Custom class principal in @PreAuthorize

Question

UPDATE (17.04.2012): So what I have as result.

root-context.xml:

<context:annotation-config/>
<context:component-scan base-package="com.grsnet.qvs.controller.web"/>  
<security:global-method-security pre-post-annotations="enabled" />
<bean id="permissionManager" class="com.grsnet.qvs.auth.PermissionManager"/>

PermissionManager.java

package com.grsnet.qvs.auth;

import com.grsnet.qvs.model.Benutzer;

public class PermissionManager {

public PermissionManager() {}

public boolean hasPermissionU01(Object principal, Integer permissionLevel) {
    return ((Benutzer)principal).getPermission().getU_01() >= permissionLevel;
}
}

Controller:

@PreAuthorize("@permissionManager.hasPermissionU01(principal, 1)")
@RequestMapping(value = "/u01", method = RequestMethod.GET)
public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
    setGridFilters(map);
    return "u01panel";      
}

I set break point in PermissionManager.hasPermissionU01. it seems my security annotation just ignored.

What is the reason? Where is my mistake?

Thanks.

END OF UPDATE

After hours of googling I have to ask here. I have

1. Spring MVC app
2. CustomUserDetailService

3. Custom UserDetails class

   public class Benutzer extends User implements UserDetails {
   ...
     private Permission permission = null;
   ...
   }
   

4. Permissions class, not very good realized, but I have to use it.

   public class Permission {
   ... 
     private Integer u_01 = 0;
   ...
   }
   

5. Controller

   @Controller 
   public class U01Controller {
   
       @RequestMapping(value = "/u01", method = RequestMethod.GET)
       public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {
   

My task is to secure the controller at whole and to secure a methods inside. I would like to write some like this:

@PreAuthorize("principal.permission.u_01>0")
public class U01Controller {

and

@RequestMapping(value = "/u01", method = RequestMethod.GET)
@PreAuthorize("principal.permission.u_01=2")
public String listU01(HttpServletRequest request, Map<String, Object> map) throws Exception {

It seems ACL uses UserDetails interface to gain access to a principal. Is it probably to make some type cast inside ACL?

@PreAuthorize("(com.grsnet.qvs.model.Benutzer)principal.permission.u_01=2")

Thanks in advance.

Answer 1

While I think you can probably do that (did you just try it?) it seems to me that the best approach would be to create another class that knows how to do permissions decisions. In particular, it could be done like this:

public class Decision {
    private Decision() {} // no instance, please

    // Type is probably a bit too wide...
    static boolean mayList(Object principal) {
        return ((com.grsnet.qvs.model.Benutzer)principal).permission.u_01 == 2;
    }

    // etc...
}

Then your @PreAuthorize can be written like this:

@PreAuthorize("Decision.mayList(principal)")

If the decision process was more complex, then you'd be getting into using a bean to do the decision making. Then, because this is Spring EL, you'd write (assuming you're delegating to to the decider bean):

@PreAuthorize("@decider.mayList(principal)")

(Of course, my little Decider class above definitely isn't a bean…)

Answer 2

prolem was solved with Donal's solution. My error was I placed

<security:global-method-security pre-post-annotations="enabled" />

in root-context.

Be careful with it and place it in servletContext.

Donal, thanks again.