@Secured annotations not working in AspectJ Mode with Autoproxy

Question

I\'m trying to get my Spring MVC app to play nice with Spring @Secured annotations and AspectJ auto-proxying but it doesn\'t seem to be proxying or recognising my @Secured a

Answer 1

To expand a bit on @axtavt's answer, the mode="aspectj" option in global-method-security specifically requires that your code has been woven with the AnnotationSecurityAspect from the spring-security-aspects module.

There's some sample code which demonstrates it in use. It just consists of a secured bean and some Junit test, but the code is compiled with the AspectJ compiler. The application context also shows how simple it is compared with what was required before namespace support was added (the commented out beans).

Answer 2

When using AOP with Spring you can choose between two implementations of AOP:

• Spring AOP implementation doesn't require weaving, but it's only applicable to beans managed by Spring and have some limitations

• AspectJ AOP implementation can work for all objects and doesn't have limitations of Spring AOP, but requires compile-time or load-time weaving

mode="aspectj" tells Spring to use AspectJ for AOP implementation, therefore security aspect won't work without weaving in your case.

The term "AspectJ auto-proxying" has nothing to do with using AspectJ as AOP implementation - it's a feature that allows you to use AspectJ API (rather than implementation) with Spring AOP.

So, in your case you can use Spring AOP implementation, because controller is a Spring bean, therefore you should remove mode="aspectj". Also note that your controller should have no-arguments constructor - it's one of the limitations of Spring AOP.