PreAuthorize not working on Controller

Question

I'm trying to define access rules at method-level but it's not working what so ever.

SecurityConfiguration

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().
                withUser("user").password("user").roles("USER").and().
                withUser("admin").password("admin").roles("ADMIN");
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                .antMatchers("/v2/**").authenticated()
                .and()
                .httpBasic()
                .realmName("Secure api")
                .and()
                .csrf()
                .disable();
    }
}

ExampleController

@EnableAutoConfiguration
@RestController
@RequestMapping({"/v2/"})
public class ExampleController {
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    @RequestMapping(value = "/home", method = RequestMethod.GET)
    String home() {
        return "Hello World";
    }
}

Whenever I try to access /v2/home using user:user it executes just fine, shouldn't it give me an Access Denied error due to 'user' not having ROLE_ADMIN?

I'm actually thinking of ditching access rules at method-level and stick to http() ant rules, but I have to know why it's not working for me.

score 79 · Answer 1 · edited Apr 09 '18 at 17:29

79

You have to add @EnableGlobalMethodSecurity(prePostEnabled = true) in your WebSecurityConfig.

You can find it here: http://www.baeldung.com/spring-security-expressions-basic

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

edited Apr 09 '18 at 17:29

rollstuhlfahrer

3,888
9
23
37

answered Feb 15 '18 at 14:22

Eric Zürcher

809
1
6
3

4

Also per previous commenter if putting pre/post on a controller method that does not implement an interface also add annotation property `proxyTargetClass = true` to `EnableGlobalMethodSecurity` – GameSalutes Jul 17 '18 at 03:24
1

Does not work for me unfortunately (see https://stackoverflow.com/questions/53125388/preauthorize-not-working-with-prepostenabled-true). – Stefan Falk Nov 02 '18 at 20:31

score 38 · Accepted Answer · answered Sep 07 '15 at 17:32

38

A common problem with using PrePost annotations on controllers is that Spring method security is based on Spring AOP, which is by default implemented with JDK proxies.

That means that it works fine on the service layer which is injected in controller layer as interfaces, but it is ignored on controller layer because controller generally do not implement interfaces.

The following is just my opinion:

prefered way: move the pre post annotation on service layer
if you cannot (or do not want to), try to have your controller implement an interface containing all the annotated methods
as a last way, use proxy-target-class=true

answered Sep 07 '15 at 17:32

Serge Ballesta

136,215
10
111
230

4

Thanks for the answer. I've tried using the annotation on a `CrudRepository` interface and it worked fine. Having an interface to each controller is kinda silly in my opinion as an interface isn't really necessary. `proxy-target-class=true` didn't make a difference, the annotations still doesn't work on controllers, however it caused a crash (while set to true) when having the annotation inside the repository interface (Cannot subclass com.sun.proxy). Anyway I think I'm going to stick to rules in the security config, and maybe use PreAuth on some of my repositories. – prettyvoid Sep 08 '15 at 07:45
2

One other thing that I noticed, I've seen examples where the @PreAuthorize was used in a `class` instead of an `interface` and it's supposed to be working.. I wonder why it works for them but not for me. – prettyvoid Sep 08 '15 at 09:29
1

Enable Aop in application context – Mradul Pandey Jun 02 '16 at 14:11
Adding the interface fixed it for me, but another project doesn't have interfaces, and the controller methods are protected. There must be some other configuration that they're using that I'm not. – Kieveli Jun 02 '16 at 17:29
I am facing the same issue but opposite. @PreAuthorize works normal on controller layer but not on service layer. Do you know why? – An Nguyen Jul 14 '16 at 14:54
1

I had weird problems using @PreAuthorize on Controller: some applications works well and some applications don't. – Dherik Jan 26 '18 at 14:58
2

has this been changed by now? Because the prePost annotations work absolutely fine on my controllers without implementing any interface or allowing target class proxying – Wecherowski Aug 29 '20 at 15:20

score 17 · Answer 3 · answered Jul 15 '19 at 17:00

17

put @EnableGlobalMethodSecurity(prePostEnabled = true) into MvcConfig class (extends WebMvcConfigurerAdapter) instead of (extends WebSecurityConfigurerAdapter).

Like below example:-

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MvcConfiguration extends WebMvcConfigurerAdapter {

answered Jul 15 '19 at 17:00

stanicmail

723
6
18

it worked for me, but can't image why – Stanislau Listratsenka Jun 01 '22 at 15:28

score 14 · Answer 4 · answered Mar 02 '16 at 23:03

14

I had a similar problem and the following solved it:

1) I had to make my method public (i.e. make your method home() public)

2) I have to use hasRole instead of hasAuthority

answered Mar 02 '16 at 23:03

Horowitzathome

319
3
11

I had the same issue and making the methods public solved it! – Rudolf Schmidt May 02 '16 at 10:06
1

making the controller methods public solved it for me. – Piyush Dec 04 '17 at 19:58
Changing the method from private to public worked for me. – AreUMinee Oct 10 '20 at 18:49

score 7 · Answer 5 · answered Aug 31 '17 at 11:16

7

There are two different ways to use this, one is to prefix and one is not. And you maybe change @PreAuthorize("hasAuthority('ROLE_ADMIN')") to @PreAuthorize("hasAuthority('ADMIN')") will be ok.

next is @PreAuthorize source code.

private String defaultRolePrefix = "ROLE_";
public final boolean hasAuthority(String authority) {
    return hasAnyAuthority(authority);
}

public final boolean hasAnyAuthority(String... authorities) {
    return hasAnyAuthorityName(null, authorities);
}

public final boolean hasRole(String role) {
    return hasAnyRole(role);
}

public final boolean hasAnyRole(String... roles) {
    return hasAnyAuthorityName(defaultRolePrefix, roles);
}

answered Aug 31 '17 at 11:16

beautifulcode

344
3
5

and this source should be added where and how does my controller access it ? – valik Jan 08 '18 at 04:36
The problem of the ExampleController, only changed ROLE_ADMIN to ADMIN – beautifulcode Nov 27 '18 at 02:41
I tried as you suggested it works fine, but what is the correct way of implementing `hasRole` clause like `@PreAuthorize("hasRole('ADMIN')")` – Arshad Ali Mar 15 '20 at 05:57

score 3 · Answer 6 · answered Jul 14 '17 at 12:52

3

For making it working on controller layer. I had to put @EnableAspectJAutoProxy on my configuration class. Example :

@Configuration
@EnableWebMvc
@EnableAspectJAutoProxy
@ComponentScan(basePackages = { "com.abc.fraud.ts.userservices.web.controller" })
public class WebConfig extends WebMvcConfigurerAdapter{

}

answered Jul 14 '17 at 12:52

kripal kashyav

31
2

1

mine worked without this @EnableAspectJAutoProxy I just used @PreAuthorize("hasAuthority('ADMIN')") – valik Jan 08 '18 at 04:46
1

why is that? @kripal kashyav – valik Jan 08 '18 at 04:46

score 3 · Answer 7 · edited Dec 28 '20 at 17:48

3

My Controller`s methods were private they need to be public.

edited Dec 28 '20 at 17:48

Sabito 錆兎 stands with Ukraine

3,250
7
26
49

answered Oct 28 '19 at 16:15

Georgi Peev

642
1
11
19

i 'm trying this for past one month , everything is correct , expect this public one ..hell of a learning. Finally found the problem. thanks @georgi Peev – anavaras lamurep Jun 24 '21 at 21:31

score 3 · Answer 8 · answered Jun 14 '21 at 02:40

I was facing the same issue while trying to authorize AD Group of user these steps worked for me

@EnableGlobalMethodSecurity(prePostEnabled = true) on class which is annotated with @EnableWebSecurity
Created custom(GroupUserDetails) UserDetails which will have userName and authorities and return the instance of GroupUserDetails from custome UserDetailsService
Annotate controller method with @PreAuthorize("hasAuthority('Group-Name')")

score 1 · Answer 9 · answered Jun 26 '18 at 16:44

1

If you have a xml context file for your security beans and a separate one for your web/servlet context, than you als need to add:

<security:global-method-security pre-post-annotations="enabled"/>

to your web-context.xml / servlet context. Its not enough to just add it in the security context xml.

Its not inherited in child contexts.

HTH

answered Jun 26 '18 at 16:44

Chris

14,919
18
71
74

OP did it already using `@EnableGlobalMethodSecurity(prePostEnabled = true)` – Krzysztof Skrzynecki Aug 12 '19 at 14:48

score 1 · Answer 10 · answered Dec 28 '20 at 17:46

1

your request method is protected by default. So they can scan it. Set it public!!!

answered Dec 28 '20 at 17:46

Vo Nhu Khang

21
2

score 1 · Answer 11 · answered Aug 19 '21 at 02:46

1

I change the controller menthod from private to public .it's work .you can try it .

answered Aug 19 '21 at 02:46

Ants-double

21
3

PreAuthorize not working on Controller

11 Answers11

Linked