diff --git a/docs/faq/src/docbook/faq.xml b/docs/faq/src/docbook/faq.xml index 6f0bae095f..f4b2db7995 100644 --- a/docs/faq/src/docbook/faq.xml +++ b/docs/faq/src/docbook/faq.xml @@ -326,14 +326,23 @@ element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don't seem to have an effect. - The application context which holds the Spring MVC beans for the - dispatcher servlet is a child application context of the main application - context which is loaded using the - ContextLoaderListener you define in your - web.xml. The beans in the child context are not - visible in the parent context so you need to either move the - <global-method-security> declaration to the web context or moved the - beans you want secured into the main application context. + In a Spring web application, the application context which + holds the Spring MVC beans for the dispatcher servlet is often separate from the main + application context. It is often defined in a file called + myapp-servlet.xml, where myapp is the name + assigned to the Spring DispatcherServlet in web.xml. + An application can have multiple DispatcherServlets, each with its own + isolated application context. The beans in these child contexts are not + visible to the rest of the application. The parent application context is + loaded by the ContextLoaderListener you define in your + web.xml and is visible to all the child contexts. This parent context is + usually where you define your security configuration, including the + <global-method-security> element). As a result + any security constraints applied to methods in these web beans will not be enforced, + since the beans cannot be seen from the DispatcherServlet context. + You need to either move the <global-method-security> + declaration to the web context or moved the beans you want secured into the main + application context. Generally we would recommend applying method security at the service layer rather than on individual web controllers.