Martin

Reputation: 3753

Handling complex authorization in spring security

I have a Spring MVC web app using pre- and post-authorization method annotations.

I have a particular method in one of my services that needs to apply much more complex authorization logic.

I notice there's a PermissionsEvaluator interface, but that appears to be intended for a more global approach to permissions rather than per-module. I suppose one could write an implementation that delegated to module-specific PermissionsEvaluators, but that seems like a lot of work.

Additionally, I'd be doubling up on a lot of effort. The authorization decision is based on intermediate state during the actual processing. If I used the PreAuthorize mechanism, I'd be generating that state once for authorization, then again "for realsies".

Is there a standard spring exception I can throw from my service layer directly? Is there some other approach I should consider?

Upvotes: 3

Views: 436

Answers (1)

holmis83

Reputation: 16604

Consider using AccessDeniedException. It is thrown internally by Spring Security when a pre- or post-condition evaluates to false. By default it generates a 403 Forbidden page.

Upvotes: 4
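As an added illustration of the answer (example code, not from the question, the answer or Spring itself), the following service method computes its intermediate state once, takes the authorization decision on that state, and throws Spring Security's `AccessDeniedException` when the caller is not allowed. The `ApprovalService`, `PurchaseOrder`, the in-memory `Map` standing in for a repository and the stage/approver rules are all hypothetical; the Spring classes (`AccessDeniedException`, `SecurityContextHolder`, `@Service`, `@Transactional`) are real.

```java
package com.example.approval;

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class ApprovalService {

    /** Hypothetical domain object; a real app would load it from persistence. */
    public static final class PurchaseOrder {
        final long id;
        final int amount;
        /** Approvers per workflow stage, e.g. "manager" -> {alice}, "finance" -> {bob}. */
        final Map<String, Set<String>> approvers;
        String approvedBy;

        PurchaseOrder(long id, int amount, Map<String, Set<String>> approvers) {
            this.id = id;
            this.amount = amount;
            this.approvers = approvers;
        }

        /** Intermediate state: the current stage is derived from the order's own data. */
        String resolveStage() {
            return amount > 10_000 ? "finance" : "manager";
        }
    }

    /** Constructed in-memory stand-in for a repository (hypothetical). */
    private final Map<Long, PurchaseOrder> orders = new HashMap<>();

    public ApprovalService() {
        orders.put(1L, new PurchaseOrder(1L, 500, Map.of("manager", Set.of("alice"))));
        orders.put(2L, new PurchaseOrder(2L, 25_000, Map.of("finance", Set.of("bob"))));
    }

    @Transactional
    public void approve(long orderId) {
        PurchaseOrder order = orders.get(orderId);
        if (order == null) {
            throw new IllegalArgumentException("no such order: " + orderId);
        }
        // The expensive part is done exactly once, not again for a separate PreAuthorize pass.
        String stage = order.resolveStage();

        // Authorization decision on the intermediate state.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String user = auth == null ? null : auth.getName();
        if (user == null || !order.approvers.getOrDefault(stage, Set.of()).contains(user)) {
            // AccessDeniedException is a RuntimeException: the transaction is rolled back and
            // the exception propagates to Spring Security's ExceptionTranslationFilter.
            throw new AccessDeniedException(
                    "not an approver for stage '" + stage + "' of order " + orderId);
        }

        // Same state reused for the real work; nothing is recomputed.
        order.approvedBy = user;
    }
}
```

Two things to check when relying on this: the exception only becomes a 403 if it propagates all the way to `ExceptionTranslationFilter`, so a controller or `@ControllerAdvice` that catches `RuntimeException` (or `AccessDeniedException` itself) will swallow it; and if the current `Authentication` is anonymous or remember-me, that filter starts authentication (redirect or 401 via the entry point) instead of returning 403, which is usually the desired behaviour.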
