ObjectHunter
Hunting and gathering in the JEE landscape

I am Frank, a freelance Java developer specialized in backend development from south western germany.

Spring-MVC, the @Secured Annotation and dynamic proxying

posted by fas on 2010-03-26 . Tagged as spring, spring-security, programming, java, jee

When I recently tried to have a annotated web service authorize against spring-security using @Secured annotations I ran into some trouble. Let's consider this class:

@Controller
public class TestController{
    @Secured("ROLE_ADMIN")
    @RequestMapping(value="/test",method=RequestMethod.GET)
    public String getView(){
        return "viewname";
    }
}


this will actually work fine with spring-security and the framework will authorize against the defined user service.

But what happens when we let TestController implement InitializingBean?

@Controller
public class TestController implements InitializingBean{
    @Secured("ROLE_ADMIN")
    @RequestMapping(value="/test",method=RequestMethod.GET)
    public String getView(){
        return "viewname";
    }
    
    private void afterPropertiesSet(){
        ... some implementaion
    }
}


There seems to arise a problem with JDK dynamic proxying which seems to be unable to cope with having a secured controller implement InitializingBean. This problem manifested itself through this rather unhelpful error message:

"No mapping found for HTTP request with URI [/test] in DispatcherServlet with name 'test'"


Well what to do? I chose the pragmatic way and didn't implement Initializingbean. But you could rather use @PostConstruct-Annotation from JSR-250 to check your beans after they have been created by the framework or use CGLIB proxying.

Tags: spring, spring-security, programming, java, jee