Expression in annotation using fields of class in Spring Security


I use method-level security. In a class I annotated some methods, and the expressions use fields of this class. But I get SpEL exceptions saying that I can't reference them. Here is part of the code of this class. In the expressions I want to use the field repPrefix, but I receive exceptions saying that it's an unknown variable.

@Component("c2rTableManager")
@Scope("prototype")
public class C2RTableManager implements TableManager {
     private final TableManager tableManager;
     private final String repPrefix;

     @Autowired
     private SecurityInfoService securityInfoService;

     public C2RTableManager(TableManager tableManager, String repository) {
          this.tableManager = tableManager;
          this.repPrefix = repository + "__";
     }

     // ...some methods

     @Override
     @PreAuthorize("hasRole('DBA') || hasPermission(repPrefix + #table, 'TABLE', 'DELETE_TABLE')")
     public void dropTable(String table) throws InterruptedException, IOException {
          tableManager.dropTable(table);
     }

     // ...other methods
}

If I write it another way, the expressions AREN'T EVALUATED at all. I can't understand why.

@Component("c2rTableManager")
@Scope("prototype")
public class C2RTableManager implements TableManager {
     private final TableManager tableManager;
     private final String repPrefix;

     @Autowired
     private SecurityInfoService securityInfoService;

     public C2RTableManager(TableManager tableManager, String repository) {
          this.tableManager = tableManager;
          this.repPrefix = repository + "__";
     }

     // ...some methods

     @Override
     public void dropTable(String table) throws InterruptedException, IOException {
          dropTable(table, repPrefix);
     }

     @PreAuthorize("hasRole('DBA') || hasPermission(#repPrefix + #table, 'TABLE', 'DELETE_TABLE')")
     public void dropTable(String table, String repPrefix) throws InterruptedException, IOException {
          tableManager.dropTable(table);
     }

     // ...other methods
}

How can I write expressions for methods of a class using the values of fields of this class?


1
On

I do not have enough reputation for adding a comment. From the Spring Security docs available at http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

Here we're actually using a method argument as part of the expression to decide whether the current user has the “admin” permission for the given contact. The built-in hasPermission() expression is linked into the Spring Security ACL module through the application context, as we'll see below. You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.

Please note the last sentence. Check the two points below:

  • Did you compile the classes with the debug flag on?
  • Did you enable method-level security with this declaration: <global-method-security pre-post-annotations="enabled"/>
0
On

I needed to declare the field as public

public final String repPrefix;

And write the annotation with a link to this

@PreAuthorize("hasRole('DBA') || hasPermission(this.repPrefix + #table, 'TABLE', 'DELETE_TABLE')")
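
The behaviour described in the answer above can be reproduced with SpEL alone. This is an added example, not code from the original post or from Spring Security; it assumes spring-expression is on the classpath, and `Bean` and `Root` are hypothetical stand-ins for the secured bean and for the expression root, which exposes the secured object through a `getThis()` accessor.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class ThisFieldInSpel {
    // Hypothetical stand-in for the secured bean from the question.
    public static class Bean {
        public final String repPrefix;       // public field: SpEL can read it
        private final String hiddenPrefix;   // private, no getter: SpEL cannot read it
        public Bean(String repository) {
            this.repPrefix = repository + "__";
            this.hiddenPrefix = repository + "__";
        }
    }

    // Hypothetical stand-in for the expression root: the secured object is
    // reachable only through the "this" property, not as the root itself.
    public static class Root {
        private final Object target;
        public Root(Object target) { this.target = target; }
        public Object getThis() { return target; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluates expr against the root with #table bound, as a method argument would be.
    static String eval(String expr, Object root, String table) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        ctx.setVariable("table", table);
        try {
            return PARSER.parseExpression(expr).getValue(ctx, String.class);
        } catch (SpelEvaluationException e) {
            return "ERROR: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Root root = new Root(new Bean("repo1"));   // constructed sample values
        String[] exprs = {
            "repPrefix + #table",          // looked up on the root object: fails
            "this.repPrefix + #table",     // public field on the target: resolves
            "this.hiddenPrefix + #table"   // private field without getter: fails
        };
        for (String expr : exprs) {
            System.out.println(expr + " -> " + eval(expr, root, "users"));
        }
    }
}
```

A public getter (`getRepPrefix()`) on the bean works as well as a public field, and keeps the field itself private.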