Sankalp

Reputation: 2086

How can I annotate a method with Spring Security so that a caller is required to have one of a list of roles?

I am using Java annotations to grant permissions to a particular method. So far I have not found a way to make my method accessible to multiple roles. Single role works fine with @Secured("ROLE_CUSTOMER"). Is there a way to do hasRole('role1','role2')?

Upvotes: 18

Views: 21458

Answers (4)

Sankalp

Reputation: 2086

Found an exact solution to the problem:

@PreAuthorize("hasAnyRole('ROLE_CUSTOMER','ROLE_OFFICEADMIN','ROLE_EMPLOYEE')") 

Upvotes: 43

PaulMurrayCbr

Reputation: 1260

The Grails "Secured" annotation is different from the Spring "Secured" annotation. Grails takes an array of strings. Spring takes a weird security expression language.

so:

import org.springframework.security.access.annotation.Secured;
@Secured('hasAnyRole([\'FOO-ROLE\'])')

or:

import grails.plugins.springsecurity.Secured;
@Secured(['FOO-ROLE'])

Upvotes: -2

Cristiano Fontes

Reputation: 5088

To make that happen I often use this

Import this into your JSP

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

and now you can use this to handle security, like in the if taglib

<sec:authorize access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

There is also another one like this to not permit those... I think it's HasNoRole

Anyway, this works!

Upvotes: 7

Simone

Reputation: 2311

Just:

@Secured({"ROLE1", "ROLE2", "ROLE3"})

Upvotes: 11
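
The two multi-role annotations from the answers above, side by side with the configuration that makes them take effect, as an added example that is not code from any of the posters. It assumes Spring Security 6 (`@EnableMethodSecurity`; older versions use `@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)`), and `MultiRoleDemo`, `OrderService`, its methods and the test user are hypothetical names.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class MultiRoleDemo {
    // Hypothetical service; the role names are the ones used in the thread.
    public static class OrderService {
        @PreAuthorize("hasAnyRole('ROLE_CUSTOMER','ROLE_OFFICEADMIN','ROLE_EMPLOYEE')")
        public String viewOrder() { return "order"; }
        @Secured({"ROLE_OFFICEADMIN", "ROLE_EMPLOYEE"}) // any one of the listed roles suffices
        public String cancelOrder() { return "cancelled"; }
    }

    // Without this, both annotations are ignored and every caller gets through.
    @Configuration
    @EnableMethodSecurity(securedEnabled = true) // @PreAuthorize is on by default here
    public static class Config {
        @Bean
        public OrderService orderService() { return new OrderService(); }
    }

    // Runs the call as a constructed test user holding the given roles.
    static boolean allowed(Runnable call, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "n/a", roles));
        try {
            call.run();
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(Config.class)) {
            OrderService svc = ctx.getBean(OrderService.class); // proxied bean, not a plain instance
            System.out.println(allowed(svc::viewOrder, "ROLE_CUSTOMER"));
            System.out.println(allowed(svc::cancelOrder, "ROLE_CUSTOMER"));
            System.out.println(allowed(svc::cancelOrder, "ROLE_EMPLOYEE"));
        }
    }
}
```

The checks only apply to calls that go through the Spring-managed proxy; an `OrderService` created with `new`, or a call from one method of the class to another, bypasses them.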
