Java - Spring Security permission programmatic check
I have a Spring Security ACL system in place, and it seems to work fine, but I'm not sure how I should perform a permission check programmatically.
My app is split into 3 layers (view, service (business), DAO) and I want to perform the auth in the service layer. So, for a method that takes a domain object as an argument:

    @PreAuthorize("hasPermission(#proj, 'write')")
    public Project updateProject(Project proj) {
        // .............
    }

the problem is solved with annotations.
But for a method that takes as an argument an object that does not have an ACL on it, I have to programmatically check if the user has permission.
Let's say I have an object ProjectWrapper:

    public class ProjectWrapper {
        private Project project;
        private Something something;
        // setters and getters here
    }

So the service method receives this type of argument:

    public Project updateProject(ProjectWrapper projWrapp) {
        Project p = projWrapp.getProject();
        // before performing any operation on the project I need to know
        // if the current user has the necessary permissions on the object
        // ??? how to check?
    }

Do I need to use the AclService to perform this? Like when I need to create/update a permission, or is there a cleaner/nicer possibility?
Same question for deleteProject(long id) methods, as first I have to get the object from the DB to check if the current user has delete permission.

Method security annotations support Spring EL expressions. In the case of your wrapper class, you can use it as follows.

    @PreAuthorize("hasPermission(#projectWrapper.project, 'write')")
    public Project updateProject(ProjectWrapper projectWrapper) {
        // body omitted
    }

And if you only have an object identifier instead of the actual object, you can use the pattern below.

    @PreAuthorize("hasPermission(#id, 'my.package.Project', 'delete')")
    public void deleteProject(long id) {
        // body omitted
    }

You may need to adjust the default configuration (e.g. the strategy to retrieve the object identity and the like) to meet your requirements. See the org.springframework.security.acls.AclPermissionEvaluator class for more details.
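
The programmatic form of the same two checks, for service code where an annotation does not fit. This is an added example, not code from the original question or answer: ProjectService, ProjectDao and the shapes of Project and ProjectWrapper are assumptions, and the injected PermissionEvaluator is assumed to be the application's configured AclPermissionEvaluator bean.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Stand-ins for the question's types (assumed shapes, not from the original post).
class Project { private Long id; public Long getId() { return id; } }
class ProjectWrapper { private Project project; public Project getProject() { return project; } }
interface ProjectDao { Project save(Project p); void deleteById(long id); }

public class ProjectService {
    private final PermissionEvaluator permissionEvaluator; // assumed: the AclPermissionEvaluator bean
    private final ProjectDao projectDao;

    public ProjectService(PermissionEvaluator permissionEvaluator, ProjectDao projectDao) {
        this.permissionEvaluator = permissionEvaluator;
        this.projectDao = projectDao;
    }

    public Project updateProject(ProjectWrapper wrapper) {
        Project project = wrapper.getProject();
        // Object-based check, the same call hasPermission(#projectWrapper.project, 'write') makes.
        if (project == null || !permissionEvaluator.hasPermission(currentUser(), project, "write")) {
            throw new AccessDeniedException("write permission required on project");
        }
        return projectDao.save(project);
    }

    public void deleteProject(long id) {
        // Identifier-based check (id, type name, permission): the object is not loaded first.
        if (!permissionEvaluator.hasPermission(
                currentUser(), Long.valueOf(id), Project.class.getName(), "delete")) {
            throw new AccessDeniedException("delete permission required on project " + id);
        }
        projectDao.deleteById(id);
    }

    // Fail closed when there is no authenticated caller instead of passing null to the evaluator.
    private static Authentication currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated user");
        }
        return auth;
    }
}
```

The type name passed in deleteProject has to match the class name the ACL entries were stored under, which is the same constraint the 'my.package.Project' string carries in the annotation form.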