Call your own method with PreAuthorize in Spring Security

If the authorization rule you need in Spring Security method security is a little too involved for a plain expression, you can call a method on any bean from inside the `@PreAuthorize` expression.

As an aside, if you want to add a custom authorization check the "proper" way, implementing PermissionEvaluator is probably the legitimate approach. The article below explains the PermissionEvaluator implementation clearly and in detail; it is the recommended route if you want a general-purpose evaluator, for example when building an extension framework. https://www.codeflow.site/ja/article/spring-security-create-new-custom-security-expression

This post covers a procedure that is somewhat simpler to write.

PreAuthorize definition on the Controller side

Controller.java

```java
    // Spring EL: "@customPreAuthorizer" refers to the bean registered under that name
    @PreAuthorize("@customPreAuthorizer.belongGroup(#groupId, authentication.principal)")
    @RequestMapping("/group/{groupId}/list")
    public String list(Model model, @PathVariable("groupId") Long groupId) {
        model.addAttribute("groupId", groupId);
        return "group/list"; // view name
    }
```

Bean definition

CustomPreAuthorizer.java

```java
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component
public class CustomPreAuthorizer {
    public boolean belongGroup(Long groupId, UserDetails userDetails) {
        // Implement your own authorization here. Return true if the caller is allowed to proceed.
        return true;
    }
}
```

Commentary

By prefixing a bean name with `@` in the `@PreAuthorize` expression, you can reference any bean registered as a component, as in `@customPreAuthorizer` above.

The authenticated user's details can be passed as an argument with `authentication.principal`.

If passing the principal through the `@PreAuthorize` expression feels redundant, the same object is available from the SecurityContext, so it can be retrieved inside the method instead.

CustomPreAuthorizer.java

```java
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

@Component
public class CustomPreAuthorizer {
    public boolean belongGroup(Long groupId) {
        // Read the principal from the thread-bound SecurityContext instead of taking it as an argument
        var userDetails = (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        // Implement your own check on userDetails and groupId here. Return true if allowed.
        return true;
    }
}
```

Beyond that, if you extend UserDetails so that the information you need is loaded at login, you can implement your own authorization on top of it.
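As an added example (not the article's own code), here is one way to complete the second variant: a hypothetical GroupAwareUser that extends Spring's User to carry the user's group IDs, and a belongGroup that fails closed when there is no authentication, the session is anonymous, or the principal is some other type. It assumes method security is enabled (@EnableMethodSecurity, or @EnableGlobalMethodSecurity(prePostEnabled = true) on older versions) and that your UserDetailsService returns GroupAwareUser at login.

```java
import java.util.Collection;
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;

// Hypothetical UserDetails subclass: your UserDetailsService builds it at login
// with the IDs of the groups the user belongs to, so no DB call is needed per check.
class GroupAwareUser extends User {
    private final Set<Long> groupIds;

    GroupAwareUser(String username, String password,
                   Collection<? extends GrantedAuthority> authorities, Set<Long> groupIds) {
        super(username, password, authorities);
        this.groupIds = Set.copyOf(groupIds);
    }

    boolean isMemberOf(Long groupId) {
        return groupIds.contains(groupId);
    }
}

// Referenced from the expression as @customPreAuthorizer; the explicit name matches the article.
@Component("customPreAuthorizer")
public class CustomPreAuthorizer {

    // Used as @PreAuthorize("@customPreAuthorizer.belongGroup(#groupId)")
    public boolean belongGroup(Long groupId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no security context, not authenticated, or no group requested.
        if (auth == null || !auth.isAuthenticated() || groupId == null) {
            return false;
        }
        Object principal = auth.getPrincipal();
        // The anonymous filter sets a String principal ("anonymousUser"), and other
        // providers may set other types; anything that is not our user type is denied.
        if (!(principal instanceof GroupAwareUser)) {
            return false;
        }
        return ((GroupAwareUser) principal).isMemberOf(groupId);
    }
}
```

A principal that is not a GroupAwareUser is denied rather than cast, which is the case where the unchecked `(UserDetails)` cast in the article's version would throw a ClassCastException for an anonymous session.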
