1

How can I call the hasPermission function with just one parameter?

Currently I have something like this:

@PreAuthorize("hasPermission('someResource', 'READ')")

I want to be able to do this:

@PreAuthorize("hasPermission('canReadSomeResource')")

Is there an easy way to accomplish this? I basically just want to specify the permission that is needed in order to call a method, rather than a resource and a permission.

user1751547
  • 2,211
  • 4
  • 21
  • 25

2 Answers2

2

The specific purpose of hasPermission() is to check whether a user is authorized to execute an operation on a particular domain object. If you're wanting to just check whether a user has a certain general-purpose authority, you should use hasRole().

chrylis -cautiouslyoptimistic-
  • 75,269
  • 21
  • 115
  • 152
  • Ok, is there something other than hasRole()? In my model each role is assigned a set of permissions, and I want to annotate a method requiring the permission. In this way I don't know what roles would be valid, I want to be able to check the roles a user has for a particular permission. – user1751547 Oct 16 '13 at 16:17
  • @user1751547 What authentication provider are you using? The general advice is to make each permission an authority and to add all of them to the user's list. – chrylis -cautiouslyoptimistic- Oct 16 '13 at 18:59
  • I've extended the AbstractUserDetailsAuthenticationProvider. The answer to this question seems to suggest I can do what I am trying to do: http://stackoverflow.com/questions/18097152/custom-annotation-with-spring-security I'm not just sure how to implement it. – user1751547 Oct 16 '13 at 20:04
1

I think you need hasAuthority('canReadSomeResource') that checks the user authority to access a resource. 

@PreAuthorize("hasAuthority('canReadSomeResource')")
public void myMethod(){
   ...
}

That authority (canReadSomeResource) can be provided to the spring security by implementing UserDetailsService interface.

Dariush Jafari
  • 5,223
  • 7
  • 42
  • 71