Home/ Questions/Q 9134841
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T08:44:04+00:00

I’m using Spring security 3.2.0 with the same version of the Spring framework. Spring

  • 0

I’m using Spring security 3.2.0 with the same version of the Spring framework. Spring security works well in my project. In order to protect methods in my DAO classes (and others), I want to use the following pointcut approach (in the spring-security.xml file).

<global-method-security>
    <protect-pointcut expression="execution(*controller.*.*(..))" access="ROLE_ADMIN"/>
</global-method-security>

I expect the pointcut expression as specified to protect all the methods in all classes inside the controller package and to be accessed only by the users who have the authority ROLE_ADMIN as specified.

But when I try to use this expression, the process terminates with following exception on saving my spring-security.xml file.

PropertyAccessException 1:
org.springframework.beans.MethodInvocationException: Property
‘pointcutMap’ threw exception; nested exception is
java.lang.IllegalArgumentException: Pointcut is not well-formed:
expecting ‘name pattern’ at character position 26
execution(controller..*(..))
^

I’m trying to follow the approach as specified by the reference document in the Adding Security Pointcuts using protect-pointcut sub-section of the 3.4.1 The <global-method-security> Element section.

What is correct expression syntax in this scenario?

EDIT:

Adding Security Pointcuts using protect-pointcut

The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with only a simple declaration. Consider the following example:

<global-method-security>
    <protect-pointcut expression="execution(* com.mycompany.*Service.*(..))" access="ROLE_USER"/>
</global-method-security>

This will protect all methods on beans declared in the application context whose classes are in the com.mycompany package and whose class names end in “Service”. Only users with the ROLE_USER role will be able to invoke these methods. As with URL matching, the most specific matches must come first in the list of pointcuts, as the first matching expression will be used. Security annotations take precedence over pointcuts.

Copy & pasted the section explained in the reference document (as someone may find it to be tedious to scroll the document).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Try with this expression : 

    <protect-pointcut expression="execution(* your.package.controller.*.*(..))" access="ROLE_ADMIN"/>
    • 0