Reputation: 1562
Assuming that my Spring Security and properties are configured properly, I would like to use a role name from a property, like:
@PreAuthorize("hasRole('${role.rolename}')")
public void method() {}
I have tried it as in the above code sample, but it does not work (it takes the '${role.rolename}' String as the role to compare).
If I switch to
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void method() {}
it works just fine. My motivation for such usage is better flexibility in application tests on various environments.
Upvotes: 9
Views: 13837
Reputation: 3657
Building on other answers here, one thing that tripped me up was not setting the context on the OAuth2MethodSecurityExpressionHandler.
Make sure that in your MethodSecurityConfig you're loading the context for the answers above to work.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired
    private ApplicationContext context;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        OAuth2MethodSecurityExpressionHandler handler = new OAuth2MethodSecurityExpressionHandler();
        handler.setApplicationContext(context);
        return handler;
    }
}
Then you can successfully access
@PreAuthorize("hasRole(@environment.getProperty('role.rolename'))")
public void method() {}
Upvotes: 0
Reputation: 817
I've found that you can just grab the propertyResolver and pull values directly from that, instead of writing your own class as was suggested by @Maksym.
Example:
@PreAuthorize("hasRole(@environment.getProperty('role.rolename'))")
public void method() {}
Upvotes: 2
Reputation: 7817
Try to remove '' signs:
@PreAuthorize("hasRole(${role.rolename})")
public void method() {}
EDIT. I am sure that there is a better way, but as a workaround you can call some method on some bean:
@Component("appVariablesHolder")
public class AppVariablesHolder {
    @Value("${role.rolename}")
    private String someRole;

    public String getSomeRole() {
        return this.someRole;
    }
}

@PreAuthorize("hasRole(@appVariablesHolder.getSomeRole())")
public void method() {}
Upvotes: 15
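Why the quoted placeholder in the question is compared literally while the @environment and @appVariablesHolder forms in the answers resolve, shown by evaluating the same expressions with Spring's SpEL parser directly. This is an added example, not code from any of the posts; the class name PreAuthorizeSpelDemo, the helper eval, the key role.missing and the sample property value are assumptions for illustration, and the bean resolver is wired by hand here.

```java
import java.util.Map;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.core.env.MapPropertySource;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Hypothetical demo class; needs spring-context and spring-expression on the classpath.
public class PreAuthorizeSpelDemo {

    static String eval(ExpressionParser parser, StandardEvaluationContext ctx, String spel) {
        return parser.parseExpression(spel).getValue(ctx, String.class);
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext app = new AnnotationConfigApplicationContext();
        // Constructed sample value standing in for an application.properties entry.
        app.getEnvironment().getPropertySources().addFirst(
                new MapPropertySource("sample", Map.<String, Object>of("role.rolename", "ROLE_ADMIN")));
        app.refresh();

        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext ctx = new StandardEvaluationContext();
        // Without a bean resolver, @bean references cannot be evaluated.
        ctx.setBeanResolver(new BeanFactoryResolver(app));

        // Quoted placeholder: a plain SpEL string literal, no property lookup happens.
        System.out.println(eval(parser, ctx, "'${role.rolename}'"));
        // Bean reference: the Environment bean looks the key up at evaluation time.
        System.out.println(eval(parser, ctx, "@environment.getProperty('role.rolename')"));
        // Missing key: getProperty yields null rather than failing.
        System.out.println(eval(parser, ctx, "@environment.getProperty('role.missing')"));
        // getRequiredProperty throws instead, making a misconfigured environment visible.
        try {
            eval(parser, ctx, "@environment.getRequiredProperty('role.missing')");
        } catch (RuntimeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        app.close();
    }
}
```

For authorization rules driven by per-environment properties, the missing-key case matters: a typo in the key or an absent property changes which role is checked, so it is worth deciding whether that should surface as an error at evaluation time.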