
Built-In Expressions and Objects in Spring Security

By Arvind Rai, December 28, 2013
Spring Security provides built-in expressions and objects for checking roles and other properties of the current user. The Spring Expression Language (SpEL) is a powerful tool when working with Spring Security. SecurityExpressionRoot (the expressions common to method and web security) and WebSecurityExpressionRoot (the web-request expressions such as hasIpAddress()) provide the built-in expressions and objects that can be used in the Spring Security XML configuration, in the service layer and in controllers. Before using them, some configuration is needed in the Spring Security XML. To use expressions in the http namespace, set use-expressions="true" as below.
<http use-expressions="true">
For the service layer and controllers, enable pre-post-annotations="enabled" in the global-method-security namespace as below. Method security is applied by a Spring AOP proxy, so the global-method-security element must be declared in the same application context as the annotated beans (for controllers, the DispatcherServlet context), otherwise the annotations are silently ignored.
<global-method-security pre-post-annotations="enabled"/>
Now we will discuss the built-in expressions and objects one by one.

authentication in Spring Security

It gives direct access to the current Authentication object (the one held in the SecurityContext) and can be used in the service layer with @PreFilter, @PostFilter, @PreAuthorize or @PostAuthorize. authentication.name is the username of the logged-in user.
@PostFilter ("filterObject.owner == authentication.name")
public List<Book> getBooks(); 

filterObject in Spring Security

filterObject is a built-in object used with @PreFilter and @PostFilter. It refers to the current element of the collection or array being filtered: with @PreFilter the collection passed as method argument is filtered before the method runs, with @PostFilter the returned collection is filtered after the method has run. Elements for which the expression is false are removed from the collection in place, so the collection must be mutable. In the example below, every Book whose owner is not the current user is removed from the list before addBook() executes.
@PreFilter("filterObject.owner == authentication.name")
public void addBook(List<Book> books);  

returnObject in Spring Security

returnObject is a built-in object used with @PostAuthorize. It is used in the service layer: after the method has executed, the object it returned is exposed as returnObject for the security check. If the expression evaluates to false, an AccessDeniedException is thrown and the caller never receives the object. Note that the method body has already run at that point, so @PostAuthorize is not a good fit for methods with side effects.
@PostAuthorize ("returnObject.owner == authentication.name")
public Book getBook(); 
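The following added example (not code from the original article) shows the three objects above working together on one service. It assumes a hypothetical Book class with an owner property holding the owner's username, and a hypothetical InMemoryBookService; the annotations sit on the interface, which Spring's method security reads from the proxied bean.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.NoSuchElementException;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

// Hypothetical domain object. The 'owner' property is what
// filterObject.owner and returnObject.owner read in the expressions below.
class Book {
    private final String title;
    private final String owner; // username of the user who owns the book

    Book(String title, String owner) {
        this.title = title;
        this.owner = owner;
    }

    public String getTitle() { return title; }
    public String getOwner() { return owner; }
}

// Annotations are placed on the interface; Spring's method security
// reads them from the interface implemented by the proxied bean.
interface BookService {

    // filterObject is each Book in the returned list; books not owned by
    // the caller are removed before the list reaches the caller.
    @PostFilter("filterObject.owner == authentication.name")
    List<Book> getBooks();

    // filterObject is each Book in the argument list; the implementation
    // only ever sees the books the caller owns. With a single collection
    // argument no filterTarget attribute is needed.
    @PreFilter("filterObject.owner == authentication.name")
    void addBooks(List<Book> books);

    // returnObject is the Book returned by the implementation. If the check
    // fails, an AccessDeniedException is thrown instead of returning it.
    @PostAuthorize("returnObject.owner == authentication.name")
    Book getBook(String title);
}

@Service
public class InMemoryBookService implements BookService {

    private final List<Book> store = new ArrayList<>();

    @Override
    public List<Book> getBooks() {
        // Return a mutable copy: @PostFilter removes elements in place, so an
        // unmodifiable list would fail with UnsupportedOperationException.
        return new ArrayList<>(store);
    }

    @Override
    public void addBooks(List<Book> books) {
        // Already filtered by @PreFilter when called through the Spring proxy.
        store.addAll(books);
    }

    @Override
    public Book getBook(String title) {
        for (Book book : store) {
            if (book.getTitle().equals(title)) {
                return book;
            }
        }
        // Never return null here: evaluating returnObject.owner on a null
        // returnObject makes the expression evaluation itself fail.
        throw new NoSuchElementException("no book titled " + title);
    }
}
```

Two caveats worth remembering: the checks are applied by the proxy, so a call from one method of the bean to another (this.getBooks() inside addBooks()) bypasses them; and if a @PostAuthorize method may legitimately return null, use the SpEL safe-navigation operator (returnObject?.owner) so the expression evaluates to false instead of throwing.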

hasRole() in Spring Security

It returns true if the current principal holds the role passed as argument, otherwise false. In the Spring Security 3.x releases this page was written for, the argument must be the complete authority name including the ROLE_ prefix, as below; Spring Security 4 and later prepend ROLE_ automatically when it is missing. The pattern /login is used here only to illustrate the syntax; in a real configuration the login page itself would be permitAll, otherwise nobody could ever obtain the role.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="hasRole('ROLE_READ')" />
</http>

hasAnyRole() in Spring Security

We pass more than one role, separated by commas, and it returns true if the current principal holds any one of them, otherwise false.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="hasAnyRole('ROLE_READ','ROLE_WRITE')" />
</http>

hasIpAddress() in Spring Security

It takes a single IP address or a CIDR range such as '192.168.1.0/24' and returns true if the remote address of the current HTTP request matches. It is a web expression (defined in WebSecurityExpressionRoot), so it is available in intercept-url rules but not in method security annotations. The address checked is the one reported by the servlet container (request.getRemoteAddr()), so behind a reverse proxy or load balancer it is the proxy's address unless the container is configured to honour the X-Forwarded-For header from that proxy.
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login" access="hasIpAddress('192.168.1.0/24')" />
</http>

hasPermission() in Spring Security

hasPermission(targetObject, permission) delegates to the PermissionEvaluator configured on the expression handler and returns true or false. The first argument is the domain object, referenced by method parameter name with the # prefix; the second is the permission as understood by the evaluator (for the Spring Security ACL module names such as 'read', 'write' and 'admin'), not a role name. There is also a three-argument form, hasPermission(targetId, targetType, permission). By default no evaluator is registered (a DenyAllPermissionEvaluator is used), so hasPermission() always returns false until one is configured.
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission); 
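The evaluator behind hasPermission() is application code. The following added example (not part of the original article or of Spring Security itself) is a minimal PermissionEvaluator that grants 'read', 'write' and 'admin' on a hypothetical Contact object to its owner or to ROLE_ADMIN and denies everything else, including unknown permission names and unknown target types.

```java
import java.io.Serializable;
import java.util.Locale;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

// Hypothetical domain object used as the hasPermission() target.
class Contact {
    private final String name;
    private final String owner; // username of the owning user

    Contact(String name, String owner) {
        this.name = name;
        this.owner = owner;
    }

    public String getName() { return name; }
    public String getOwner() { return owner; }
}

// Resolves hasPermission(#contact, 'read' | 'write' | 'admin') without the
// ACL module: the owner and ROLE_ADMIN are allowed, everyone else is denied.
public class OwnerPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication authentication,
                                 Object targetDomainObject, Object permission) {
        if (authentication == null || targetDomainObject == null
                || !(permission instanceof String)) {
            return false; // deny by default on null or unexpected arguments
        }
        if (hasAuthority(authentication, "ROLE_ADMIN")) {
            return true;
        }
        if (targetDomainObject instanceof Contact) {
            Contact contact = (Contact) targetDomainObject;
            boolean owner = authentication.getName().equals(contact.getOwner());
            switch (((String) permission).toLowerCase(Locale.ROOT)) {
                case "read":
                case "write":
                case "admin":
                    return owner;
                default:
                    return false; // unknown permission name is never granted
            }
        }
        return false; // unknown target type is never granted
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // Three-argument form hasPermission(#id, 'Contact', 'read'). A real
        // implementation would load the object by id here; this example denies.
        return false;
    }

    private static boolean hasAuthority(Authentication authentication, String authority) {
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

To wire it in, define the evaluator as a bean, set it as the permissionEvaluator property of a DefaultMethodSecurityExpressionHandler bean, and reference that handler from an <expression-handler ref="..."/> child of <global-method-security pre-post-annotations="enabled">. Keeping the fall-through cases as false is deliberate: a typo in a permission name in an annotation then fails closed rather than open.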

denyAll in Spring Security

It denies access to the URL pattern or service method for everyone, always evaluating to false. It is useful as a catch-all last intercept-url rule or for switching off an endpoint without removing its code.

permitAll in Spring Security

It permits access to the URL pattern or service method for everyone, including anonymous users, always evaluating to true. Because intercept-url rules are matched in order, a permitAll pattern placed before a more restrictive pattern it overlaps with wins.

principal in Spring Security

It gives direct access to the current principal, normally the UserDetails object returned by the UserDetailsService (some authentication providers store only a String username). We can read the username and other user details from it, for example principal.username in an expression.

isAnonymous() in Spring Security

It returns true if the current user is anonymous, i.e. has not logged in. Spring Security's AnonymousAuthenticationFilter places an AnonymousAuthenticationToken carrying ROLE_ANONYMOUS in the security context for such requests, so "anonymous" does not mean the absence of an Authentication object; it means an Authentication of that token type. Anonymous users can reach only URL patterns that allow them, such as permitAll.

isRememberMe() in Spring Security

It returns true if the current user was authenticated through a remember-me cookie rather than by entering credentials in this session, i.e. the Authentication is a RememberMeAuthenticationToken. Users who ticked the remember-me checkbox when logging in are recognised this way on later visits.

isAuthenticated() in Spring Security

It returns true if the user is not anonymous. Both a user who entered a username and password and a user recognised through a remember-me cookie count as authenticated, regardless of role.

isFullyAuthenticated() in Spring Security

It returns true only if the user is neither anonymous nor authenticated via remember-me, i.e. the user presented credentials in the current session. It is the check to use for sensitive operations such as changing a password or viewing payment details, where a remembered session should not be enough.
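The four expressions above are all answered by Spring Security's AuthenticationTrustResolverImpl, which classifies an Authentication by its token type. The following added example (not code from the original article) evaluates the same logic SecurityExpressionRoot uses against three constructed tokens, one of each kind, so the difference between isAuthenticated() and isFullyAuthenticated() can be seen directly. The key string, usernames and roles are sample values.

```java
import java.util.Arrays;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AuthenticationStateDemo {

    // The same resolver SecurityExpressionRoot delegates to.
    private static final AuthenticationTrustResolver RESOLVER =
            new AuthenticationTrustResolverImpl();

    static boolean isAnonymous(Authentication a) {
        return RESOLVER.isAnonymous(a);
    }

    static boolean isRememberMe(Authentication a) {
        return RESOLVER.isRememberMe(a);
    }

    // isAuthenticated() is simply "not anonymous"; remember-me users pass.
    static boolean isAuthenticated(Authentication a) {
        return !RESOLVER.isAnonymous(a);
    }

    // isFullyAuthenticated() additionally rejects remember-me users.
    static boolean isFullyAuthenticated(Authentication a) {
        return !RESOLVER.isAnonymous(a) && !RESOLVER.isRememberMe(a);
    }

    public static void main(String[] args) {
        // Constructed tokens: what the anonymous filter, the remember-me filter
        // and a form login would respectively place in the SecurityContext.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "sample-key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication remembered = new RememberMeAuthenticationToken(
                "sample-key", "alice",
                AuthorityUtils.createAuthorityList("ROLE_READ"));
        Authentication formLogin = new UsernamePasswordAuthenticationToken(
                "alice", null,
                AuthorityUtils.createAuthorityList("ROLE_READ"));

        for (Authentication a : Arrays.asList(anonymous, remembered, formLogin)) {
            System.out.printf(
                    "%-35s anonymous=%-5b rememberMe=%-5b authenticated=%-5b fullyAuthenticated=%b%n",
                    a.getClass().getSimpleName(), isAnonymous(a), isRememberMe(a),
                    isAuthenticated(a), isFullyAuthenticated(a));
        }
    }
}
```

Running it with spring-security-core on the classpath prints one line per token: the anonymous token is authenticated=false; the remember-me token is authenticated=true but fullyAuthenticated=false; only the username/password token is true for both. The resolver decides by token class, so a custom AuthenticationProvider that returns its own token type counts as fully authenticated unless it extends RememberMeAuthenticationToken or AnonymousAuthenticationToken.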
