Spring Security @PreAuthorize takes in a lot of expressions, but how does it decide the class of the method in the expression, for e.g
@PreAuthorize("hasRole()") is from SecurityExpressionRoot and @PreAuthorize("hasPermission()") is from PermissionEvaluator class. How does it decide which class instance to use?
I'm not very familiar Spring AOP so not able to dig in lot.
The hasPermission expression is also evaluated against SecurityExpressionRoot, but the latter delegates to a PermissionEvaluator. You can see this easily if you have a look at the SecurityExpressionRoot source.
By default, permission expressions are automatically denied, but setting a different instance controls the way the hasPermission expression behaves.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With