Reputation: 330
Does Spring Expression Language (SpEL) in Spring Security use equals() or == to compare objects?
For example (the equals() method is not called!):

    class SecurityObject {
        public boolean equals(Object obj) {
            //...
        }
    }

    @PreAuthorize(" #secObject == #otherSecObject ")
    public void securityMethod(SecurityObject secObject, SecurityObject otherSecObject) {
        //...
    }

Is this normal!? Do I need to use @PreAuthorize(" #secObject.equals(#otherSecObject) ") everywhere?
UPDATE
Why does Spring Security call .equals() in the first case, but not in the second?

    //TestObject
    public class TestObject {
        private static final Logger log = LoggerFactory.getLogger(TestObject.class);
        private Long id;

        public TestObject(Long id) {
            this.id = id;
        }

        @Override
        public int hashCode() {
            int hash = 7;
            hash = 71 * hash + Objects.hashCode(this.id);
            return hash;
        }

        @Override
        public boolean equals(Object obj) {
            log.info("equals");
            if (obj == null) {
                return false;
            }
            if (getClass() != obj.getClass()) {
                return false;
            }
            final TestObject other = (TestObject) obj;
            if (!Objects.equals(this.id, other.id)) {
                return false;
            }
            return true;
        }
    }

    //TestService
    @PreAuthorize(" #one == #two ")
    public String testEqualsInAnnotation(Long one, Long two) {
        //...
    }

    @Override
    @PreAuthorize(" #one == #two ")
    public String testEqualsInAnnotation(TestObject one, TestObject two) {
        //...
    }

    //Test
    log.info("for Long");
    Long one = new Long(500);
    Long two = new Long(500);
    log.info("one == two: {}", (one==two)? true : false); // print false
    log.info("one equals two: {}", (one.equals(two))? true : false); // print true
    testService.testEqualsInAnnotation(one, two); //OK

    log.info("for TestObject");
    TestObject oneObj = new TestObject(new Long(500));
    TestObject twoObj = new TestObject(new Long(500));
    log.info("oneObj == twoObj: {}", (oneObj==twoObj)? true : false); // print false
    log.info("oneObj equals twoObj: {}", (oneObj.equals(twoObj))? true : false); // print true
    testService.testEqualsInAnnotation(oneObj, twoObj); // AccessDeniedException: Access is denied

UPDATE 2
equals() is never invoked at all:

    package org.springframework.expression.spel.ast;

    import org.springframework.expression.EvaluationException;
    import org.springframework.expression.spel.ExpressionState;
    import org.springframework.expression.spel.support.BooleanTypedValue;

    /**
     * Implements equality operator.
     *
     * @author Andy Clement
     * @since 3.0
     */
    public class OpEQ extends Operator {

        public OpEQ(int pos, SpelNodeImpl... operands) {
            super("==", pos, operands);
        }

        @Override
        public BooleanTypedValue getValueInternal(ExpressionState state) throws EvaluationException {
            Object left = getLeftOperand().getValueInternal(state).getValue();
            Object right = getRightOperand().getValueInternal(state).getValue();
            if (left instanceof Number && right instanceof Number) {
                Number op1 = (Number) left;
                Number op2 = (Number) right;
                if (op1 instanceof Double || op2 instanceof Double) {
                    return BooleanTypedValue.forValue(op1.doubleValue() == op2.doubleValue());
                } else if (op1 instanceof Long || op2 instanceof Long) {
                    return BooleanTypedValue.forValue(op1.longValue() == op2.longValue());
                } else {
                    return BooleanTypedValue.forValue(op1.intValue() == op2.intValue());
                }
            }
            if (left!=null && (left instanceof Comparable)) {
                return BooleanTypedValue.forValue(state.getTypeComparator().compare(left, right) == 0);
            } else {
                return BooleanTypedValue.forValue(left==right);
            }
        }
    }

Upvotes: 5
Views: 7946
Reputation: 2407
You may have discovered this already, since it is in the OpEq code in 'Update 2' of the original post, but...
The comparison operators lt < gt > le <= ge >= eq == ne != are based on Java's Comparable interface.
So, if you've got a custom type that you want to be able to compare using == or != in SpEL expressions, then you could write it to implement Comparable.
Of course, then you'll have to figure out some sane rule to decide which object is before the other when they're not equivalent.
That said, I can't find anything in Spring's current documentation indicating this.
Upvotes: 2
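
Added example, not part of any post on this page and not Spring's own code: a stand-alone check that evaluates `#one == #two` and `#one.equals(#two)` with whichever spring-expression version is on the classpath, for the three operand kinds the thread discusses (a Number, a plain object, a Comparable object). The classes `Plain` and `Ordered` and the helper names are constructed for illustration; a flagged row means an `==` guard in `@PreAuthorize` would decide differently from `equals()` for that type.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import java.util.Objects;

public class SpelEqualityCheck {
    // Constructed sample type: value equality through equals(), not Comparable.
    public static class Plain {
        final Long id;
        public Plain(Long id) { this.id = id; }
        @Override public boolean equals(Object o) {
            return o instanceof Plain && Objects.equals(id, ((Plain) o).id);
        }
        @Override public int hashCode() { return Objects.hashCode(id); }
    }

    // Same type made Comparable, the route suggested in the answer above.
    public static class Ordered extends Plain implements Comparable<Ordered> {
        public Ordered(Long id) { super(id); }
        @Override public int compareTo(Ordered other) { return id.compareTo(other.id); }
    }

    // Evaluates a boolean SpEL expression with #one and #two bound as variables,
    // the way method arguments are exposed to a @PreAuthorize expression.
    static boolean eval(String expression, Object one, Object two) {
        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext context = new StandardEvaluationContext();
        context.setVariable("one", one);
        context.setVariable("two", two);
        Boolean result = parser.parseExpression(expression).getValue(context, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    // Prints both results and returns true when the operator agrees with equals().
    static boolean report(String label, Object one, Object two) {
        boolean byOperator = eval("#one == #two", one, two);
        boolean byEquals = eval("#one.equals(#two)", one, two);
        System.out.printf("%-8s ==: %-5b equals(): %-5b%s%n", label, byOperator, byEquals,
                byOperator == byEquals ? "" : "  <-- mismatch: use equals() in the annotation");
        return byOperator == byEquals;
    }

    public static void main(String[] args) {
        // Equal-but-distinct instances, as in the question's test.
        boolean ok = report("Long", Long.valueOf(500L), Long.valueOf(500L))
                & report("Plain", new Plain(500L), new Plain(500L))
                & report("Ordered", new Ordered(500L), new Ordered(500L));
        if (!ok) System.exit(1); // non-zero exit so a build step can fail on a mismatch
    }
}
```

Run it with the same spring-expression jar the application ships, since the outcome follows the `OpEQ` implementation in that version.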
Reputation: 198
rdm, I think you have to use a permission evaluator to evaluate the expressions. I don't think you have really injected/passed values for the objects in the following expression.

    @Override
    @PreAuthorize(" #one == #two ")
    public String testEqualsInAnnotation(TestObject one, TestObject two) {
        //...
    }

I tried to do the same thing, but I failed to pass values and hence wasn't able to evaluate the expressions. My suggestion is to implement your custom permission evaluator for the above expression, and inject/pass values from the evaluator. To generalize my idea, my suspicion is that the objects are null, which is why you weren't able to evaluate it. Please let us know if you can really pass values of the objects in here: @PreAuthorize(" #one == #two ")
Added:
I am using a permission evaluator to evaluate expressions under the @PreAuthorize(...) annotation, because I wasn't able to pass values to the parameters, as I explained above. If it is possible to pass/inject values, it would be good for reducing the complexity that can come from using a permission evaluator.
rdm or others, can you point me to how to pass the values for the parameters under @PreAuthorize(...), if possible?
Sorry for asking another question on rdm's post, and thank you in advance for your help!
Upvotes: 1
Reputation: 12890
As per the SpEL documentation, you need to create an ExpressionParser instance, create an Expression instance, and get the value like below:
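
    ExpressionParser parser = new SpelExpressionParser();
    StandardEvaluationContext context = new StandardEvaluationContext();
    String name = "Nikola Tesla";
    context.setVariable("name", name); // expose the local variable to SpEL as #name
    Expression exp = parser.parseExpression("#name == 'Nikola Tesla'");
    boolean result = exp.getValue(context, Boolean.class);
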
result evaluates to 'true'. That says when we need to compare any two objects, we need to override the equals() method, pass the two objects in to parser#parseExpression("obj1 == obj2") and then call exp#getValue(Boolean.class) to evaluate. In a similar way, the Expression instance can also have an expression string containing Obj1.equals(Obj2) for checking equality. So, both ways of checking equality are possible with SpEL.
Upvotes: 3