Spring Security
  1. Spring Security
  2. SEC-1640

provide access to current calling object in @Preauthorize and PermissionEvaluator

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.1.0.RC2
    • Component/s: ACLs
    • Labels:
      None

      Description

      This would create an easy way to wire up basic object level permissions for Spring Roo (or other DD) projects, which use void no-arg methods for many methods that should be secured. E.g., take an entity "Contact", I'd like to be able to do this:

      @PreAuthorize("hasPermission(this, 'write')");
      public void persist(){
      ..
      }
      

      Or even:

      @PreAuthorize("this.owner.name== authentication.name");
      public void persist(){
      ..
      }
      

      In the examples above, "this" would refer to the instance of the object that contains the annotated method (in this case, an instance of Contact).

      Can this be supported?

        Activity

        Hide
        Mike J added a comment -

        Hi, can you give me a pointer to the source to explore to investigate this issue on my own? Specifically, I guess I want to find the class that calls the expression handler?

        Any thoughts on this in regards to whether this would be reasonable (or problematic)?

        Thanks.

        Show
        Mike J added a comment - Hi, can you give me a pointer to the source to explore to investigate this issue on my own? Specifically, I guess I want to find the class that calls the expression handler? Any thoughts on this in regards to whether this would be reasonable (or problematic)? Thanks.
        Hide
        Luke Taylor added a comment -

        I've added a "this" property to the expression root object. Please give it a try with the latest snapshot build.

        Show
        Luke Taylor added a comment - I've added a "this" property to the expression root object. Please give it a try with the latest snapshot build.
        Hide
        Mike J added a comment -

        Works brilliantly! Thanks.

        Show
        Mike J added a comment - Works brilliantly! Thanks.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Mike J
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: