Videanu Adrian

Reputation: 970

spring security permission programatic check

I have in place a Spring Security ACL system, and it seems to work fine, only that I'm not sure how I should perform a permission check programmatically.
My app is split into 3 layers (View, Service (Business), DAO) and I want to perform the auth in the Service layer. So, for a method that takes as an argument a domain object:

@PreAuthorize("hasPermission(#proj, 'write')")
public Project updateProject(Project proj) {
    .............
}

the problem is solved with annotations.
But for a method that takes as an argument an object that does not have an ACL on it, I have to programmatically check if the user has permission.
Let's say I have an object ProjectWrapper:

public class ProjectWrapper {

    private Project project;    
    private Something something;
    // setters and getters here 
}

so now my Service method receives this type of argument:

public Project updateProject(ProjectWrapper projWrapp) {

    Project p = projWrapp.getProject();
    // before performing any operation on project I need to know if current user has necessary permissions on this object
    // ??? how do i check that ?

}

Do I need to use AclService to perform that, just like when I need to create/update a permission, or is there a cleaner/nicer possibility?
The same question for deleteProject(Long id) methods, as first I have to get the object from the DB to check if the current user has delete permission.

Upvotes: 0

Views: 2030

Answers (1)

pgiecek

Reputation: 8200

Method security annotations support Spring EL expressions. In case of your wrapper class, you can use it as follows.

@PreAuthorize("hasPermission(#projectWrapper.project, 'write')")
public Project updateProject(ProjectWrapper projectWrapper) {
    // body omitted
}

And if you have just an object identifier instead of the actual object, you can use the pattern below.

@PreAuthorize("hasPermission(#id, 'my.package.Project', 'delete')")
public void deleteProject(Long id) {
    // body omitted
}

You may need to adjust the default configuration (e.g. the strategy to retrieve the object identity and the like) to meet your requirements. See the org.springframework.security.acls.AclPermissionEvaluator class for more details.

Upvotes: 1
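For the programmatic check the question asks about, here is an added example (not code from the question or the answer) that calls the same PermissionEvaluator bean that backs hasPermission() in the expressions above, so annotation-based and programmatic checks consult the same ACL; ProjectDao and its methods are assumed.

```java
import java.io.Serializable;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Hypothetical service: the programmatic counterpart of the @PreAuthorize
// expressions above. The injected bean is the configured AclPermissionEvaluator.
@Service
public class ProjectService {

    private final PermissionEvaluator permissionEvaluator;
    private final ProjectDao projectDao; // assumed DAO, not on the page

    public ProjectService(PermissionEvaluator permissionEvaluator, ProjectDao projectDao) {
        this.permissionEvaluator = permissionEvaluator;
        this.projectDao = projectDao;
    }

    public Project updateProject(ProjectWrapper projWrapp) {
        Project p = projWrapp.getProject();
        // Authorize on the wrapped domain object before any operation on it.
        requirePermission(p, "write");
        return projectDao.save(p);
    }

    public void deleteProject(Long id) {
        // Authorize by identifier and type: no need to load the entity first.
        requirePermission(id, Project.class.getName(), "delete");
        projectDao.deleteById(id);
    }

    private void requirePermission(Object domainObject, String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!permissionEvaluator.hasPermission(auth, domainObject, permission)) {
            throw new AccessDeniedException("no '" + permission + "' permission");
        }
    }

    private void requirePermission(Serializable targetId, String targetType, String permission) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!permissionEvaluator.hasPermission(auth, targetId, targetType, permission)) {
            throw new AccessDeniedException("no '" + permission + "' permission");
        }
    }
}
```

Throwing AccessDeniedException from the service keeps the behaviour identical to a failed @PreAuthorize check, so the View layer handles both cases the same way.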
