Disable Spring AOP MethodSecurityInterceptor when using AspectJ CTW -
i have project uses spring security , making of aspectj compile time weaving (ctw) weave in spring-security-aspects
. allows me use annotations such @preauthorize
in non-spring managed classes (which works fine) i'm having problems spring managed classes now.
i have controller (annotated @controller
) method:
@requestmapping("/test") @preauthorize("hasrole('user')") public string test() { return "test"; }
this seem work fine except spring still seems proxying controller bean , hitting methodsecurityinterceptor
. means hasrole()
method gets hit twice, once proxy , second time aspectj woven code.
i using @enableautoconfiguration
, have global method security enabled @enableglobalmethodsecurity(prepostenabled = true, mode = advicemode.aspectj)
. suspect in configuration messing things up, bit more knowledge of spring security or spring aop know might going on here?
the controller has been woven aspectj code it's visible in (decompiled) class file:
joinpoint var5 = factory.makejp(ajc$tjp_2, this, this, test, model); annotationsecurityaspect var10000 = annotationsecurityaspect.aspectof(); object[] var6 = new object[]{this, search, model, var5}; return (string)var10000.ajc$around$org_springframework_security_access_intercept_aspectj_aspect_annotationsecurityaspect$1$c4d57a2b(new testcontroller$ajcclosure5(var6), var5);
this partial stack trace may explain what's going on, when methodsecurityinterceptor has done it's work , calls mi.proceed()
hit aspectj code weaved in method body.
at org.springframework.security.access.intercept.aopalliance.methodsecurityinterceptor.invoke(methodsecurityinterceptor.java:64) @ org.springframework.aop.framework.reflectivemethodinvocation.proceed(reflectivemethodinvocation.java:179) @ org.springframework.aop.framework.cglibaopproxy$dynamicadvisedinterceptor.intercept(cglibaopproxy.java:653) @ com.example.controller.testcontroller$$enhancerbyspringcglib$$3e3715a5.test(<generated>:-1) @ sun.reflect.nativemethodaccessorimpl.invoke0(nativemethodaccessorimpl.java:-1) @ sun.reflect.nativemethodaccessorimpl.invoke(nativemethodaccessorimpl.java:62) @ sun.reflect.delegatingmethodaccessorimpl.invoke(delegatingmethodaccessorimpl.java:43) @ java.lang.reflect.method.invoke(method.java:483) @ org.springframework.web.method.support.invocablehandlermethod.doinvoke(invocablehandlermethod.java:221) @ org.springframework.web.method.support.invocablehandlermethod.invokeforrequest(invocablehandlermethod.java:137) @ org.springframework.web.servlet.mvc.method.annotation.servletinvocablehandlermethod.invokeandhandle(servletinvocablehandlermethod.java:111) @ org.springframework.web.servlet.mvc.method.annotation.requestmappinghandleradapter.invokehandlemethod(requestmappinghandleradapter.java:799) @ org.springframework.web.servlet.mvc.method.annotation.requestmappinghandleradapter.handleinternal(requestmappinghandleradapter.java:728) @ org.springframework.web.servlet.mvc.method.abstracthandlermethodadapter.handle(abstracthandlermethodadapter.java:85) @ org.springframework.web.servlet.dispatcherservlet.dodispatch(dispatcherservlet.java:959) @ org.springframework.web.servlet.dispatcherservlet.doservice(dispatcherservlet.java:893) @ org.springframework.web.servlet.frameworkservlet.processrequest(frameworkservlet.java:969) @ org.springframework.web.servlet.frameworkservlet.doget(frameworkservlet.java:860) @ javax.servlet.http.httpservlet.service(httpservlet.java:622) @ org.springframework.web.servlet.frameworkservlet.service(frameworkservlet.java:845) @ javax.servlet.http.httpservlet.service(httpservlet.java:729) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:291) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.apache.tomcat.websocket.server.wsfilter.dofilter(wsfilter.java:52) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.web.servlet.resource.resourceurlencodingfilter.dofilterinternal(resourceurlencodingfilter.java:51) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.boot.actuate.autoconfigure.endpointwebmvcautoconfiguration$applicationcontextheaderfilter.dofilterinternal(endpointwebmvcautoconfiguration.java:233) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.boot.actuate.trace.webrequesttracefilter.dofilterinternal(webrequesttracefilter.java:102) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:316) @ org.springframework.security.web.access.intercept.filtersecurityinterceptor.invoke(filtersecurityinterceptor.java:126) @ org.springframework.security.web.access.intercept.filtersecurityinterceptor.dofilter(filtersecurityinterceptor.java:90) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.access.exceptiontranslationfilter.dofilter(exceptiontranslationfilter.java:114) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.session.sessionmanagementfilter.dofilter(sessionmanagementfilter.java:122) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.authentication.anonymousauthenticationfilter.dofilter(anonymousauthenticationfilter.java:111) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.servletapi.securitycontextholderawarerequestfilter.dofilter(securitycontextholderawarerequestfilter.java:168) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.savedrequest.requestcacheawarefilter.dofilter(requestcacheawarefilter.java:48) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.authentication.www.basicauthenticationfilter.dofilterinternal(basicauthenticationfilter.java:213) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.authentication.logout.logoutfilter.dofilter(logoutfilter.java:120) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.header.headerwriterfilter.dofilterinternal(headerwriterfilter.java:64) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.context.securitycontextpersistencefilter.dofilter(securitycontextpersistencefilter.java:91) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.context.request.async.webasyncmanagerintegrationfilter.dofilterinternal(webasyncmanagerintegrationfilter.java:53) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.springframework.security.web.filterchainproxy$virtualfilterchain.dofilter(filterchainproxy.java:330) @ org.springframework.security.web.filterchainproxy.dofilterinternal(filterchainproxy.java:213) @ org.springframework.security.web.filterchainproxy.dofilter(filterchainproxy.java:176) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.web.filter.hiddenhttpmethodfilter.dofilterinternal(hiddenhttpmethodfilter.java:77) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.web.filter.characterencodingfilter.dofilterinternal(characterencodingfilter.java:85) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.springframework.boot.actuate.autoconfigure.metricsfilter.dofilterinternal(metricsfilter.java:68) @ org.springframework.web.filter.onceperrequestfilter.dofilter(onceperrequestfilter.java:107) @ org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:239) @ org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:206) @ org.apache.catalina.core.standardwrappervalve.invoke(standardwrappervalve.java:219) @ org.apache.catalina.core.standardcontextvalve.invoke(standardcontextvalve.java:106) @ org.apache.catalina.authenticator.authenticatorbase.invoke(authenticatorbase.java:502) @ org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:142) @ org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:79) @ org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:88) @ org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:518) @ org.apache.coyote.http11.abstracthttp11processor.process(abstracthttp11processor.java:1091) @ org.apache.coyote.abstractprotocol$abstractconnectionhandler.process(abstractprotocol.java:668) @ org.apache.tomcat.util.net.nioendpoint$socketprocessor.dorun(nioendpoint.java:1521) @ org.apache.tomcat.util.net.nioendpoint$socketprocessor.run(nioendpoint.java:1478) - locked <0x1e9e> (a org.apache.tomcat.util.net.niochannel) @ java.util.concurrent.threadpoolexecutor.runworker(threadpoolexecutor.java:1142) @ java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:617) @ org.apache.tomcat.util.threads.taskthread$wrappingrunnable.run(taskthread.java:61) @ java.lang.thread.run(thread.java:745)
there issue not honoring aspectj configuration when using namespace of java based configuration. has been resolved current (4.0.2) version of spring security.
see sec-3045 more information.
Comments
Post a Comment