Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring security @PreAuthorize SecurityExpressionRoot or PermissionEvaluator

Spring Security @PreAuthorize takes in a lot of expressions, but how does it decide the class of the method in the expression, for e.g

@PreAuthorize("hasRole()") is from SecurityExpressionRoot and @PreAuthorize("hasPermission()") is from PermissionEvaluator class. How does it decide which class instance to use?

I'm not very familiar Spring AOP so not able to dig in lot.

like image 439
Kaushik Avatar asked Jul 02 '26 01:07

Kaushik


1 Answers

The hasPermission expression is also evaluated against SecurityExpressionRoot, but the latter delegates to a PermissionEvaluator. You can see this easily if you have a look at the SecurityExpressionRoot source.

By default, permission expressions are automatically denied, but setting a different instance controls the way the hasPermission expression behaves.

like image 165
Shaun the Sheep Avatar answered Jul 04 '26 14:07

Shaun the Sheep