Built-In Expressions and Objects in Spring Security
November 28, 2019

Spring Security provides built-in expressions and objects for checking and validating roles. The Spring Expression Language (SpEL) is a powerful tool when working with Spring Security. The WebSecurityExpressionRoot provides different built-in expressions and objects that can be used in the Spring Security XML file, in the service layer and in the controllers of the application. Before using built-in expressions and objects, we need to do some configuration in our Spring Security XML. To use expressions in the http namespace, configure use-expressions="true" on the http element, as shown in the examples below.
authentication in Spring Security

It allows access to the current Authentication object directly and can be used in the service layer, for example with:

@PostFilter("filterObject.owner == authentication.name") public List<Book> getBooks();
filterObject in Spring Security

filterObject is a built-in object used with @PreFilter and @PostFilter in Spring Security. The filterObject is normally a collection or an array, and its elements can be filtered on the basis of role or ownership. To read more about @PostFilter, find the link.

@PreFilter("filterObject.owner == authentication.name") public void addBook(List<Book> books);
returnObject in Spring Security

The returnObject is a built-in object used with @PostAuthorize in Spring Security. The returnObject is used in the service layer: after execution, the object a method returns is treated as the returnObject for security validation. To read more about @PostAuthorize, find the link.

@PostAuthorize("returnObject.owner == authentication.name") public Book getBook();
hasRole() in Spring Security

hasRole() checks for the role passed as its argument and returns true or false. It checks for the role in the current principal.

<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasRole('ROLE_READ')" /> </http>
hasAnyRole() in Spring Security

We pass more than one role, and hasAnyRole() checks for any of them in the current principal and returns true or false.

<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasAnyRole('ROLE_READ','ROLE_WRITE')" /> </http>
hasIpAddress() in Spring Security

We pass an IP address or a CIDR range, and hasIpAddress() checks whether the remote address of the current request matches it.

<http auto-config="true" use-expressions="true"> <intercept-url pattern="/login" access="hasIpAddress('18.104.22.168/24')" /> </http>
hasPermission() in Spring Security

hasPermission() checks the permission to execute the method on the given domain object. It returns true or false. (The expression must reference a parameter of the annotated method; the fixed example below uses #contact.)

@PreAuthorize("hasPermission(#contact, 'ROLE_READ')") public void deletePermission(Contact contact, Sid recipient, Permission permission);
denyAll in Spring Security

denyAll denies access to that particular URL pattern or service method for every role; it returns false for everyone.
permitAll in Spring Security

permitAll allows access to that particular URL pattern or service method for every role; it returns true for everyone.
principal in Spring Security

principal allows access to the current principal object directly. We fetch the user name and user details from it.
isAnonymous() in Spring Security

isAnonymous() checks for an anonymous user using the current principal. An anonymous user is one who has no user id and password and accesses the URL pattern anonymously.
isRememberMe() in Spring Security

isRememberMe() checks for remember-me in the current principal. Users who logged in by ticking the remember-me checkbox get true from this expression. Find the link to read more about the remember-me option.
isAuthenticated() in Spring Security

isAuthenticated() returns true for every authenticated user, including remember-me users, but not for an anonymous user.
isFullyAuthenticated() in Spring Security

isFullyAuthenticated() returns true only if the user is neither a remember-me user nor anonymous; it checks both conditions, so it is the expression to use in front of sensitive operations where a fresh login should be required.
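The following service pulls the built-in objects above together in one place. It is an added example, not code from the original post; the Book, BookRepository and MethodSecurityConfig classes are assumed, and the expressions target Spring Security 5.x method security.

```java
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Hypothetical config: without prePostEnabled the annotations below are silently ignored.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {}

// Hypothetical domain object; "owner" holds the username of the owning account.
class Book {
    private final String title;
    private final String owner;
    Book(String title, String owner) { this.title = title; this.owner = owner; }
    public String getTitle() { return title; }
    public String getOwner() { return owner; }
}

// Hypothetical repository; any persistence layer would do.
interface BookRepository {
    List<Book> findAll();
    Book findById(long id);
    void saveAll(List<Book> books);
    void delete(Book book);
}

class BookService {
    private final BookRepository repo;
    BookService(BookRepository repo) { this.repo = repo; }

    // Any authenticated caller may invoke; the returned list is trimmed to rows the caller owns.
    @PreAuthorize("isAuthenticated()")
    @PostFilter("filterObject.owner == authentication.name")
    public List<Book> getBooks() { return repo.findAll(); }

    // returnObject: access is denied after the lookup unless the caller owns the book or is an admin.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Book getBook(long id) { return repo.findById(id); }

    // filterObject on input: books the caller tries to create for other owners are dropped, not rejected.
    // principal.username resolves only when the principal is a UserDetails (assumed here).
    @PreFilter("filterObject.owner == principal.username")
    public void addBooks(List<Book> books) { repo.saveAll(books); }

    // Destructive action: a remember-me session is not enough, a fresh login plus a privileged role is required.
    @PreAuthorize("isFullyAuthenticated() and hasAnyRole('ADMIN','LIBRARIAN')")
    public void deleteBook(Book book) { repo.delete(book); }
}
```

Note that @PreFilter removes non-matching elements silently, so a caller never learns that part of the input was discarded; log or validate the input size beforehand if that matters for auditing.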