Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SpringSecurity check method parameter

Tags:

spring

spring-security

acl

I need to restrict method execution with specific parameters. F.e. some seller can create bill for customer id=1 but can't for customer id=2. Is it possible implement in spring security or I should make check in business logic code?

like image 474
kolchanov Avatar asked Sep 12 '13 12:09

kolchanov

1 Answers

There are multiple options here:

  • You can use Spring Security ACL module to take into account actual domain object for your security restrictions. It is a good option when you have multiple security rules like this.

  • If you have only one security rule like this then using ACL module may be an overkill. In this case it will be better to make check in your business code. You have two options to call this code:

    • Call it declaratively using annotation. You will be able reuse this check more easy, but you lose control over raised exception (it will be default AccessDeniedException):

      @PreAuthorize("hasRole('ROLE_AAA') and @billValidatorBean.validateForCustomer(#customerId)")
public createBill(Integer customerId, ...) {

    • Or implement it in corresponding method directly which gives you complete control over everything.

Choose your way depending on situation.

like image 122
Maksym Demidas Avatar answered Sep 28 '22 06:09

Maksym Demidas
Sign in to Comment

Related questions

junit/spring properties not loading with application context
How can I trim whitespace from request parameters in Spring MVC
Using and controlling Spring transactions within Struts 2 actions
Disable SpringSecurity's SavedRequest storing logic
Spring unit test case is not rolling back insertion of a record
Sending Email with spring in a new thread issue
Unable to locate Spring Namespace for JAX-WS
Internal working of Springs's @RequestParam annotation
Spring integration: difficulty with transaction between 2 activators
Spring Framework MVC Base Controller Method
Thread keeps running even after application has been stopped in Websphere
Unable to locate Spring NamespaceHandler for XML schema namespace [http://www.springframework.org/schema/data/jpa]
For the spring autodetection, what's the difference between component and service?
Spring can't see beans between servlet-context and contextConfigLocation beans
Can't we use spring for distributed java applications?
HibernateOptimisticLockingFailureException marks connection as 'closed'?
Best practice: Creation of SAX parser for XMLReader
How to define RequestMapping prioritization
how to remove unused triggers from quartz tables
How to add LDAP cache in Spring LDAP?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!