Posts

Showing posts from August, 2012

Writing your spring security expression language annotation - PART 3

In the last part of the tutorial, I will discuss how to override the behaviour of the default Spring Security method expressions. You may wonder why I would need to override the default behaviour of these methods. The reason is that, in a recent development project, we were reviewing the developers' code and wanted to maintain a standard coding practice. We found that the default method expressions are too flexible. In our case, under similar coding scenarios, some developers used hasRole() for security checking while others used hasPermission(). In order to keep the program maintainable, we thus had the idea of disallowing developers from using certain security method expressions. That's why we had the crazy idea of overriding the default behaviour of these methods. (This may not be a good idea :P. But anyway, we have implemented it :D) In this example, I simply show how to override the default behaviour of the hasRole() method. You cannot do this by overriding ...

Writing your spring security expression language annotation - PART 2

We are now going into the second part of the tutorial. In this post, I will show you how to add a new custom expression for the @PreAuthorize annotation. For example, I will show how to add an adminOnly() expression to the security expression root. Step 1: Define your custom security expression root class You first have to create a new security expression root class. This class should extend the abstract class org.springframework.security.access.expression.SecurityExpressionRoot. You can add your custom methods to it. This class is similar to org.springframework.security.access.expression.method.MethodSecurityExpressionRoot but with your new custom method added. As an example, I just add a very simple method adminOnly() which checks if the user has the admin role. public class MyMethodSecurityExpressionRoot extends SecurityExpressionRoot { private static Logger logger = LoggerFactory.getLogger(MyMethodSecurityExpressionRoot.class); private Object filterObject; priva...

Writing your spring security expression language annotation - PART 1

The Spring Security expression language is very useful. It helps you secure your service/web methods with one line of code. It supports @PreAuthorize and @Secured. In the coming three posts, I will talk about how to add custom behaviour to the @PreAuthorize annotation. Part 1 - Customize the "hasPermission()" expression Part 2 - Add a new custom method security expression Part 3 - Override the default behaviour of Spring Security expressions (e.g. hasRole(), permitAll() ...) In this post, I will discuss how to add a custom rule for permission checking in your application. This is somewhat similar to what is described in Sold Craft's post. You can refer to it for more details. Step 1: Add configuration to your Spring Security XML file. You should first add the DefaultMethodSecurityExpressionHandler. It will instantiate a default MethodSecurityExpressionRoot which provides you with all the default security expressions (e.g. isAuthenticated(), isAnonymous(), etc.). Besides, you ha...