Dynamic Method Security with SpEL Expressions

Snippet

Dynamic Method Security with SpEL Expressions

Spring Security enables fine-grained access control using Spring Expression Language (SpEL). By referencing custom beans within @PreAuthorize, complex authorization rules can be externalized and reused.

snippet.java
java
@Service
public class DocumentService {
    @PreAuthorize("@securityService.isOwner(#id) or hasRole('ADMIN')")
    public Document getDocument(Long id) {
        return repository.findById(id).orElseThrow();
    }
}
 
@Component("securityService")
public class SecurityService {
    public boolean isOwner(Long id) {
        String currentUser = SecurityContextHolder.getContext().getAuthentication().getName();
        // Database check logic here
        return true; 
    }
}

spring

Breakdown

@PreAuthorize("@securityService.isOwner(#id) ...")

Uses SpEL to call a method on a Spring bean before method execution.

SecurityContextHolder.getContext().getAuthentication()

Accesses the current authenticated user's details from the security context.

or hasRole('ADMIN')

Standard Spring Security expression combined with custom logic using logical operators.

Previous snippet Next snippet

More Expert Java exercises →

From your library

Dynamic Method Security with SpEL Expressions

Related