Reputation: 391
Multiple roles using @PreAuthorize
To check multiple roles has the method level access
I have used @PreAuthorize annotation to check the role
@PreAuthorize("hasRole(\"" + AuthoritiesConstants.USER + "\",)" )
How to check multiple roles using @PreAuthorize annotaion?
Upvotes: 25
Views: 46087
Answers (5)
Reputation: 373
SecurityExpressionOperations interface in package org.springframework.security.access.expression; contains all the authorization-related methods.
Below are the most useful methods for authentication.
boolean hasRole(String role);
boolean hasAnyRole(String... roles)
boolean isAuthenticated();
boolean hasPermission(Object target, Object permission);
boolean hasPermission(Object targetId, String targetType, Object permission);
Upvotes: 3
Reputation: 1
I believe the best option is to use @PreAuthorize("hasAnyRole()")
In this case I suppose @PreAuthorize("hasAnyRole(AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)")
Upvotes: 0
Reputation: 919
@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
hasAnyRole()
When you need to support multiple roles, you can use the hasAnyRole() expression.
@PreAuthorize("hasAnyRole('ADMIN','DB-ADMIN')")
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html https://www.appsdeveloperblog.com/spring-security-preauthorize-annotation-example/
Upvotes: 37
Reputation: 689
You can create a custom annotation to validate many roles and conditions. P.e.:
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_AGENT) " +
"|| hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_ADMIN)" +
"|| (hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_CUSTOMER) && #userId == principal.username)")
public @interface IsAuthenticatedAsAgentOrCustomerIsUserId {
}
Then, you can use this annotation as below:
@IsAuthenticatedAsAgentOrCustomerIsUserId
Folder findByUserIdAndType(@Param("userId") String userId, @Param("typeId") FolderType id);
This annotation validate that user logged as role AGENT or ADMIN. If user has role CUSTOMER validate if userId parameter is equals to user logged
Upvotes: 33
Reputation: 7521
Simply combine roles by using && or || in SpEL expressions
@PreAuthorize("hasRole('" + AuthoritiesConstants.USER + "')" +
" && hasRole('" + AuthoritiesConstants.ADMIN + "')" )
Upvotes: 14
Related Questions
- spring boot @PreAuthorize hasAuthority and hasRole
- Spring Security @PreAuthorize not seeing Role on incoming Request
- JHipster with @PreAuthorize always allow access
- jhipster fine grain authorization, remove ROLE based authorization
- Jhipster new Roles - Full authentication is required
- Spring Security @PreAuthorize - Restrict certain roles by using Spring EL
- Using ROLES in jhipster?
- Setting up new default Roles in jhipster
- How can I check what roles @PreAuthorize is looking at?
- Can't get @PreAuthorize to work with role hierarchies