Home/ Questions/Q 8893911
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T23:21:57+00:00

I’m trying to secure one method invocation of my RESTful web service using Spring

  • 0

I’m trying to secure one method invocation of my RESTful web service using Spring Security via annotations. I’ve faced a strange behavior when placing @Secured annotation on my method prevent login form to be redirected to, instead I get 403 response immediately.

I’m placing below my configuration, may be you could explain to me what is wrong ?

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<global-method-security secured-annotations="enabled" />

<http auto-config="true">
    <http-basic/>
    <form-login/>

    <!-- With the following line login form is shown -->
    <!--<intercept-url pattern="/rest/secured/" access="ROLE_USER"/>-->

</http>

<authentication-manager alias="myAuthenticationManager">
    <authentication-provider>
        <user-service>
            <user name="user" password="user" authorities="ROLE_USER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>

</beans:beans>

This is my service interface:

@Produces({"application/xml"})
public interface KinoteatrService
{
    @GET
    @Path("/secured")
    @Secured("ROLE_USER")
    String testSecuredMethod();
}

And this is an implementation:

@Path("/")
public class KinoteatrServiceImpl implements KinoteatrService
{
    @Override
    public String testSecuredMethod() {
        return "<html><body>Success, timestamp: " + new Date() + "</body></html>";
    }
}

I’ve tried to investigate the cause and enabled DEBUG level of logging, this is what I’ve got… I’m not sure I read the log correctly but it seems it says that client is already registered as ANONYMOUS so it immediately throws 403 error code.

2012-11-12 15:00:56,545 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyInInterceptor@55d0f2b6
2012-11-12 15:00:56,545 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.transport.https.CertConstraintsInterceptor@78e9282b
2012-11-12 15:00:56,545 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor@6c29b061
2012-11-12 15:00:56,547 DEBUG [utils.JAXRSUtils] : Trying to select a resource class, request path : /secured/
2012-11-12 15:00:56,547 DEBUG [utils.JAXRSUtils] : Trying to select a resource operation on the resource class com.kinoteatr.ua.service.KinoteatrServiceImpl
...
...
2012-11-12 15:00:56,558 DEBUG [utils.JAXRSUtils] : Resource operation testSecuredMethod on the resource class com.kinoteatr.ua.service.KinoteatrServiceImpl has been selected
2012-11-12 15:00:56,559 DEBUG [interceptor.JAXRSInInterceptor] : Request path is: /secured/
2012-11-12 15:00:56,559 DEBUG [interceptor.JAXRSInInterceptor] : Request HTTP method is: GET
2012-11-12 15:00:56,559 DEBUG [interceptor.JAXRSInInterceptor] : Request contentType is: */*
2012-11-12 15:00:56,559 DEBUG [interceptor.JAXRSInInterceptor] : Accept contentType is: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
2012-11-12 15:00:56,559 DEBUG [interceptor.JAXRSInInterceptor] : Found operation: testSecuredMethod
2012-11-12 15:00:56,559 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.OneWayProcessorInterceptor@2221deec
2012-11-12 15:00:56,559 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.ServiceInvokerInterceptor@8eeb6be
2012-11-12 15:00:56,561 DEBUG [aopalliance.MethodSecurityInterceptor] : Secure object: ReflectiveMethodInvocation: public java.lang.String com.kinoteatr.ua.service.KinoteatrServiceImpl.testSecuredMethod(); target is of class [com.kinoteatr.ua.service.KinoteatrServiceImpl]; Attributes: [ROLE_USER]
2012-11-12 15:00:56,561 DEBUG [aopalliance.MethodSecurityInterceptor] : Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
2012-11-12 15:00:56,562 DEBUG [vote.AffirmativeBased] : Voter: org.springframework.security.access.vote.RoleVoter@13961789, returned: -1
2012-11-12 15:00:56,562 DEBUG [vote.AffirmativeBased] : Voter: org.springframework.security.access.vote.AuthenticatedVoter@62e32d6a, returned: 0
2012-11-12 15:00:56,563 DEBUG [support.DefaultListableBeanFactory] : Returning cached instance of singleton bean 'cxf'
2012-11-12 15:00:56,566 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.OutgoingChainInterceptor@701f7886
2012-11-12 15:00:56,566 DEBUG [interceptor.OutgoingChainInterceptor] : Interceptors contributed by bus: [org.apache.cxf.interceptor.LoggingOutInterceptor@315b222e, org.apache.cxf.ws.policy.PolicyOutInterceptor@56211352]
2012-11-12 15:00:56,566 DEBUG [interceptor.OutgoingChainInterceptor] : Interceptors contributed by service: []
2012-11-12 15:00:56,566 DEBUG [interceptor.OutgoingChainInterceptor] : Interceptors contributed by endpoint: [org.apache.cxf.interceptor.MessageSenderInterceptor@65640d91, org.apache.cxf.transport.common.gzip.GZIPOutInterceptor@bb6de98]
2012-11-12 15:00:56,566 DEBUG [interceptor.OutgoingChainInterceptor] : Interceptors contributed by binding: [org.apache.cxf.jaxrs.interceptor.JAXRSOutInterceptor@12cfd32a]
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Chain org.apache.cxf.phase.PhaseInterceptorChain@a4553e4 was created. Current flow:
    setup [PolicyOutInterceptor]
    prepare-send [MessageSenderInterceptor, GZIPOutInterceptor]
    pre-stream [LoggingOutInterceptor]
    marshal [JAXRSOutInterceptor]

2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyOutInterceptor@56211352
2012-11-12 15:00:56,567 DEBUG [policy.PolicyOutInterceptor] : No binding operation info.
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor@65640d91
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Adding interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@43300672 to phase prepare-send-ending
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Chain org.apache.cxf.phase.PhaseInterceptorChain@a4553e4 was modified. Current flow:
   setup [PolicyOutInterceptor]
   prepare-send [MessageSenderInterceptor, GZIPOutInterceptor]
   pre-stream [LoggingOutInterceptor]
   marshal [JAXRSOutInterceptor]
   prepare-send-ending [MessageSenderEndingInterceptor]

2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.transport.common.gzip.GZIPOutInterceptor@bb6de98
2012-11-12 15:00:56,567 DEBUG [gzip.GZIPOutInterceptor] : Response role, checking accept-encoding
2012-11-12 15:00:56,567 DEBUG [gzip.GZIPOutInterceptor] : Accept-Encoding header: [gzip,deflate,sdch]
2012-11-12 15:00:56,567 DEBUG [gzip.GZIPOutInterceptor] : gzip permitted: YES
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.LoggingOutInterceptor@315b222e
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.jaxrs.interceptor.JAXRSOutInterceptor@12cfd32a
2012-11-12 15:00:56,567 DEBUG [phase.PhaseInterceptorChain] : Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor MessageSenderEndingInterceptor@43300672
2012-11-12 15:00:56,567 INFO  [interceptor.LoggingOutInterceptor] : Outbound Message
---------------------------
ID: 2
Response-Code: 403
Content-Type: text/xml
Headers: {Date=[Mon, 12 Nov 2012 13:00:56 GMT], Content-Length=[0]}
--------------------------------------
2012-11-12 15:00:56,567 DEBUG [gzip.GZIPOutInterceptor] : Message is smaller than compression threshold, not compressing.
2012-11-12 15:00:56,567 DEBUG [context.HttpSessionSecurityContextRepository] : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2012-11-12 15:00:56,567 DEBUG [servlet.ServletController] : Finished servicing http request on thread: Thread[http-bio-8080-exec-64,5,main]
2012-11-12 15:00:56,567 DEBUG [access.ExceptionTranslationFilter] : Chain processed normally
2012-11-12 15:00:56,567 DEBUG [context.SecurityContextPersistenceFilter] : SecurityContextHolder now cleared, as request processing completed
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Login page is shown only for secured urls but not for secured methods

    Secured method is an additional layer for securing your application and it requires the user to be already authenticated. Therefore you have to use intersept-url … to display login page.

    P.S. Just in case. As described in Spring Security documentation:

    The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.

    • 0