Kaushik

Reputation: 3381

Spring security @PreAuthorize SecurityExpressionRoot or PermissionEvaluator

Spring Security @PreAuthorize takes in a lot of expressions, but how does it decide the class of the method in the expression? For example:

@PreAuthorize("hasRole()") is from SecurityExpressionRoot and @PreAuthorize("hasPermission()") is from PermissionEvaluator class. How does it decide which class instance to use?

I'm not very familiar with Spring AOP, so I'm not able to dig in a lot.

Upvotes: 3

Views: 1746

Answers (1)

Shaun the Sheep

Reputation: 22742

The hasPermission expression is also evaluated against SecurityExpressionRoot, but the latter delegates to a PermissionEvaluator. You can see this easily if you have a look at the SecurityExpressionRoot source.

By default, permission expressions are automatically denied, but setting a different instance controls the way the hasPermission expression behaves.

Upvotes: 4
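
The delegation described in the answer above, shown as an added example (not code from the original answer or from Spring Security itself): the expression handler creates the SecurityExpressionRoot for each call and hands it the configured PermissionEvaluator, so hasRole and hasPermission both resolve against the same root. It assumes Spring Security 5.6+ with @EnableMethodSecurity; OwnerPermissionEvaluator and Document are hypothetical names.

```java
import java.io.Serializable;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;

@Configuration
@EnableMethodSecurity // assumption: Spring Security 5.6 or later
public class MethodSecurityConfig {

    // Replaces the default deny-all evaluator. The handler passes this instance to the
    // SecurityExpressionRoot it builds, and hasPermission(...) on that root delegates to it.
    // Guarded method (hypothetical): @PreAuthorize("hasRole('USER') and hasPermission(#doc, 'read')")
    @Bean
    static MethodSecurityExpressionHandler expressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new OwnerPermissionEvaluator());
        return handler;
    }

    /** Hypothetical rule: "read" is granted only on a Document owned by the caller. */
    static class OwnerPermissionEvaluator implements PermissionEvaluator {
        @Override
        public boolean hasPermission(Authentication auth, Object target, Object permission) {
            // Fail closed on missing authentication or an unexpected target type.
            if (auth == null || !auth.isAuthenticated() || !(target instanceof Document)) {
                return false;
            }
            Document doc = (Document) target;
            return "read".equals(permission) && auth.getName().equals(doc.owner);
        }

        @Override
        public boolean hasPermission(Authentication auth, Serializable targetId,
                                     String targetType, Object permission) {
            return false; // id-based lookups are not implemented here, so deny
        }
    }

    /** Hypothetical domain object used only for this example. */
    static class Document {
        final String owner;
        Document(String owner) { this.owner = owner; }
    }
}
```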
