Spring Security authorize based on input parameter criteria


Yes, you can. Parameters can be accessed as Spring EL variables. In fact the reference manual gives several examples which use method parameters. The class needs to be compiled with debug symbols present (which is usually the case).

Note that the annotation value is a single expression string:

"(hasRole('BOOK_AIR') and #bookingType == 'AIR') or (hasRole('BOOK_BUS') and #bookingType == 'BUS')"

In practice, using complicated expressions is rather error-prone. You could also use a simpler expression, something like

"@accessChecker.check('book', #bookingType)"

Where accessChecker is a bean in your application context with a "check" method which returns true or false depending on whether the supplied operation information is allowed (you can check the current user's roles by accessing the security context yourself - you'll find that discussed elsewhere on SO).

You could also look into writing your own AccessDecisionManager or AccessDecisionVoter and plug in the functionality there, but that requires more internal knowledge.


Author: Sourabh Girdhar

Updated on September 15, 2022
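
One way to write the accessChecker bean the answer describes, as an added example that is not code from the original answer or question. The class names AccessChecker and BookingService, the operation-to-authority map and the deny-by-default handling of unknown types are assumptions, and method security is assumed to be enabled with parameter names available to the compiler output.

```java
import java.util.Map;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Hypothetical bean; the name "accessChecker" is what @accessChecker resolves to.
@Component("accessChecker")
class AccessChecker {

    // Assumed mapping of "operation:type" to the required authority.
    // hasRole('BOOK_AIR') corresponds to "ROLE_BOOK_AIR" under the default role prefix.
    private static final Map<String, String> REQUIRED = Map.of(
            "book:AIR", "ROLE_BOOK_AIR",
            "book:BUS", "ROLE_BOOK_BUS");

    public boolean check(String operation, String type) {
        String required = REQUIRED.get(operation + ":" + type);
        if (required == null) {
            return false; // unknown or null type: deny instead of falling through
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false; // no authenticated caller in the security context
        }
        return auth.getAuthorities().stream()
                .anyMatch(a -> required.equals(a.getAuthority()));
    }
}

@Service
class BookingService {

    // The check runs on the public, proxied method, before any dispatch on the parameter.
    @PreAuthorize("@accessChecker.check('book', #bookingType)")
    public void bookTicket(String bookingType) {
        if ("AIR".equals(bookingType)) {
            bookAirTicket();
        } else if ("BUS".equals(bookingType)) {
            bookBusTicket();
        } else {
            throw new IllegalArgumentException("Unsupported booking type");
        }
    }

    private void bookAirTicket() { /* booking logic omitted */ }

    private void bookBusTicket() { /* booking logic omitted */ }
}
```

Because the lookup denies any type missing from the map, a value other than AIR or BUS is rejected at the authorization step rather than reaching the bus branch by default.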

Comments

  • Sourabh Girdhar over 1 year

    I have a scenario where I need to authorize a user based on a combination of his permission and the input parameter passed.

    This is the current scenario:

    public void bookTicket(String bookingType) {
        // Compare string contents with equals(); == compares object references.
        if ("AIR".equals(bookingType)) {
            bookAirTicket();
        } else {
            bookBusTicket();
        }
    }

    @PreAuthorize("hasRole('BOOK_AIR')")
    private void bookAirTicket() {
    }

    @PreAuthorize("hasRole('BOOK_BUS')")
    private void bookBusTicket() {
    }
    

    Can we have something like

    @PreAuthorize(("hasRole('BOOK_AIR')" AND bookinType='AIR') OR ("hasRole('BOOK_BUS')"  AND bookinType='BUS'))
    public void bookTicket(String bookingType) {
        // Compare string contents with equals(); == compares object references.
        if ("AIR".equals(bookingType)) {
            bookAirTicket();
        } else {
            bookBusTicket();
        }
    }
    

    Basically I need authorization based on input parameters.

    Thanks

  • Anand Rockzz almost 5 years
    The advice on how error-prone Spring EL is and how to avoid it is invaluable. +10 for that! Thanks