PreAuthorize annotation doesn't work with jersey

Question

I'm trying to secure a jersey service using spring security annotations without any luck.

I've added this section to web.xml:

<servlet>
    <servlet-name>Jersey REST Service</servlet-name>
    <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
    <init-param>
        <param-name>jersey.config.server.provider.packages</param-name>
        <param-value>com.test.proj.ui.web.rest;com.fasterxml.jackson.jaxrs</param-value>
    </init-param>
    <init-param>
        <param-name>javax.ws.rs.Application</param-name>
        <param-value>com.test.commons.ui.web.jersey.RestApplication</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

Also enabled the pre-post-annotations using this on applicationContext:

<global-method-security secured-annotations="enabled" pre-post-annotations="enabled" />

And this is my service class:

@Component
@Path("/user/{uid: .*}")
public class UserResource {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @PreAuthorize("hasRole('ROLE_MANAGE_USER')")
    public Response getUserDetail(@PathParam("uid") String uid) {
        return "Hi, this is a test";
    }
}

Spring security works well in authentication but the authorization doesn't work as expected and ignores the PreAuthorize annotation without any error or log.

I'm using Spring 3.2.4 and Spring Security 3.2.1 and Jersy 2.6.

any idea?

thanks

Answer 1

The spring component scan wasn't configured correctly! To solve the problem, only add component scan correctly and it works.

Answer 2

We were facing exactly the same problem. On the business layer @PreAuthorize annotation worked but on the REST resource didn't. The side effect of this situation was that Spring bean injection didn't work as well. Everything without any error.

The 100% working solution was to use RESTEasy instead of Jersey. They are quite similar so it was not much work.