2
votes

I'm trying to make use of Spring Security's annotations like @PreAuthorize and @Secured, but I'm looking to evaluate a user not on a role but on whether they have permissions to a particular entity, in this case a firm. In my controller I receive an HTTP request containing a firmId as a parameter, and I want to make sure this user is permissioned to this firm. Is this possible using the current Spring Security annotations? I'm looking for an elegant solution; I've been looking at custom constraint validators as part of the JSR-303 specification. Method header below.

public ModelAndView getSessionsJson(HttpServletRequest request,
  HttpServletResponse response) throws ServletRequestBindingException {}

1 Answer

2
votes

I think you can do something like this:

@Controller
public class SessionController {

    // The secured method must live on a *different* Spring bean: @PreAuthorize is
    // enforced by the AOP proxy, so a call to a method on the same class (this.doSomeBusinessLogic)
    // would bypass the check entirely.
    @Autowired
    private FirmService firmService;

    public ModelAndView getSessionsJson(HttpServletRequest request, HttpServletResponse response) throws ServletRequestBindingException {
        Integer firmId = ServletRequestUtils.getRequiredIntParameter(request, "firmId");
        Firm firm = getFirmById(firmId);
        firmService.doSomeBusinessLogic(firm);
        .....
    }
}

@Service
public class FirmService {
    // 'administration' resolves to BasePermission.ADMINISTRATION with the default permission factory;
    // the ACL PermissionEvaluator looks up the ACL entries of this Firm for the current principal.
    @PreAuthorize("hasPermission(#firm, 'administration')")
    public void doSomeBusinessLogic(Firm firm) {
         ....
    }
}

....

using pre and post annotations in conjunction with the ACL module. Of course, before that you need to set up the ACL DB schema and prepare ACL permissions for each firm object.
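The answer stops at "set up the ACL schema and prepare permissions". The following is an added example (not code from the original question or answer) of the two pieces that are missing for hasPermission(#firm, ...) to actually consult the ACL module: the method-security configuration that plugs an AclPermissionEvaluator into the expression handler, and a small admin service that grants one user ADMINISTRATION on one Firm. It assumes a Firm class with a numeric id, a DataSource bean pointing at a database that already contains the standard ACL tables (acl_sid, acl_class, acl_object_identity, acl_entry), and Spring Security 4.x/5.x class names; the ROLE_ACL_ADMIN authority and the FirmPermissionAdmin class are names chosen for this example.

```java
// Added example, not part of the original post. Assumes a Firm class, a DataSource bean backed
// by the standard Spring Security ACL tables, and Spring Security 4.x/5.x.
import java.io.Serializable;

import javax.sql.DataSource;

import org.springframework.cache.concurrent.ConcurrentMapCache;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ConsoleAuditLogger;
import org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.domain.SpringCacheBasedAclCache;
import org.springframework.security.acls.jdbc.BasicLookupStrategy;
import org.springframework.security.acls.jdbc.JdbcMutableAclService;
import org.springframework.security.acls.jdbc.LookupStrategy;
import org.springframework.security.acls.model.AclCache;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)   // turns on @PreAuthorize/@PostAuthorize
public class AclMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    private final DataSource dataSource;

    public AclMethodSecurityConfig(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Who may modify ACLs themselves (ownership, auditing, general changes). Hypothetical role name.
    private AclAuthorizationStrategyImpl aclAuthorizationStrategy() {
        return new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_ACL_ADMIN"));
    }

    private DefaultPermissionGrantingStrategy permissionGrantingStrategy() {
        return new DefaultPermissionGrantingStrategy(new ConsoleAuditLogger());
    }

    @Bean
    public AclCache aclCache() {
        return new SpringCacheBasedAclCache(new ConcurrentMapCache("aclCache"),
                permissionGrantingStrategy(), aclAuthorizationStrategy());
    }

    @Bean
    public LookupStrategy lookupStrategy() {
        return new BasicLookupStrategy(dataSource, aclCache(), aclAuthorizationStrategy(), permissionGrantingStrategy());
    }

    @Bean
    public MutableAclService aclService() {
        return new JdbcMutableAclService(dataSource, lookupStrategy(), aclCache());
    }

    // This override is what makes hasPermission(#firm, 'administration') hit the ACL tables
    // instead of the default DenyAllPermissionEvaluator, which rejects every hasPermission() call.
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new AclPermissionEvaluator(aclService()));
        return handler;
    }
}

@Service
class FirmPermissionAdmin {

    private final MutableAclService aclService;

    FirmPermissionAdmin(MutableAclService aclService) {
        this.aclService = aclService;
    }

    // Grants ADMINISTRATION on one Firm to one user. Must run inside a transaction and as a
    // principal that passes AclAuthorizationStrategy (the ACL owner or a ROLE_ACL_ADMIN holder).
    @Transactional
    public void grantFirmAdmin(Serializable firmId, String username) {
        ObjectIdentity oid = new ObjectIdentityImpl(Firm.class, firmId);
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException notYetCreated) {
            acl = aclService.createAcl(oid);   // owner becomes the current principal
        }
        acl.insertAce(acl.getEntries().size(), BasePermission.ADMINISTRATION, new PrincipalSid(username), true);
        aclService.updateAcl(acl);
    }
}
```

Two checks worth making once this is wired up. First, hasPermission() with a String permission is resolved by the default DefaultPermissionFactory against the BasePermission field names (READ, WRITE, CREATE, DELETE, ADMINISTRATION), so the SpEL literal has to be 'administration' (case-insensitive), not an alias such as 'admin', unless you register a custom PermissionFactory. Second, the `#firm` reference only works if the parameter name survives compilation (javac with `-parameters` or debug info), and the annotated method must be invoked through the Spring proxy from another bean; a self-invocation inside the controller is never intercepted and silently skips the check.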