 

Best way to create custom method security expression

I'm trying to create my own method security expressions, that I want to use in @PreFilter and @PostFilter annotations.

Searching for tutorials and similar questions I've found two ways to proceed.

The first is to extend DefaultMethodSecurityExpressionHandler and override createSecurityExpressionRoot, in order to give a customized SecurityExpressionRoot.

@PreAuthorize('isOwner(#someEntity)') 

The second way is to simply use a @Component class and access its methods from @Pre / @Post filter annotations with @bean.method()

@PreAuthorize("@mySecurityService.isOwner(#someEntity)")

My question is: Which is the preferred way? If both are OK, why choose one or the other?

Thank you, Marco

gipinani asked Jul 23 '13 06:07




1 Answer

Advantages of @PreAuthorize('isOwner(#someEntity)') way over @bean.method() way:

  • From a maintenance point of view: when you change the signature of some method like CustomSecurityExpressionRoot.isOwner(), it is clear to you (and even to a new developer familiar with Spring Security) that you need to review all @Pre / @Post annotations. This advantage is not so important if you have JUnit tests for all @Pre / @Post cases.
  • Short syntax (you can try a short alias to improve the @bean.method() way, for example @sec.isOwner())
  • With SecurityExpressionRoot you automatically have access to the authentication, trustResolver, roles and permissionEvaluator objects. It is not so important because you can easily get them in your custom bean too.

Advantages of @bean.method() way over @PreAuthorize('isOwner(#someEntity)') way:

  • Easy setup

I like your @bean.method() way. IMHO all the differences are not so important (for my previous project). But I like the "easy setup" option so much! So for the next project I'll try your @bean.method() way in conjunction with JUnit tests for all @Pre / @Post cases.

Maksym Demidas answered Oct 13 '22 01:10
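Both ways from the question and the answer side by side, as an added example (my code, not from the question, the answer or Spring Security itself). It assumes a hypothetical Document entity with getOwner() returning the owner's username, Spring Security 4 or later, and @EnableGlobalMethodSecurity(prePostEnabled = true) already in place; the bean is registered under the answer's short alias @sec.

```java
// Added example, not from the question or the answer. Assumes a hypothetical Document
// entity with getOwner() returning the owner's username; Spring Security 4+, prePostEnabled = true.
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import java.util.List;
// Way 1: custom expression root, so isOwner(...) becomes a built-in expression.
class OwnerExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private Object filterObject, returnObject; private final Object target;
    OwnerExpressionRoot(Authentication auth, Object target) { super(auth); this.target = target; }
    // Deny by default: a null entity or a null owner never matches the caller.
    public boolean isOwner(Document doc) {
        return doc != null && doc.getOwner() != null && doc.getOwner().equals(getAuthentication().getName());
    }
    @Override public void setFilterObject(Object o) { filterObject = o; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object o) { returnObject = o; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return target; }
}
// Register this as the MethodSecurityExpressionHandler bean; it replaces the default root.
class OwnerExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    @Override protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication auth, MethodInvocation mi) {
        OwnerExpressionRoot root = new OwnerExpressionRoot(auth, mi.getThis());
        root.setPermissionEvaluator(getPermissionEvaluator()); // keep hasPermission() working
        root.setTrustResolver(getTrustResolver());             // keep isAnonymous()/isRememberMe() working
        root.setRoleHierarchy(getRoleHierarchy());
        return root;
    }
}
// Way 2: an ordinary bean, reached from SpEL as @sec.isOwner(...) (the answer's short alias).
@Component("sec")
class OwnerSecurityService {
    public boolean isOwner(Document doc) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && doc != null && doc.getOwner() != null && doc.getOwner().equals(auth.getName());
    }
}

class DocumentService {
    @PreAuthorize("isOwner(#doc)") public void update(Document doc) { }      // way 1
    @PreAuthorize("@sec.isOwner(#doc)") public void delete(Document doc) { } // way 2: #doc unquoted, not a string literal
    @PostFilter("isOwner(filterObject)") public List<Document> list(List<Document> all) { return all; }
}
```

With way 1 the same isOwner() also serves @PostFilter via filterObject, which is the case the question asks about; with way 2 the bean has to read the Authentication from SecurityContextHolder itself.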