I am trying to make work Jersey 3.1.1 with Spring AOP 6.0.13 for Spring security.
When I add authorization for my JAX-RS resource using authorize() method then authorize() is ignored (not called). However, authorize() can be set to be called for any Spring controller and then everything works without any problems.
This my code.
@Configuration
@EnableWebSecurity(debug = true)
@EnableMethodSecurity
public class SecurityConfig {
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
public Advisor authorize() {
JdkRegexpMethodPointcut pattern = new JdkRegexpMethodPointcut();
pattern.setPattern("com.example.FooResource.*");// IT DOESN'T WORK
//pattern.setPattern("com.example.MyMvcController.*");// IT WORKS
AuthorizationManager<MethodInvocation> rule = (AuthorizationManager) authorizationManager;
AuthorizationManagerBeforeMethodInterceptor interceptor =
new AuthorizationManagerBeforeMethodInterceptor(pattern, rule);
interceptor.setOrder(AuthorizationInterceptorsOrder.PRE_AUTHORIZE.getOrder() - 1);
return interceptor;
}
....
}
@Path("/foo")
@Service
public class FooResource {
@Autowired
private Bar bar;
@GET
@Produces(MediaType.TEXT_HTML)
@Path("/temp")
public String temp(@Context HttpServletRequest req) {
System.out.println(this.bar.returnString());
return "<body>Hello! This is temp rest</body>";
}
}
Is this a bug or expected behavior? Can Spring AOP 6 be used with JAX-RS (Jersey 3) resources?
Comment From: snicoll
Spring AOP does not differentiate between components but it could be that your setup is such that it is not advised due to early initialization problem. We can't say for sure based on a code snippet that does not compile. If you want support, please take the time to build a small sample that we can run to reproduce the problem. You can attach a zip to this issue or push the code to a separate GitHub repository.