How to create custom methods for use in spring security expression language annotations

by

None of the mentioned techniques will work anymore. It seems as though Spring has gone through great lengths to prevent users from overriding the SecurityExpressionRoot.

EDIT 11/19/14 Setup Spring to use security annotations:

<beans ... xmlns:sec="http://www.springframework.org/schema/security" ... >
...
<sec:global-method-security pre-post-annotations="enabled" />

Create a bean like this:

@Component("mySecurityService")
public class MySecurityService {
    public boolean hasPermission(String key) {
        return true;
    }
}

Then do something like this in your jsp:

<sec:authorize access="@mySecurityService.hasPermission('special')">
    <input type="button" value="Special Button" />
</sec:authorize>

Or annotate a method:

@PreAuthorize("@mySecurityService.hasPermission('special')")
public void doSpecialStuff() { ... }

Additionally, you may use Spring Expression Language in your @PreAuthorize annotations to access the current authentication as well as method arguments.

For example:

@Component("mySecurityService")
public class MySecurityService {
    public boolean hasPermission(Authentication authentication, String foo) { ... }
}

Then update your @PreAuthorize to match the new method signature:

@PreAuthorize("@mySecurityService.hasPermission(authentication, #foo)")
public void doSpecialStuff(String foo) { ... }

More Related Contents:

  1. Spring Security : Multiple HTTP Config not working
  2. Filter invoke twice when register as Spring bean
  3. How to fix role in Spring Security?
  4. Spring security CORS Filter
  5. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  6. Configuring Spring Security 3.x to have multiple entry points
  7. How to disable spring security for particular url
  8. Difference between Role and GrantedAuthority in Spring Security
  9. Disable Spring Security for OPTIONS Http Method
  10. How to disable ‘X-Frame-Options’ response header in Spring Security?
  11. How to enable HTTP response caching in Spring Boot
  12. RESTful Authentication via Spring
  13. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  14. Spring webSecurity.ignoring() doesn’t ignore custom filter
  15. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  16. Unit testing with Spring Security
  17. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  18. Spring Security, secured and none secured access
  19. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  20. How to apply Spring Security filter only on secured endpoints?
  21. Spring Security multiple url ruleset not working together
  22. JAAS for human beings
  23. How to use new PasswordEncoder from Spring Security
  24. Spring security added prefix “ROLE_” to all roles name?
  25. Why this Spring application with java-based configuration don’t work properly
  26. How do I add method based security to a Spring Boot project?
  27. Spring REST security – Secure different URLs differently
  28. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  29. disabling spring security in spring boot app [duplicate]
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment