
mgr32/spring-security-method-security-issue


This project shows the breaking change for handling @RolesAllowed annotation between the legacy method security implementation (@EnableGlobalMethodSecurity) and the new one (@EnableMethodSecurity).

It has two endpoints (SecuredController) protected with basic authentication (username guest, password guest):

  • GET /rolesAllowed_GUEST - protected with @RolesAllowed("GUEST"),
  • GET /rolesAllowed_ROLE_GUEST - protected with @RolesAllowed("ROLE_GUEST").

There are two Spring profiles available:

  • legacyMethodSecurity - using @EnableGlobalMethodSecurity(jsr250Enabled = true),
  • newMethodSecurity - using @EnableMethodSecurity(jsr250Enabled = true).

Two test classes send basic auth requests to both endpoints:

  • LegacyMethodSecurityTest - activates profile legacyMethodSecurity; passes for both endpoints,
  • NewMethodSecurityTest - activates profile newMethodSecurity; passes for /rolesAllowed_GUEST, but fails for /rolesAllowed_ROLE_GUEST.

To run the tests from the command line (4 tests passing, 1 failing - NewMethodSecurityTest>AbstractMethodSecurityTest.rolesAllowed_ROLE_GUEST):

./mvnw test
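
The result the two test classes report can be modelled without Spring, which also gives a quick way to find annotations that will change behaviour on migration. This is an added example, not code from this repository: the class and helper names are hypothetical, and it assumes that the legacy implementation adds the ROLE_ prefix only when the value lacks it, that the new one always prepends it, and that user guest holds the authority ROLE_GUEST.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RolesAllowedPrefixCheck {
    static final String PREFIX = "ROLE_"; // Spring Security's default role prefix

    // Assumed legacy behaviour: prefix added only when the value lacks it.
    static String legacyAuthority(String role) {
        return role.startsWith(PREFIX) ? role : PREFIX + role;
    }

    // Assumed new behaviour: prefix always prepended.
    static String newAuthority(String role) {
        return PREFIX + role;
    }

    // Extracts every role from @RolesAllowed("A") and @RolesAllowed({"A", "B"}).
    static List<String> rolesIn(String source) {
        List<String> roles = new ArrayList<>();
        Matcher ann = Pattern.compile("@RolesAllowed\\s*\\(([^)]*)\\)").matcher(source);
        while (ann.find()) {
            Matcher lit = Pattern.compile("\"([^\"]*)\"").matcher(ann.group(1));
            while (lit.find()) {
                roles.add(lit.group(1));
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the two endpoints described above.
        String source =
            "@RolesAllowed(\"GUEST\") @GetMapping(\"/rolesAllowed_GUEST\")\n"
          + "@RolesAllowed(\"ROLE_GUEST\") @GetMapping(\"/rolesAllowed_ROLE_GUEST\")\n";
        String granted = "ROLE_GUEST"; // assumed authority of user guest
        for (String role : rolesIn(source)) {
            boolean legacyOk = legacyAuthority(role).equals(granted);
            boolean newOk = newAuthority(role).equals(granted);
            System.out.printf("%-12s legacy=%-5b new=%-5b%s%n", role, legacyOk, newOk,
                legacyOk != newOk ? "  <- changes on migration" : "");
        }
    }
}
```

Under these assumptions only the ROLE_GUEST value is flagged: it is allowed under the legacy model and denied under the new one, matching the single failing test.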
