In spring security 3,how to customize my @ PreAuthorize annotation?

Question

these days I meet a problem, I can not figure it out,so please help me...

My entity: Utilisateur this is a french word means user

    @Entity
    @Inheritance(strategy = InheritanceType.JOINED)
    public class Utilisateur implements Serializable 
    {
         private static final long serialVersionUID = 1L;
         @Id
         @GeneratedValue(strategy = GenerationType.IDENTITY)
         protected int id;
         protected String login;
         protected String password;
         protected String nom;
         protected String prenom;
         protected String email;
         protected String username;}

    @OneToOne(mappedBy="user", cascade={CascadeType.ALL})
    private Role role;

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getUsername() {
        return login;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getLogin() {
        return login;
    }

    public void setLogin(String login) {
        this.login = login;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getNom() {
        return nom;
    }

    public void setNom(String nom) {
        this.nom = nom;
    }

    public String getPrenom() {
        return prenom;
    }

    public void setPrenom(String prenom) {
        this.prenom = prenom;
    }

    public String getEmail() {
        return email;
    }

    public void setEmail(String email) {
        this.email = email;
    }



    public Role getRole() {
        return role;
    }

    public void setRole(Role role) {
        this.role = role;
    }
}

and a Role entity.

In my web app, there is a controller to show for example the information about a student(Etudiant in french)

@EJB(mappedName = "Etudiant.EtudiantFacade")
    EtudiantFacade etudiantF;

    // Affiche le detail d'un Etudiant  (show the infomations of the student)
    @RequestMapping(value = "/Etudiant/{idEtudiant}/info")
    public ModelAndView detail(@PathVariable String idEtudiant, Model m) {
        m.addAttribute("etudiant",
                etudiantF.trouver(Integer.parseInt(idEtudiant)));
        return new ModelAndView("EtudiantInformation", "null", null);
    }

I implemented my own CustomUseDetailService using the entity Utilisateur directly.

 @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // TODO Auto-generated method stub
        System.out.println("!!!!!!!!!!!!!!!!!");
        System.out.println(username);

        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;

            Utilisateur etudiant = etudiantF.trouverParLogin(username);


            return new User(etudiant.getLogin(), etudiant.getPassword(), enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,getAuthorities(etudiant.getRole().getRole()));

    }

and my security.xml is below:

<http auto-config="true" use-expressions="true">
        <intercept-url pattern="/app/Login" access="permitAll"/>
        <intercept-url pattern="/app/*" access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
        <form-login login-page="/app/Login" 
            authentication-success-handler-ref="authenticationSuccessHandler"/> 
        <logout logout-url="/app/Logout" logout-success-url="/"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailsService"/>
    </authentication-manager>

Last my question is: for a student, his id is 1, his username is stu1,to control this student with id 1 can only access his own page information /ProjetName/Student/{studentId}/Info how do I write the code with @PreAuthorize, I have see the document in form spring, there is example like @PreAuthorize(#contract.name = principal.username), because there is a attribute username in principal, but here,what I need is Id, I use @RequestMapping(value = "/Etudiant/{idEtudiant}/info") to match the student not the username. So how can I solve it? Many thanks... I can not find the tutorial.

score 1 · Accepted Answer · answered Jan 28 '13 at 10:35

1

You can provide your own implementation for User class (just extend org.springframework.security.core.userdetails.User). Add an identifier field to it. Then set corresponding value in loadUserByUsername method:

@Override
public UserDetails loadUserByUsername(String username)
    ...
    return new CustomUser(etudiant.getId(), etudiant.getLogin(), etudiant.getPassword(), enabled,accountNonExpired,credentialsNonExpired,accountNonLocked,getAuthorities(etudiant.getRole().getRole()));

}

Then you will be able to use it:

@PreAuthorize(#contract.name = principal.id)

answered Jan 28 '13 at 10:35

Maksym Demidas

7,707
1
29
36

thank you for your response, the solution works,but in my case, we use the EJB entity, so if my entity Utilisateur also User extend the class UseDetail. Is it not good for the reuse of the code? I am not sure about it. So in the real project, how to solve this problem if we use the Entityclass. Thank you very much – user2016385 Jan 28 '13 at 12:53
I am do not understand your question. Could you provide more details? – Maksym Demidas Jan 28 '13 at 17:07
in most tutorial, we have a user class,if we want to customize our own UserDetailService, we could let our User class extend UserDetail. But I think it is just a simple project. In my project, my user class is a POJO, it is a EJB entity beans. So if I let my user class extend UserDetail, I know it works, but I am not sure it is also reusable. But it is just what i think, i don't know it is right. My project has two subproject,one is a ejb project, the other is a web project which reference the ejb project. – user2016385 Jan 28 '13 at 21:30
If you do not want to extend a org.springframework.security.core.userdetails.User class then you can just implement org.springframework.security.core.userdetails.UserDetails – Maksym Demidas Jan 29 '13 at 09:10

In spring security 3,how to customize my @ PreAuthorize annotation?

1 Answers1