0

I need to have authorization at the method level so that the users with proper permissions only can access it. The method will contain a token as a parameter. I need to make an API call passing the token and get the user email id. Once I have the email id, I need to fetch the user's roles & permissions from the database. Then I invoke the method if the user have appropriate roles else return a 403 error.

Is there a way to get this done in spring boot? I will have multiple methods behind authorization and would like to have some kind of annotation at method level.

Thanks.

Tapan
  • 157
  • 2
  • 4
  • 18

2 Answers2

1

@PreAuthorize annotation is what you want

Please read the following link for spring method level authorization baeldung method authorization

you will also need to undestand SPEL(Spring Expression Language) as this is what the PreAuthorize method gets as parameter , link can be found here

please note that spring uses the SecurityContext to get the user data(Role etc..), meaning that the user already passed the login(authentication) stage and has SecurityContext loaded for said user

Example:

//other annotations 
@PreAuthorize("hasRole('ROLE_VIEWER')") // hasRole('ROLE_VIEWER') -> this is SPEL
public ResponseEntity<String> methodName() {
 //method
}
Roie Beck
  • 1,113
  • 3
  • 15
  • 30
  • Is there a way I can override @PreAuthorize..... In my case, SecurityContext won't contain any user data. I will have a token provided as a parameter. All I have to do is retrieve the user details from the token using an API, and then see if the user has the permissions to do whatever he wants to do. – Tapan Aug 11 '20 at 15:36
  • Preauth receives method that returnes a Boolean, in theory, you can write what ever you want in it, example: https://stackoverflow.com/questions/53248269/spring-security-preauthorize-based-on-custom-boolean-property-value , so feel free to create any function you want, you can send argument to the method using spel syntax – Roie Beck Aug 11 '20 at 19:42
  • Thanks Roie...I was able to implement a custom authorization using @PreAuthorize – Tapan Aug 21 '20 at 14:32
0

You can use @PreAuthorize with more flex as:-

@PreAuthorize("@securityService.hasPermission({'PERMISSION_1'})")

and service:-

@Component("securityService")
public class SecurityService {
    public boolean hasPermission(PermissionEnum... permissions) {

        Collection<? extends GrantedAuthority> authorities = SecurityContextHolder.getContext().getAuthentication()
                .getAuthorities();

        for (PermissionEnum permission : permissions) {
            if (authorities.contains(new SimpleGrantedAuthority(permission.toString))) {
                return true;
            }
        }
        return false;
    }
}

You can make it as you want.
For more

java dev
  • 313
  • 1
  • 3
  • 12