it still doesn’t work for a simple controller.
* My controllers are discovered with a context:component-scan and a base-package.
* The security works fine with one http namespace.
Please help, I’m getting mad with this!
Check out this answer about making sure the web context is visible to the `global-method-security` declaration and possibly using class proxying. To answer your other questions, no, the `http` namespace shouldn’t affect the use of `@Secured` annotations, other than that the user is authenticated by the web part of the application and that information will be used by the method security interceptor when making an access decision. Unless you override it (using `access-decision-manager-ref`), method security will use a standard `AccessDecisionManager` which grants or denies access based on the roles a user has.
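The fix the answer points at, shown as an added example that is neither the asker's nor the answerer's configuration: declare `<global-method-security>` in the DispatcherServlet's own context (the file that component-scans the controllers), because a declaration in the root context only post-processes root-context beans, so controllers created by the servlet context are never wrapped by the method security interceptor. It assumes the usual layout where the `<http>` elements and the authentication manager are loaded by `ContextLoaderListener` as the root context; the file name and base package are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical dispatcher-servlet.xml: the DispatcherServlet's own context,
     i.e. the one that component-scans the @Controller beans. The root context
     (loaded by ContextLoaderListener) keeps the <http> elements and the
     authentication-manager; this child context can still see those beans. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:mvc="http://www.springframework.org/schema/mvc"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
           http://www.springframework.org/schema/context
           http://www.springframework.org/schema/context/spring-context-3.1.xsd
           http://www.springframework.org/schema/mvc
           http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Controllers are discovered here (base package is an assumption). -->
    <context:component-scan base-package="com.example.web" />
    <mvc:annotation-driven />

    <!-- Method security has to live in the SAME context as the beans it should
         wrap. A <global-method-security> placed only in the root context never
         sees the controllers defined in this child context, which is exactly
         the "@Secured is ignored" symptom from the question.
         proxy-target-class="true" selects CGLIB subclass proxies, so a
         controller that implements no interface is still proxied and its
         class-level @RequestMapping stays visible to the handler mapping. -->
    <security:global-method-security secured-annotations="enabled"
                                     proxy-target-class="true" />
</beans>
```

To verify the wiring, request a `@Secured` handler as an anonymous user: with the interceptor in place the call fails with an `AccessDeniedException` (which your REST `entry-point-ref`/handlers can turn into a 401/403 JSON body) instead of silently executing the method.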