Open spring-projects-issues opened 13 years ago
Torben Knerr said:
Also, the JSR 250 specification does not mention whether the @RolesAllowed, @PermitAll and @DenyAll annotations are limited to public methods and types, or whether they apply to private / protected / package-protected methods and types as well.
Do you have an answer to that?
Clemens Fuchslocher said:
Please add AspectJ support for JSR-250-based annotations.
Eric Sachse said:
Any update on this?
Torben Knerr (Migrated from SEC-1671) said:
With spring-security-aspects 3.0.5.RELEASE, the AnnotationSecurityAspect only defines pointcuts for @Secured, @PreAuthorize, @PostAuthorize, etc., but support for the JSR 250 annotations (@RolesAllowed etc.) is missing. As a result, you cannot transparently switch between Spring AOP and AspectJ (mode="aspectj") when using JSR 250 annotations.
Attached is a preliminary implementation of Jsr250AnnotationSecurityAspect.aj.
As Jsr250MethodSecurityMetadataSource.java only supports @RolesAllowed, @DenyAll and @PermitAll (but not @RunAs and @DeclareRoles) until now, the pointcuts are defined only for the former annotations. Also note that it is based on javax.annotation:jsr250-api:1.0, which does not allow for @DenyAll on a type (this has been corrected in the 1.1 maintenance release of the specification, but I couldn't find it in the Maven repository).
Not sure, though, whether it makes sense to put the JSR 250-related aspects into a separate .aj file or add them to the existing AnnotationSecurityAspect.aj.
Feedback and reviews are welcome.
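An added sketch, not the attachment from this issue and not Spring Security's own code, of what an aspect with pointcuts for the three supported JSR 250 annotations could look like. The package and aspect name are hypothetical, the visibility choices in the pointcuts are assumptions (the thread leaves that question open), and the injected interceptor is assumed to be configured with a Jsr250MethodSecurityMetadataSource.

```aspectj
package example.security; // hypothetical package

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.access.intercept.aspectj.AspectJCallback;
import org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor;

// Hypothetical aspect name; illustrates the pointcuts the issue asks for.
public aspect Jsr250SecuritySketchAspect implements InitializingBean {

    // Methods carrying a JSR 250 annotation directly. Matching every
    // visibility is an assumption made for this sketch.
    private pointcut annotatedMethod() :
        execution(* *(..))
        && (@annotation(RolesAllowed) || @annotation(PermitAll) || @annotation(DenyAll));

    // Public methods of annotated types. @DenyAll is left out because
    // jsr250-api 1.0 does not allow it on a type.
    private pointcut methodInAnnotatedType() :
        execution(public * *(..))
        && (@within(RolesAllowed) || @within(PermitAll));

    private AspectJMethodSecurityInterceptor securityInterceptor;

    Object around() : annotatedMethod() || methodInAnnotatedType() {
        // Without an interceptor the call proceeds unchecked, so
        // afterPropertiesSet() rejects a container-managed aspect that lacks one.
        if (this.securityInterceptor == null) {
            return proceed();
        }
        AspectJCallback callback = new AspectJCallback() {
            public Object proceedWithObject() {
                return proceed();
            }
        };
        // The interceptor resolves the roles via its metadata source.
        return this.securityInterceptor.invoke(thisJoinPoint, callback);
    }

    public void setSecurityInterceptor(AspectJMethodSecurityInterceptor interceptor) {
        this.securityInterceptor = interceptor;
    }

    public void afterPropertiesSet() throws Exception {
        if (this.securityInterceptor == null) {
            throw new IllegalArgumentException("securityInterceptor required");
        }
    }
}
```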