Rustam Issabekov

Reputation: 3517

Combining @Secured and @PreAuthorize annotation on one method

I have the following service method in my application:

    @Override
    @Secured({Authority.ACCESS_FUNDING})
    @PreAuthorize("hasPermission(principal, 'MODIFY')")
    public FundingAllocation newFundingAllocation(FundingAllocationForm fundingAllocationForm) {
      return newFundingAllocation(fundingAllocationForm, null);
    }

But I noticed that the @Secured annotation is getting ignored, and only the @PreAuthorize check is performed.

I have the following Spring Security config:

    <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
        <security:expression-handler ref="securityExpressionHandler"/>
    </security:global-method-security>

Does anybody know if it's even possible to combine two annotations on one method?

Upvotes: 3

Views: 2962

Answers (2)

Jason White

Reputation: 5833

With @PreAuthorize and @PostAuthorize you can combine expressions with the 'and' and 'or' operators.

    @Override
    // Both checks in one expression: the authority AND the permission must hold.
    @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
    public FundingAllocation newFundingAllocation(FundingAllocationForm fundingAllocationForm) {
      return newFundingAllocation(fundingAllocationForm, null);
    }

Hopefully this is helpful.

http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html

Upvotes: 4

kaqqao

Reputation: 15479

As per the Javadoc on DelegatingMethodSecurityMetadataSource, it will use the first source of metadata it finds. So it is not intended to mix the two. The rationale is also explained in https://github.com/spring-projects/spring-security/issues/2116

The official docs also state:

You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise. If two annotations are found which apply to a particular method, then only one of them will be applied.

So just don't do it and write the correct expression in your @PreAuthorize:

    @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")

as jmw5598's answer suggests.

Upvotes: 5
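The following is an added example illustrating both answers above; it is not code from the question or from either answer. It enables only pre/post annotations (secured annotations stay off, so only one metadata source is in play), puts both checks into a single @PreAuthorize expression, and uses spring-security-test's @WithMockUser to show that a caller is refused when either the authority or the permission is missing. The FundingService here is a simplified stand-in for the asker's service, PrincipalPermissionEvaluator is a hypothetical evaluator standing in for whatever the asker's securityExpressionHandler wires in, and the test assumes Spring Security 5.x, spring-security-test and JUnit 5 on the classpath.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.io.Serializable;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(CombinedPreAuthorizeTest.MethodSecurityConfig.class)
class CombinedPreAuthorizeTest {

    /** Simplified stand-in for the asker's service: one expression carrying both checks. */
    static class FundingService {
        @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
        public String newFundingAllocation(String form) {
            return "allocated:" + form;
        }
    }

    /** Hypothetical evaluator: only the user named "editor" holds MODIFY on the principal. */
    static class PrincipalPermissionEvaluator implements PermissionEvaluator {
        @Override
        public boolean hasPermission(Authentication auth, Object target, Object permission) {
            return "MODIFY".equals(permission) && "editor".equals(auth.getName());
        }

        @Override
        public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
            return false;
        }
    }

    /** Only pre/post annotations are enabled; securedEnabled is deliberately left at its default (false). */
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
            handler.setPermissionEvaluator(new PrincipalPermissionEvaluator());
            return handler;
        }

        @Bean
        FundingService fundingService() {
            return new FundingService();
        }
    }

    @Autowired
    FundingService service;

    @Test
    @WithMockUser(username = "editor", authorities = "ACCESS_FUNDING")
    void bothConditionsHold() {
        assertEquals("allocated:q1", service.newFundingAllocation("q1"));
    }

    @Test
    @WithMockUser(username = "editor") // permission would pass, but the authority is missing
    void missingAuthorityIsDenied() {
        assertThrows(AccessDeniedException.class, () -> service.newFundingAllocation("q1"));
    }

    @Test
    @WithMockUser(username = "viewer", authorities = "ACCESS_FUNDING") // authority present, permission fails
    void missingPermissionIsDenied() {
        assertThrows(AccessDeniedException.class, () -> service.newFundingAllocation("q1"));
    }
}
```

The two denial tests are the point: with a single @PreAuthorize there is no second metadata source for DelegatingMethodSecurityMetadataSource to shadow, so both clauses are guaranteed to be evaluated, and a regression that drops either clause fails a test instead of silently widening access.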
