Writing your spring security expression language annotation - PART 2

-
We are now going into the second part of the tutorial. In this post, it will show you how to add a new custom expression for @PreAuthorize annotation. For example, I will show how to add a adminOnly() expression language to the security expression root.


Step 1: Define your custom security expression root class
You have to first create a new security expression root class. This class should be extended from the abstract class org.springframework.security.access.expression.SecurityExpressionRoot. You can add your custom

This class is similar to org.springframework.security.access.expression.method.MethodSecurityExpressionRoot but with your new custom method added. As an example, I just add a very simple mehod adminOnly() which check if the user has admin role.


public class MyMethodSecurityExpressionRoot extends SecurityExpressionRoot {
 
    private static  Logger logger = LoggerFactory.getLogger(MyMethodSecurityExpressionRoot.class);
 
    private Object filterObject;
    private Object returnObject;
    private Object target;
    
     
    public  boolean adminOnly() {
     logger.debug("haha -- check if this function is used by admin role only");
     return  this.hasAuthority("ADMIN");
    }
    
    public MyMethodSecurityExpressionRoot(Authentication a) {
  super(a);
    }

    public void setFilterObject(Object filterObject) {
        this.filterObject = filterObject;
    }

    public Object getFilterObject() {
        return filterObject;
    }

    public void setReturnObject(Object returnObject) {
        this.returnObject = returnObject;
    }

    public Object getReturnObject() {
        return returnObject;
    }

    void setThis(Object target) {
        this.target = target;
    }

    public Object getThis() {
        return target;
    }

}


Step 2: Define your custom expression handler class
To add custom security expression method, you cannot use the DefaultMethodSecurityExpressionHandler. You need to define a new expression handler class by extends the DefaultMethodSecurityExpressionHandler.

You have to override the createSecurityExpressionRoot() method to create your custom security expression root class.


public class MyMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler  {

   @Override
   protected SecurityExpressionRoot createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
  MyMethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(authentication);
         root.setThis(invocation.getThis());
         root.setPermissionEvaluator(getPermissionEvaluator());
         return root;
   }
}


Step 3: Register the custom expression handler in XML


<sec:global-method-security pre-post-annotations="enabled">
  <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>

<bean id="expressionHandler" class="org.borislam.security.ExtendedMethodSecurityExpressionHandler">
  <property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>  

<bean id="permissionEvaluator" class="org.borislam.security.BasePermissionEvaluator"/>



Example usage:

@PreAuthorize("adminOnly()")
 public void doSomething() {
  System.out.println("doSomething!!!"); 
 }

Comments

Post a Comment

Popular posts from this blog

Sample Apps: Spring data MongoDB and JSF Integration tutorial (PART 1)

-
Image
In this year, I will start a new series of “Sample application Tutorials”. In this series of tutorial, a sample case study application will be built with different technologies. In this tutorial, sample JSF application with Spring Data MongoDB will be covered. Table of Contents: 1. Introduction to sample application (MongoShop Product Catalog) 2. MongoDB schema design and data preparation 3. JSF (PrimeFaces) and Spring data MongoDB Integration 4. Enquriy data with spring data repository and mongotemplate 5. Create, Edit and delete data Introduction to sample application (MongoShop Product Catalog) After this tutorial, a sample application (MongoShop Product Catalog) with the following functional requirement will be built: 1. Searching product with different criteria (e.g. sku, product type, title, stc) 2. Create a new product with different category. 3. Edit selected product details 4. Delete selected product from the enquiry screen. Presentation Layer:...
Read more

Customizing Spring Data JPA Repository

-
Spring Data is a very convenient library. However, as the project as quite new, it is not well featured. By default, Spring Data JPA will provide implementation of the DAO based on SimpleJpaRepository. In recent project, I have developed a customize repository base class so that I could add more features on it. You could add vendor specific features to this repository base class as you like. Configuration You have to add the following configuration to you spring beans configuration file. You have to specified a new repository factory class. We will develop the class later. <jpa:repositories base-package="example.borislam.dao" factory-class="example.borislam.data.springData.DefaultRepositoryFactoryBean/> Just develop an interface extending JpaRepository. You should remember to annotate it with @NoRepositoryBean. @NoRepositoryBean public interface GenericRepository <T, ID extends Serializable> extends JpaRepository<T, ID> { } Define...
Read more

Adding Hibernate Entity Level Filtering feature to Spring Data JPA Repository

-
Those who have used data filtering features of hibernate should know that it is very powerful. You could define a set of filtering criteria to an entity class or a collection. Spring data JPA is a very handy library but it does not have fitering features. In this post, I will demonstrate how to add the hibernate filter features at entity level. We can just use annotation in your repositoy interface to enable this features. Step 1. Define filter at entity level as usual. Just use hibernate @FilterDef annotation. @Entity @Table(name = "STUDENT") @FilterDef(name="filterBySchoolAndClass", parameters={@ParamDef(name="school", type="string"),@ParamDef(name="class", type="integer")}) public class Student extends GenericEntity implements Serializable { ... } Step2. Define two custom annotations. These two annotations are to be used in your repository interfaces. You could apply the hibernate filter defined in step 1 to spe...
Read more