Why use "#post" instead of "post" in hasPermission check in Spring Security


I am new to Spring Security. While analyzing the below code change, I could not comprehend why "#post" is used instead of "post". Why is the word "post" prefixed with a "#"? post is an object.

@PreAuthorize("hasPermission(#post, 'MANAGER') or hasRole('ROLE_MODERATOR')")
+   @PreAuthorize("hasPermission(#post, 'write') or hasRole('ROLE_MODERATOR')")
    public void updateFullyPost(Post post) throws AppException;
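
Review bot: `#post` on the changed `@PreAuthorize` line only resolves if Spring Security can discover the parameter name of `updateFullyPost(Post post)`. The declaration has no body, so if it sits on an interface, debug symbols will not supply the name and `#post` evaluates to null; compile with `-parameters` or annotate the parameter with `@P("post")`. The permission string also changes from 'MANAGER' to 'write', so confirm that the configured PermissionEvaluator recognises 'write'.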

I referred to the Spring Security documentation and found the below.

hasPermission(Object target, Object permission) Returns true if the user has access to the provided target for the given permission. For example, hasPermission(domainObject, 'read')

The first argument is supposed to be a target object.

Could someone provide some pointers? Appreciate it. Thank you.

Best answer:

In Spring Expression Language (SpEL):

Variables can be referenced in the expression using the syntax #variableName.

When calling a method with an annotation like @PreAuthorize, the method arguments are passed to SpEL as variables.

If you leave out the #, Spring will look for a property in the root object, in this case a SecurityExpressionRoot. It is where you find the hasPermission method.
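
The variable-versus-root-property lookup described in the answer can be reproduced with plain SpEL. This is an added example, not code from the original post or from Spring Security: `DemoRoot` is a hypothetical stand-in for SecurityExpressionRoot, `Post` and its `owner` field are constructed for the demo, and only `spring-expression` is assumed on the classpath.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class HashVariableDemo {

    // Hypothetical domain object (constructed for this example).
    public static class Post {
        public final String owner;
        public Post(String owner) { this.owner = owner; }
    }

    // Hypothetical stand-in for SecurityExpressionRoot: it exposes
    // hasPermission(...) on the root object but has no "post" property.
    public static class DemoRoot {
        private final String user;
        public DemoRoot(String user) { this.user = user; }
        public boolean hasPermission(Object target, Object permission) {
            // Deny when the target is missing, e.g. an unbound variable.
            if (!(target instanceof Post)) return false;
            return "write".equals(permission) && user.equals(((Post) target).owner);
        }
    }

    static String evaluate(String expr, StandardEvaluationContext ctx) {
        ExpressionParser parser = new SpelExpressionParser();
        try {
            return String.valueOf(parser.parseExpression(expr).getValue(ctx, Boolean.class));
        } catch (SpelEvaluationException e) {
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        StandardEvaluationContext bound = new StandardEvaluationContext(new DemoRoot("alice"));
        // Spring Security does this for each resolvable method argument.
        bound.setVariable("post", new Post("alice"));
        StandardEvaluationContext unbound = new StandardEvaluationContext(new DemoRoot("alice"));

        // #post is the variable, so the Post reaches hasPermission.
        System.out.println(evaluate("hasPermission(#post, 'write')", bound));
        // post is looked up as a property of the root object and fails.
        System.out.println(evaluate("hasPermission(post, 'write')", bound));
        // An unset variable evaluates to null, so the check sees no target.
        System.out.println(evaluate("hasPermission(#post, 'write')", unbound));
    }
}
```

The third case is the one to watch for in an authorization rule: nothing throws, so a permission evaluator that does not reject a null target would decide without ever seeing the object.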