I'm working on securing REST service endpoints with Spring Security. I basically need to check if the user has a given authority, if the user can invoke the function with the given parameters, and lastly, I filter the output so that the user cannot see things that it shouldn't.
For this, I have this set of annotations:
@PostFilter("#canViewOwnAssignment.canView(filterObject) or #canViewAllAssignments.canView(filterObject)")
@PreAuthorize("hasAnyAuthority('canViewOwnAssignment', 'canViewAllAssignments') and (#canViewOwnAssignment.canEnter(userId) or #canViewAllAssignments.canEnter(userId))")
...for all the methods. The only thing changing from the above snippet is canViewOwnAssignment and the parameter(s) of .canEnter().
I'd like to simplify this, so that I can have an annotation looking something like this: @MyAnnotation(bean = CanViewAssignment.class, args = {"userId"})
How could I make this happen?
I tried extending PrePostAnnotationSecurityMetadataSource.class, since that's the one parsing the annotations; however, I can't just use @Primary to override it, since the bean instantiation is baked into GlobalMethodSecurityDefinitionParser.class.
If I don't need to, I'd rather not start rewriting half of Spring Security, only to have one overridden method.
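For readers who want to see what the @PreAuthorize/@PostFilter stack in the question looks like end to end, here is an added example (it is not part of the question and not an answer to it): the two rule beans behind the expressions, a service method carrying the same two annotations, and the configuration that enables pre/post annotations. It assumes Spring Security 4/5 annotation configuration, the standard `@beanName` SpEL syntax for referencing a bean, an `Assignment` type with an owner id, and that the principal's username is the numeric user id; the package and class names are placeholders.

```java
package example.security;  // hypothetical package, not from the question

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)  // turns on @PreAuthorize / @PostFilter
public class AssignmentSecurityExample {

    /** Minimal domain object assumed for the example. */
    public static class Assignment {
        private final long ownerId;
        public Assignment(long ownerId) { this.ownerId = ownerId; }
        public long getOwnerId() { return ownerId; }
    }

    /** Assumption: the authenticated username is the user's numeric id. */
    static long currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return Long.parseLong(auth.getName());
    }

    static boolean hasAuthority(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth.getAuthorities().contains(new SimpleGrantedAuthority(authority));
    }

    /** "Own assignment" rule: requires the authority AND that the caller is the owner. */
    public static class CanViewOwnAssignment {
        public boolean canEnter(long userId) {
            return hasAuthority("canViewOwnAssignment") && userId == currentUserId();
        }
        public boolean canView(Assignment a) {
            return hasAuthority("canViewOwnAssignment") && a.getOwnerId() == currentUserId();
        }
    }

    /** "All assignments" rule: the authority alone decides, no per-object restriction. */
    public static class CanViewAllAssignments {
        public boolean canEnter(long userId) { return hasAuthority("canViewAllAssignments"); }
        public boolean canView(Assignment a) { return hasAuthority("canViewAllAssignments"); }
    }

    // Bean names must match the @beanName references in the SpEL expressions below.
    @Bean(name = "canViewOwnAssignment")
    public CanViewOwnAssignment canViewOwnAssignment() { return new CanViewOwnAssignment(); }

    @Bean(name = "canViewAllAssignments")
    public CanViewAllAssignments canViewAllAssignments() { return new CanViewAllAssignments(); }

    @Bean
    public AssignmentService assignmentService() { return new AssignmentService(); }

    public static class AssignmentService {
        // Stand-in for a repository; constructed sample data (user 1 owns two, user 2 owns one).
        private final List<Assignment> store = Arrays.asList(
                new Assignment(1L), new Assignment(1L), new Assignment(2L));

        @PreAuthorize("hasAnyAuthority('canViewOwnAssignment', 'canViewAllAssignments') and "
                + "(@canViewOwnAssignment.canEnter(#userId) or @canViewAllAssignments.canEnter(#userId))")
        @PostFilter("@canViewOwnAssignment.canView(filterObject) or @canViewAllAssignments.canView(filterObject)")
        public List<Assignment> assignmentsFor(@P("userId") long userId) {
            // @PostFilter removes elements from the returned collection in place,
            // so hand back a mutable copy rather than the repository's own list.
            return new ArrayList<>(store);
        }
    }
}
```

Two details are easy to miss when wiring expressions like these: `@PostFilter` mutates the returned collection, so an immutable or shared list will either throw or leak filtered state into later calls, and `#userId` only resolves if the parameter name is available at runtime, which is why the example annotates it with `@P("userId")` (compiling with `-parameters` is the alternative). Each rule bean also re-checks its own authority internally, so the `or` between the two beans cannot be satisfied by a bean whose authority the caller does not hold.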