Extending Method Security with Custom SpEL Expressions

Snippet

Extending Method Security with Custom SpEL Expressions

By extending SecurityExpressionRoot, you can define custom domain-specific SpEL functions (like isResourceOwner) that can be used directly in @PreAuthorize annotations, centralizing complex authorization logic.

snippet.java
java
public class CustomSecurityExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    public CustomSecurityExpressionRoot(Authentication authentication) {
        super(authentication);
    }
 
    public boolean isResourceOwner(Long resourceId) {
        // Logic to check if the current user owns the specific resource
        return true;
    }
 
    @Override
    public void setFilterObject(Object filterObject) {}
    @Override
    public Object getFilterObject() { return null; }
    @Override
    public void setReturnObject(Object returnObject) {}
    @Override
    public Object getReturnObject() { return null; }
    @Override
    public Object getThis() { return this; }
}

spring

Breakdown

extends SecurityExpressionRoot

Inherits base security evaluation logic like hasRole() and isAuthenticated().

implements MethodSecurityExpressionOperations

Required interface for evaluating expressions on methods.

public boolean isResourceOwner(Long resourceId)

Custom SpEL function accessible via @PreAuthorize("isResourceOwner(#id)").

Previous snippet Next snippet

More Expert Java exercises →

From your library

Extending Method Security with Custom SpEL Expressions

Related