Built-In Expressions and Objects in Spring Security

By Arvind Rai, November 28, 2019
Spring Security provides built-in expressions and objects to check and validate roles. Spring Expression Language (SpEL) is a powerful tool when working with Spring Security. SecurityExpressionRoot and WebSecurityExpressionRoot provide built-in expressions and objects that can be used in the Spring Security XML file, in the service layer and in the controllers of the application. Before using built-in expressions and objects, we need to do some configuration in our Spring Security XML. To use expressions in the http namespace, configure use-expressions="true" as below.
<http use-expressions="true"> 
For the service layer and controllers, enable pre-post-annotations="enabled" in the global-method-security namespace as below.
<global-method-security pre-post-annotations="enabled"/> 
Now we will discuss some of the built-in expressions and objects on this page.

authentication in Spring Security

authentication gives direct access to the current Authentication object and can be used in the service layer with @PreFilter, @PostFilter, @PreAuthorize and @PostAuthorize.
@PostFilter ("filterObject.owner == authentication.name")
public List<Book> getBooks(); 

filterObject in Spring Security

filterObject is a built-in object used with @PreFilter and @PostFilter in Spring Security. The filter target is normally a collection or an array, and filterObject refers to each of its elements in turn; elements can be filtered out on the basis of role. To read more about @PreFilter and @PostFilter, find the link.
@PreFilter("filterObject.owner == authentication.name")
public void addBook(List<Book> books);  

returnObject in Spring Security

returnObject is a built-in object used with @PostAuthorize in Spring Security. It is used in the service layer: after the method executes, the object it returns is available as returnObject for the security check. To read more about @PreAuthorize and @PostAuthorize, find the link.
@PostAuthorize ("returnObject.owner == authentication.name")
public Book getBook(); 
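The three built-ins above are easiest to compare side by side. The following service is an added example written for this page, not code from the original article or from Spring Security itself; Book and BookRepository are hypothetical types defined at the bottom so the SpEL property paths resolve.

```java
// Added example (not from the original page): one service that uses the
// authentication, filterObject and returnObject built-ins. Book and
// BookRepository are hypothetical types written for this example.
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class BookService {

    private final BookRepository repository; // hypothetical data-access bean

    public BookService(BookRepository repository) {
        this.repository = repository;
    }

    // filterObject is each Book in the argument list; books whose owner is not the
    // caller (authentication.name) are removed from the list before the body runs.
    // The list is modified in place, so callers must pass a mutable List.
    @PreFilter("filterObject.owner == authentication.name")
    public void addBooks(List<Book> books) {
        books.forEach(repository::save);
    }

    // filterObject is each Book in the returned collection. Admins keep everything,
    // every other caller keeps only the books they own.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    public List<Book> getBooks() {
        return new ArrayList<>(repository.findAll()); // copy: the filter mutates the list
    }

    // returnObject is the Book the body returned. The check runs after the body, so
    // the lookup has already happened; on a mismatch an AccessDeniedException is
    // thrown and the caller never receives the object.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Book getBook(long id) {
        return repository.findById(id);
    }
}

// Hypothetical domain type; the SpEL path filterObject.owner resolves to getOwner().
class Book {
    private final long id;
    private final String owner;

    Book(long id, String owner) {
        this.id = id;
        this.owner = owner;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }
}

// Hypothetical repository interface used by the service.
interface BookRepository {
    void save(Book book);
    List<Book> findAll();
    Book findById(long id);
}
```

Two points worth keeping in mind: both filters mutate the collection they are given, so an immutable list (for example List.of(...)) makes the filter fail at runtime, and @PostAuthorize only hides the result from the caller, any side effect of the method body has already happened by the time the expression is evaluated.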

hasRole() in Spring Security

hasRole() checks whether the current principal has the role passed as its argument and returns true or false.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="hasRole('ROLE_READ')" />
</http>

hasAnyRole() in Spring Security

We pass more than one role, and hasAnyRole() returns true if the current principal has any of them, otherwise false.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="hasAnyRole('ROLE_READ','ROLE_WRITE')" />
</http>

hasIpAddress() in Spring Security

We pass an IP address or a CIDR range, and hasIpAddress() returns true if the remote address of the current request falls within it.
<http auto-config="true" use-expressions="true">
    <!-- example range: only clients whose remote address is in 192.168.1.0/24 -->
    <intercept-url pattern="/login" access="hasIpAddress('192.168.1.0/24')" />
</http>

hasPermission() in Spring Security

hasPermission() checks whether the caller has the given permission on a domain object before the method executes. It returns true or false.
@PreAuthorize("hasPermission(#contact, 'admin')")   // #contact is the method parameter below
public void deletePermission(Contact contact, Sid recipient, Permission permission); 
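hasPermission() does nothing useful on its own: the decision is delegated to a PermissionEvaluator, and the default one denies every call. The following is an added example written for this page, not code from the original article or from Spring Security, showing an ownership-based evaluator, its registration, and the service that uses it. Contact, Sid and Permission are hypothetical stand-ins declared at the bottom (the real Sid and Permission interfaces live in the spring-security-acl module).

```java
// Added example (not from the original page): a PermissionEvaluator behind
// hasPermission(), its registration, and the service methods that use it.
// Contact, Sid and Permission are hypothetical types for this example.
import java.io.Serializable;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

public class OwnerPermissionEvaluator implements PermissionEvaluator {

    // Called for hasPermission(#domainObject, 'permission').
    @Override
    public boolean hasPermission(Authentication authentication, Object target, Object permission) {
        if (authentication == null || !(target instanceof Contact)) {
            return false;                       // unknown target type: deny
        }
        Contact contact = (Contact) target;
        boolean owner = contact.getOwner().equals(authentication.getName());
        boolean admin = authentication.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));

        switch (String.valueOf(permission).toLowerCase()) {
            case "read":  return owner || admin;
            case "admin": return admin;
            default:      return false;         // unrecognised permission name: deny
        }
    }

    // Called for hasPermission(#id, 'fully.qualified.Type', 'permission'); unused here.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        return false;
    }
}

// Without this registration the default evaluator denies every hasPermission() call.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new OwnerPermissionEvaluator());
        return handler;
    }
}

class ContactService {
    // #contact refers to the method parameter of that name; the evaluator decides.
    @PreAuthorize("hasPermission(#contact, 'admin')")
    public void deletePermission(Contact contact, Sid recipient, Permission permission) {
        // ... remove the entry ...
    }

    @PreAuthorize("hasPermission(#contact, 'read')")
    public Contact getContact(Contact contact) {
        return contact;
    }
}

// Hypothetical types so the example compiles on its own.
class Contact {
    private final String owner;
    Contact(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
}
class Sid {}
class Permission {}
```

In XML the same registration is done with an <expression-handler ref="..."/> element inside <global-method-security>. Two checks to make when wiring this up: resolving #contact by parameter name requires the classes to be compiled with parameter names available (the -parameters flag or debug information), otherwise the expression evaluates against null and denies; and the evaluator should deny for any permission name or target type it does not explicitly recognise, as the default branches above do.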

denyAll in Spring Security

denyAll denies every role access to that URL pattern or service method; it returns false for everyone.

permitAll in Spring Security

permitAll lets every role access that URL pattern or service method; it returns true for everyone.

principal in Spring Security

principal gives direct access to the current principal object. We can fetch the user name and other user details from the principal object.

isAnonymous() in Spring Security

isAnonymous() checks whether the current principal is the anonymous user. An anonymous user is one who has not logged in with a user id and password and is accessing the URL pattern anonymously.

isRememberMe() in Spring Security

isRememberMe() checks whether the current principal was authenticated through remember-me. Users who logged in with the remember-me checkbox ticked get true from this expression. Find the link to read more about the remember-me option.

isAuthenticated() in Spring Security

isAuthenticated() returns true for every authenticated user; only the anonymous user gets false.

isFullyAuthenticated() in Spring Security

isFullyAuthenticated() returns true only if the user is neither a remember-me user nor anonymous. It combines the isRememberMe() and isAuthenticated() checks, which is what makes it the right expression for sensitive operations such as changing a password.
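The URL-level expressions from the hasRole(), hasAnyRole() and hasIpAddress() sections above and the principal-state expressions just described are usually combined in one configuration. The following Java configuration is an added example for this page, not code from the original article or from Spring Security; it is the Java-config equivalent of the article's XML intercept-url rules, using the adapter style of Spring Security 5.x. The paths, roles and the 10.0.0.0/8 range are made up for the example.

```java
// Added example (not from the original page): Java-config equivalent of the
// XML intercept-url rules, showing the URL-level expressions together.
// Paths, roles and the 10.0.0.0/8 range are made up for this example.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll: anonymous users included
                .antMatchers("/", "/login", "/css/**").permitAll()
                // hasRole: a single role; Spring adds the ROLE_ prefix if it is missing
                .antMatchers("/books/**").access("hasRole('ROLE_READ')")
                // hasAnyRole: any one of the listed roles is enough
                .antMatchers("/reports/**").access("hasAnyRole('ROLE_READ','ROLE_WRITE')")
                // hasIpAddress: compares the request's remote address with the range;
                // combined with a role so a matching address alone is never sufficient
                .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN') and hasIpAddress('10.0.0.0/8')")
                // isFullyAuthenticated: remember-me sessions must log in again here
                .antMatchers("/account/**").access("isFullyAuthenticated()")
                // denyAll: nobody, regardless of role
                .antMatchers("/internal/**").denyAll()
                // isAuthenticated: everything else needs a login (remember-me counts)
                .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .rememberMe();
    }
}

// The same expressions work on service methods once pre-post annotations are enabled.
class AccountService {

    // Reachable only from a session that presented credentials this time,
    // not from a remember-me cookie.
    @PreAuthorize("isFullyAuthenticated()")
    public void changePassword(String newPassword) {
        // ... update the stored credential ...
    }

    // principal is the UserDetails of the logged-in user; the isAuthenticated()
    // guard comes first because for the anonymous user principal is a plain String
    // and principal.username would not resolve.
    @PreAuthorize("isAuthenticated() and principal.username == #username")
    public String profile(String username) {
        return "profile of " + username;
    }
}
```

Rules are matched in declaration order, so the specific patterns come before anyRequest(). Note also that hasIpAddress() sees the address the servlet container reports; when the application sits behind a reverse proxy that address is the proxy's unless forwarded-header handling is configured, in which case the rule would either block everyone or admit everyone behind the proxy.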
