Spring 3 @Secured

I wanted to use the security annotation for my controllers and needed to do some searching to figure out how to get it to work.

Our application has a lot of legacy Spring 2.0 code so sometimes I am not sure how it will workout to mix the different ways to do things.

In my experimentation I was able to add security with the good old way:

<http auto-config="true">
    <intercept-url pattern="/something/protected**" access="ROLE_ADMIN">
    <... more config...>

As much as this was working I wanted the new annotation way in my controller code more than this xml configuration.

After reading a few articles I understood that I needed to add this line:

<global-method-security secured-annotations="enabled"/>

But it only works if it is within the same file where I have my other annotation scanning done for the application:

<!– @MVC –>
<context:component-scan base-package=”com.cinq.test”/>

I have a separate file for my security configuration but if I inserted the global-method-security configuration in there Spring would not apply my security annotation. A couple of answers on Stack Overflow mentioned that it needed to be in the same configuration file as the component-scan to work and as soon as I did this modification it started to work. So my main servlet xml configuration looks something like:

<?xml version=”1.0″ encoding=”UTF-8″?>
<beans xmlns=”http://www.springframework.org/schema/beans&#8221;
default-autowire=”byName” default-init-method=”init”>

<!– @MVC –>
<context:component-scan base-package=”com.cinq.test”/>
<context:component-scan base-package=”com.cinq.something”/>
<!– Security Annotation –>
<sec:global-method-security secured-annotations=”enabled”/>

My controller can now use this type of code:

public class SomethingController {
    private ModelObject modelObject;
    public String transferForm(Model model){
        // We need the list of sites
        ArrayList<String> sites = new ArrayList<String>();
        for ( ModelObject oneofthem : modelObjectDao.findAll()) {
        model.addAttribute("sites", sites);
       return "/WEB-INF/views/Transfer/form.jsp";
    @RequestMapping(value="/confirmation", method=RequestMethod.POST)
    public String confirmation(@RequestParam("site") String site, @RequestParam("date") String date, @RequestParam("requester") String requester) {

        return "/WEB-INF/views/schemaTransfer/confirmation.jsp";

The URL calls will return a 403 if your credentials don’t have the ROLE_TRANSFER as an assigned role.

I like this simple way of annotating the behavior you want from your controller. Less file to maintain makes it easier for me to understand what behavior to expect from the code.

Published by


Java developper that loves photography and an excellent espresso

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s