Built-In Expressions and Objects in Spring Security
November 28, 2019
Spring Security provides built-in expressions and objects to check and validate roles. The Spring Expression Language (SpEL) is a very powerful tool when working with Spring Security. The SecurityExpressionRoot and WebSecurityExpressionRoot classes provide the built-in expressions and objects that can be used in the Spring Security XML file, in the service layer and in the controllers of the application. Before using the built-in expressions and objects, we need to do some configuration in our Spring Security XML.
To use expressions in the http namespace, configure use-expressions="true" as below; to use them in the @PreFilter, @PostFilter, @PreAuthorize and @PostAuthorize annotations, enable pre/post annotations in global-method-security.

```xml
<http use-expressions="true">
<global-method-security pre-post-annotations="enabled"/>
```
authentication in Spring Security
The authentication object allows direct access to the current Authentication object and can be used in the service layer with @PreFilter, @PostFilter, @PreAuthorize and @PostAuthorize.

```java
@PostFilter("filterObject.owner == authentication.name") public List<Book> getBooks();
```
filterObject in Spring Security
filterObject is a built-in object used with @PreFilter and @PostFilter in Spring Security. The filterObject is normally a collection or an array. On the basis of role, values can be filtered. To read more about @PreFilter and @PostFilter, find the link.

```java
@PreFilter("filterObject.owner == authentication.name") public void addBook(List<Book> books);
```
returnObject in Spring Security
The returnObject is a built-in object used with @PostAuthorize in Spring Security. The returnObject is used in the service layer: after execution, when a method returns an object, that object is treated as the returnObject for security validation. To read more about @PreAuthorize or @PostAuthorize, find the link.

```java
@PostAuthorize("returnObject.owner == authentication.name") public Book getBook();
```
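As an added example that is not code from the original post, the following service puts authentication, filterObject and returnObject together so the effect of each annotation can be seen side by side. Book and BookService are hypothetical types, and the class assumes pre/post annotations are enabled as in the global-method-security element above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

// Hypothetical domain type; the "owner" property is what the SpEL expressions read.
class Book {
    private final String title;
    private final String owner;
    Book(String title, String owner) { this.title = title; this.owner = owner; }
    public String getTitle() { return title; }
    public String getOwner() { return owner; }
}

// Hypothetical service; requires <global-method-security pre-post-annotations="enabled"/>.
@Service
public class BookService {
    private final Map<String, Book> books = new ConcurrentHashMap<>();

    // filterObject is each element of the "newBooks" argument; elements whose owner is not
    // the caller (authentication.name) are removed from the list before the body runs.
    // The list must be mutable, because Spring removes the rejected elements in place.
    @PreFilter("filterObject.owner == authentication.name")
    public void addBooks(List<Book> newBooks) {
        newBooks.forEach(b -> books.put(b.getTitle(), b));
    }

    // filterObject is each element of the returned list; the caller sees only own books.
    // A mutable list is returned for the same reason as above.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Book> getBooks() {
        return new ArrayList<>(books.values());
    }

    // returnObject is the Book the body returned. The body runs first; if the expression is
    // false, Spring throws AccessDeniedException and the caller never receives the object.
    // hasRole('ROLE_ADMIN') lets administrators read any book regardless of owner.
    @PostAuthorize("hasRole('ROLE_ADMIN') or returnObject.owner == authentication.name")
    public Book getBook(String title) {
        return books.get(title);
    }
}
```

Note that @PostAuthorize runs after the body, so any side effects of getBook() happen even when access is denied; use @PreAuthorize with method arguments (for example #title) when the check can be made before execution.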
hasRole() in Spring Security
The hasRole() expression checks for the role passed as its argument and returns true or false. It checks for the role in the current principal.

```xml
<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasRole('ROLE_READ')" /> </http>
```
hasAnyRole() in Spring Security
We pass more than one role, and hasAnyRole() checks for any of them in the current principal and returns true or false.

```xml
<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasAnyRole('ROLE_READ','ROLE_WRITE')" /> </http>
```
hasIpAddress() in Spring Security
We need to pass an IP address (or a CIDR range, as below), and hasIpAddress() checks the current principal for its existence.

```xml
<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasIpAddress('190.108.1.0/24')" /> </http>
```
hasPermission() in Spring Security
The hasPermission() expression checks the permission to execute the method. It returns true or false. Method arguments are referenced with the # prefix, so the first argument must name a parameter of the annotated method.

```java
@PreAuthorize("hasPermission(#contact, 'ROLE_READ')") public void deletePermission(Contact contact, Sid recipient, Permission permission);
```
denyAll in Spring Security
The denyAll expression denies every role access to that particular URL pattern or service method and returns false for everyone.
permitAll in Spring Security
The permitAll expression permits every role to access that particular URL pattern or service method and returns true for everyone.
principal in Spring Security
The principal object allows direct access to the current principal. We fetch the user name and user details from the principal object.
isAnonymous() in Spring Security
The isAnonymous() expression checks for an anonymous user using the current principal. An anonymous user is a user who has no user id and password and can access the URL pattern anonymously.
isRememberMe() in Spring Security
The isRememberMe() expression checks for remember-me in the current principal. Users who logged in with the remember-me checkbox ticked get true from this expression. Find the link to read more about the remember-me option.
isAuthenticated() in Spring Security
The isAuthenticated() expression always returns true for an authenticated user, except an anonymous user.
isFullyAuthenticated() in Spring Security
The isFullyAuthenticated() expression returns true if the user is remember-me or not anonymous. It checks both isRememberMe() and isAuthenticated().