2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[jc-method]]
							 
						 
					
						
							
								
									
										
										
										
											2021-07-30 13:52:15 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								= Method Security
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								:figures: servlet/authorization
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								In addition to xref:servlet/authorization/authorize-http-requests.adoc[modeling authorization at the request level], Spring Security also supports modeling at the method level.
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[activate-method-security]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can activate it in your application by annotating any `@Configuration` class with `@EnableMethodSecurity` or adding `<method-security>` to any  XML configuration file, like so:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Then, you are immediately able to annotate any Spring-managed class or method with <<use-preauthorize, `@PreAuthorize`>>, <<use-postauthorize,`@PostAuthorize`>>, <<use-prefilter,`@PreFilter`>>, and <<use-postfilter,`@PostFilter`>> to authorize method invocations, including the input parameters and return values.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
									
										
										
										
											2024-09-02 02:09:59 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								{spring-boot-reference-url}reference/using/build-systems.html#using.build-systems.starters[Spring Boot Starter Security] does not activate method-level authorization by default.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Method Security supports many other use cases as well including <<use-aspectj, AspectJ support>>, <<use-programmatic-authorization,custom annotations>>, and several configuration points.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Consider learning about the following use cases:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* <<migration-enableglobalmethodsecurity, Migrating from `@EnableGlobalMethodSecurity`>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Understanding <<method-security-architecture,how method security works>> and reasons to use it
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Comparing <<request-vs-method,request-level and method-level authorization>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Authorizing methods with <<use-preauthorize,`@PreAuthorize`>> and <<use-postauthorize,`@PostAuthorize`>>
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* Providing <<fallback-values-authorization-denied,fallback values when authorization is denied>>
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* Filtering methods with <<use-prefilter,`@PreFilter`>> and <<use-postfilter,`@PostFilter`>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Authorizing methods with <<use-jsr250,JSR-250 annotations>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Authorizing methods with <<use-aspectj,AspectJ expressions>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Integrating with <<weave-aspectj,AspectJ byte-code weaving>>
							 
						 
					
						
							
								
									
										
										
										
											2023-05-24 10:26:59 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* Coordinating with <<changing-the-order,@Transactional and other AOP-based annotations>>
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* Customizing <<customizing-expression-handling,SpEL expression handling>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Integrating with <<custom-authorization-managers,custom authorization systems>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[method-security-architecture]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== How Method Security Works
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security's method authorization support is handy for:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Extracting fine-grained authorization logic; for example, when the method parameters and return values contribute to the authorization decision.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Enforcing security at the service layer
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* Stylistically favoring annotation-based over `HttpSecurity`-based configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And since Method Security is built using {spring-framework-reference-url}core.html#aop-api[Spring AOP], you have access to all its expressive power to override Spring Security's defaults as needed.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								As already mentioned, you begin by adding `@EnableMethodSecurity` to a `@Configuration` class or `<sec:method-security/>` in a Spring XML configuration file.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[use-method-security]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This annotation and XML element supercede `@EnableGlobalMethodSecurity` and `<sec:global-method-security/>`, respectively.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								They offer the following improvements:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								1. Uses the simplified `AuthorizationManager` API instead of metadata sources, config attributes, decision managers, and voters.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This simplifies reuse and customization.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								2. Favors direct bean-based configuration, instead of requiring extending `GlobalMethodSecurityConfiguration` to customize beans
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								3. Is built using native Spring AOP, removing abstractions and allowing you to use Spring AOP building blocks to customize
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								4. Checks for conflicting annotations to ensure an unambiguous security configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								5. Complies with JSR-250
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								6. Enables `@PreAuthorize`, `@PostAuthorize`, `@PreFilter`, and `@PostFilter` by default
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								If you are using `@EnableGlobalMethodSecurity` or `<global-method-security/>`, these are now deprecated, and you are encouraged to migrate.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Method authorization is a combination of before- and after-method authorization.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Consider a service bean that is annotated in the following way:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyCustomerService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('permission:read')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public Customer readCustomer(String id) { ... }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyCustomerService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('permission:read')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun readCustomer(id: String): Customer { ... }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								A given invocation to `MyCustomerService#readCustomer` may look something like this when Method Security <<activate-method-security,is activated>>:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-11-24 00:52:13 +05:30 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[.invert-dark]
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								image::{figures}/methodsecurity.png[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								1. Spring AOP invokes its proxy method for `readCustomer`. Among the proxy's other advisors, it invokes an javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[] that matches <<annotation-method-pointcuts,the `@PreAuthorize` pointcut>>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								2. The interceptor invokes javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[`PreAuthorizeAuthorizationManager#check`]
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								3. The authorization manager uses a `MethodSecurityExpressionHandler` to parse the annotation's <<authorization-expressions,SpEL expression>> and constructs a corresponding `EvaluationContext` from a `MethodSecurityExpressionRoot` containing xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[a `Supplier<Authentication>`] and `MethodInvocation`.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								4. The interceptor uses this context to evaluate the expression; specifically, it reads xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[the `Authentication`] from the `Supplier` and checks whether it has `permission:read` in its collection of xref:servlet/authorization/architecture.adoc#authz-authorities[authorities]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								5. If the evaluation passes, then Spring AOP proceeds to invoke the method.
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								6. If not, the interceptor publishes an `AuthorizationDeniedEvent` and throws an javadoc:org.springframework.security.access.AccessDeniedException[] which xref:servlet/architecture.adoc#servlet-exceptiontranslationfilter[the `ExceptionTranslationFilter`] catches and returns a 403 status code to the response
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								7. After the method returns, Spring AOP invokes an javadoc:org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor[] that matches <<annotation-method-pointcuts,the `@PostAuthorize` pointcut>>, operating the same as above, but with javadoc:org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager[]
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								8. If the evaluation passes (in this case, the return value belongs to the logged-in user), processing continues normally
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								9. If not, the interceptor publishes an `AuthorizationDeniedEvent` and throws an javadoc:org.springframework.security.access.AccessDeniedException[], which xref:servlet/architecture.adoc#servlet-exceptiontranslationfilter[the `ExceptionTranslationFilter`] catches and returns a 403 status code to the response
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If the method is not being called in the context of an HTTP request, you will likely need to handle the `AccessDeniedException` yourself
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[unanimous-based-authorization-decisions]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Multiple Annotations Are Computed In Series
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								As demonstrated above, if a method invocation involves multiple <<authorizing-with-annotations,Method Security annotations>>, each of those is processed one at a time.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This means that they can collectively be thought of as being "anded" together.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In other words, for an invocation to be authorized, all annotation inspections need to pass authorization.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[repeated-annotations]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Repeated Annotations Are Not Supported
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								That said, it is not supported to repeat the same annotation on the same method.
							 
						 
					
						
							
								
									
										
										
										
											2023-10-29 13:39:10 +05:30 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								For example, you cannot place `@PreAuthorize` twice on the same method.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Instead, use SpEL's boolean support or its support for delegating to a separate bean.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[annotation-method-pointcuts]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Each Annotation Has Its Own Pointcut
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Each annotation has its own pointcut instance that looks for that annotation or its <<meta-annotations,meta-annotation>> counterparts across the entire object hierarchy, starting at <<class-or-interface-annotations,the method and its enclosing class>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								// FIXME: AuthorizationMethodPointcuts is package private and Javadoc is not published You can see the specifics of this in javadoc:org.springframework.security.authorization.method.AuthorizationMethodPointcuts[].
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[annotation-method-interceptors]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Each Annotation Has Its Own Method Interceptor
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Each annotation has its own dedicated method interceptor.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The reason for this is to make things more composable.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, if needed, you can disable the Spring Security defaults and <<_enabling_certain_annotations,publish only the `@PostAuthorize` method interceptor>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The method interceptors are as follows:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* For <<use-preauthorize,`@PreAuthorize`>>, Spring Security uses javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[`AuthorizationManagerBeforeMethodInterceptor#preAuthorize`], which in turn uses javadoc:org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* For <<use-postauthorize,`@PostAuthorize`>>, Spring Security uses javadoc:org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor[`AuthorizationManagerAfterMethodInterceptor#postAuthorize`], which in turn uses javadoc:org.springframework.security.authorization.method.PostAuthorizeAuthorizationManager[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* For <<use-prefilter,`@PreFilter`>>, Spring Security uses javadoc:org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* For <<use-postfilter,`@PostFilter`>>, Spring Security uses javadoc:org.springframework.security.authorization.method.PostFilterAuthorizationMethodInterceptor[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* For <<use-secured,`@Secured`>>, Spring Security uses javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[`AuthorizationManagerBeforeMethodInterceptor#secured`], which in turn uses javadoc:org.springframework.security.authorization.method.SecuredAuthorizationManager[]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* For JSR-250 annotations, Spring Security uses javadoc:org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor[`AuthorizationManagerBeforeMethodInterceptor#jsr250`], which in turn uses javadoc:org.springframework.security.authorization.method.Jsr250AuthorizationManager[]
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Generally speaking, you can consider the following listing as representative of what interceptors Spring Security publishes when you add `@EnableMethodSecurity`:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static Advisor preAuthorizeMethodInterceptor() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return AuthorizationManagerBeforeMethodInterceptor.preAuthorize();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static Advisor postAuthorizeMethodInterceptor() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return AuthorizationManagerAfterMethodInterceptor.postAuthorize();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static Advisor preFilterMethodInterceptor() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return AuthorizationManagerBeforeMethodInterceptor.preFilter();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static Advisor postFilterMethodInterceptor() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return AuthorizationManagerAfterMethodInterceptor.postFilter();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[favor-granting-authorities]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Favor Granting Authorities Over Complicated SpEL Expressions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Quite often it can be tempting to introduce a complicated SpEL expression like the following:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('permission:read') || hasRole('ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-12-25 18:33:14 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('permission:read') || hasRole('ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-12-25 18:33:14 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								However, you could instead grant `permission:read` to those with `ROLE_ADMIN`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								One way to do this is with a `RoleHierarchy` like so:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static RoleHierarchy roleHierarchy() {
							 
						 
					
						
							
								
									
										
										
										
											2023-12-08 10:45:26 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    return RoleHierarchyImpl.fromHierarchy("ROLE_ADMIN > permission:read");
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2024-07-03 22:16:11 +09:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								companion object {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun roleHierarchy(): RoleHierarchy {
							 
						 
					
						
							
								
									
										
										
										
											2023-12-08 10:45:26 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        return RoleHierarchyImpl.fromHierarchy("ROLE_ADMIN > permission:read")
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-12-08 10:45:26 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<bean id="roleHierarchy"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl" factory-method="fromHierarchy">
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    <constructor-arg value="ROLE_ADMIN > permission:read"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</bean>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								and then <<customizing-expression-handling,set that in a `MethodSecurityExpressionHandler` instance>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This then allows you to have a simpler <<use-preauthorize,`@PreAuthorize`>> expression like this one:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('permission:read')")
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('permission:read')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Or, where possible, adapt application-specific authorization logic into granted authorities at login time.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[request-vs-method]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Comparing Request-level vs Method-level Authorization
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								When should you favor method-level authorization over xref:servlet/authorization/authorize-http-requests.adoc[request-level authorization]?
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Some of it comes down to taste; however, consider the following strengths list of each to help you decide.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								|===
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								|| *request-level* | *method-level*
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								| *authorization type* | coarse-grained | fine-grained
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								| *configuration location* | declared in a config class | local to method declaration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								| *configuration style* | DSL | Annotations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								| *authorization definitions* | programmatic | SpEL
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								|===
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The main tradeoff seems to be where you want your authorization rules to live.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								It's important to remember that when you use annotation-based Method Security, then unannotated methods are not secured.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To protect against this, declare xref:servlet/authorization/authorize-http-requests.adoc#activate-request-security[a catch-all authorization rule] in your xref:servlet/configuration/java.adoc#jc-httpsecurity[`HttpSecurity`] instance.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[authorizing-with-annotations]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Authorizing with Annotations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The primary way Spring Security enables method-level authorization support is through annotations that you can add to methods, classes, and interfaces.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[use-preauthorize]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Authorizing Method Invocation with `@PreAuthorize`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								When <<activate-method-security,Method Security is active>>, you can annotate a method with the javadoc:org.springframework.security.access.prepost.PreAuthorize[format=annotation] annotation like so:
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PreAuthorize("hasRole('ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only invoked if the `Authentication` has the `ROLE_ADMIN` authority
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PreAuthorize("hasRole('ADMIN')")
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only invoked if the `Authentication` has the `ROLE_ADMIN` authority
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This is meant to indicate that the method can only be invoked if the provided expression `hasRole('ADMIN')` passes.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can then xref:servlet/test/method.adoc[test the class] to confirm it is enforcing the authorization rule like so:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								BankService bankService;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(roles="ADMIN")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void readAccountWithAdminRoleThenInvokes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Account account = this.bankService.readAccount("12345678");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ... assertions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(roles="WRONG")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void readAccountWithWrongRoleThenAccessDenied() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        () -> this.bankService.readAccount("12345678"));
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(roles="ADMIN")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccountWithAdminRoleThenInvokes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val account: Account = this.bankService.readAccount("12345678")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ... assertions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(roles="WRONG")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccountWithWrongRoleThenAccessDenied() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException::class.java).isThrownBy {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        this.bankService.readAccount("12345678")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								`@PreAuthorize` also can be a <<meta-annotations, meta-annotation>>, be defined <<class-or-interface-annotations,at the class or interface level>>, and use <<authorization-expressions, SpEL Authorization Expressions>>.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								While `@PreAuthorize` is quite helpful for declaring needed authorities, it can also be used to evaluate more complex <<using_method_parameters,expressions that involve the method parameters>>.
							 
						 
					
						
							
								
									
										
										
										
											2023-05-23 20:12:08 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[use-postauthorize]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Authorization Method Results with `@PostAuthorize`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								When Method Security is active, you can annotate a method with the javadoc:org.springframework.security.access.prepost.PostAuthorize[format=annotation] annotation like so:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This is meant to indicate that the method can only return the value if the provided expression `returnObject.owner == authentication.name` passes.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`returnObject` represents the `Account` object to be returned.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can then xref:servlet/test/method.adoc[test the class] to confirm it is enforcing the authorization rule:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								BankService bankService;
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void readAccountWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Account account = this.bankService.readAccount("12345678");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ... assertions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="wrong")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void readAccountWhenNotOwnedThenAccessDenied() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        () -> this.bankService.readAccount("12345678"));
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccountWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val account: Account = this.bankService.readAccount("12345678")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ... assertions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="wrong")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccountWhenNotOwnedThenAccessDenied() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException::class.java).isThrownBy {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        this.bankService.readAccount("12345678")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								`@PostAuthorize` also can be a <<meta-annotations,meta-annotation>>, be defined <<class-or-interface-annotations,at the class or interface level>>, and use <<authorization-expressions, SpEL Authorization Expressions>>.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`@PostAuthorize` is particularly helpful when defending against https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html[Insecure Direct Object Reference].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In fact, it can be defined as a <<meta-annotations,meta-annotation>> like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public @interface RequireOwnership {}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target(ElementType.METHOD, ElementType.TYPE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostAuthorize("returnObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								annotation class RequireOwnership
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Allowing you to instead annotate the service in the following way:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@RequireOwnership
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@RequireOwnership
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The result is that the above method will only return the `Account` if its `owner` attribute matches the logged-in user's `name`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If not, Spring Security will throw an `AccessDeniedException` and return a 403 status code.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-08-22 12:25:06 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Note that `@PostAuthorize` is not recommended for classes that perform database writes since that typically means that a database change was made before the security invariants were checked.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								A common example of doing this is if you have `@Transactional` and `@PostAuthorize` on the same method.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Instead, read the value first, using `@PostAuthorize` on the read, and then perform the database write, should that read is authorized.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If you must do something like this, you can <<changing-the-order, ensure that `@EnableTransactionManagement` comes before `@EnableMethodSecurity`>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[use-prefilter]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Filtering Method Parameters with `@PreFilter`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								When Method Security is active, you can annotate a method with the javadoc:org.springframework.security.access.prepost.PreFilter[format=annotation] annotation like so:
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Collection<Account> updateAccounts(Account... accounts) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... `accounts` will only contain the accounts owned by the logged-in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return updated;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									fun updateAccounts(vararg accounts: Account): Collection<Account> {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... `accounts` will only contain the accounts owned by the logged-in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return updated
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This is meant to filter out any values from `accounts` where the expression `filterObject.owner == authentication.name` fails.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`filterObject` represents each `account` in `accounts` and is used to test each `account`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can then test the class in the following way to confirm it is enforcing the authorization rule:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								BankService bankService;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void updateAccountsWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Account ownedBy = ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Account notOwnedBy = ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Collection<Account> updated = this.bankService.updateAccounts(ownedBy, notOwnedBy);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(updated).containsOnly(ownedBy);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								lateinit var bankService: BankService
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun updateAccountsWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val ownedBy: Account = ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val notOwnedBy: Account = ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val updated: Collection<Account> = bankService.updateAccounts(ownedBy, notOwnedBy)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(updated).containsOnly(ownedBy)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								`@PreFilter` also can be a <<meta-annotations,meta-annotation>>, be defined <<class-or-interface-annotations,at the class or interface level>>, and use <<authorization-expressions, SpEL Authorization Expressions>>.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`@PreFilter` supports arrays, collections, maps, and streams (so long as the stream is still open).
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, the above `updateAccounts` declaration will function the same way as the following other four:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Collection<Account> updateAccounts(Account[] accounts)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Collection<Account> updateAccounts(Collection<Account> accounts)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.value.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Collection<Account> updateAccounts(Map<String, Account> accounts)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Collection<Account> updateAccounts(Stream<Account> accounts)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun updateAccounts(accounts: Array<Account>): Collection<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun updateAccounts(accounts: Collection<Account>): Collection<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.value.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun updateAccounts(accounts: Map<String, Account>): Collection<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun updateAccounts(accounts: Stream<Account>): Collection<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The result is that the above method will only have the `Account` instances where their `owner` attribute matches the logged-in user's `name`.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[use-postfilter]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Filtering Method Results with `@PostFilter`
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								When Method Security is active, you can annotate a method with the javadoc:org.springframework.security.access.prepost.PostFilter[format=annotation] annotation like so:
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Collection<Account> readAccounts(String... ids) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... the return value will be filtered to only contain the accounts owned by the logged-in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return accounts;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
									
										
										
										
											2025-02-21 11:58:23 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccounts(vararg ids: String): Collection<Account> {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... the return value will be filtered to only contain the accounts owned by the logged-in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return accounts
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This is meant to filter out any values from the return value where the expression `filterObject.owner == authentication.name` fails.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`filterObject` represents each `account` in `accounts` and is used to test each `account`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can then test the class like so to confirm it is enforcing the authorization rule:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								BankService bankService;
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void readAccountsWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Collection<Account> accounts = this.bankService.updateAccounts("owner", "not-owner");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(accounts).hasSize(1);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(accounts.get(0).getOwner()).isEqualTo("owner");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								lateinit var bankService: BankService
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@WithMockUser(username="owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccountsWhenOwnedThenReturns() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val accounts: Collection<Account> = bankService.updateAccounts("owner", "not-owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(accounts).hasSize(1)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(accounts[0].owner).isEqualTo("owner")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								`@PostFilter` also can be a <<meta-annotations,meta-annotation>>, be defined <<class-or-interface-annotations,at the class or interface level>>, and use <<authorization-expressions, SpEL Authorization Expressions>>.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								`@PostFilter` supports arrays, collections, maps, and streams (so long as the stream is still open).
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, the above `readAccounts` declaration will function the same way as the following other three:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Collection<Account> readAccounts(String... ids)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Account[] readAccounts(String... ids)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.value.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Map<String, Account> readAccounts(String... ids)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public Stream<Account> readAccounts(String... ids)
							 
						 
					
						
							
								
									
										
										
										
											2024-05-18 15:39:27 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccounts(vararg ids: String): Collection<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccounts(vararg ids: String): Array<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccounts(vararg ids: String): Map<String, Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PostFilter("filterObject.owner == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun readAccounts(vararg ids: String): Stream<Account>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The result is that the above method will return the `Account` instances where their `owner` attribute matches the logged-in user's `name`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In-memory filtering can obviously be expensive, and so be considerate of whether it is better to xref:servlet/integrations/data.adoc[filter the data in the data layer] instead.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[use-secured]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Authorizing Method Invocation with `@Secured`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								javadoc:org.springframework.security.access.annotation.Secured[format=annotation] is a legacy option for authorizing invocations.
							 
						 
					
						
							
								
									
										
										
										
											2024-11-09 23:28:30 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<<use-preauthorize,`@PreAuthorize`>> supersedes it and is recommended instead.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To use the `@Secured` annotation, you should first change your Method Security declaration to enable it like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(securedEnabled = true)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(securedEnabled = true)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security secured-enabled="true"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This will cause Spring Security to publish <<annotation-method-interceptors,the corresponding method interceptor>> that authorizes methods, classes, and interfaces annotated with `@Secured`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[use-jsr250]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Authorizing Method Invocation with JSR-250 Annotations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In case you would like to use https://jcp.org/en/jsr/detail?id=250[JSR-250] annotations, Spring Security also supports that.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<<use-preauthorize,`@PreAuthorize`>> has more expressive power and is thus recommended.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To use the JSR-250 annotations, you should first change your Method Security declaration to enable them like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(jsr250Enabled = true)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(jsr250Enabled = true)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security jsr250-enabled="true"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This will cause Spring Security to publish <<annotation-method-interceptors,the corresponding method interceptor>> that authorizes methods, classes, and interfaces annotated with `@RolesAllowed`, `@PermitAll`, and `@DenyAll`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[class-or-interface-annotations]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Declaring Annotations at the Class or Interface Level
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								It's also supported to have Method Security annotations at the class and interface level.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If it is at the class level like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('ROLE_USER')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String endpoint() { ... }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('ROLE_USER')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun endpoint(): String { ... }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								then all methods inherit the class-level behavior.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Or, if it's declared like the following at both the class and method level:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('ROLE_USER')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String endpoint() { ... }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAuthority('ROLE_USER')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun endpoint(): String { ... }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								then methods declaring the annotation override the class-level annotation.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The same is true for interfaces, with the exception that if a class inherits the annotation from two different interfaces, then startup will fail.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This is because Spring Security has no way to tell which one you want to use.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In cases like this, you can resolve the ambiguity by adding the annotation to the concrete method.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[meta-annotations]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Using Meta Annotations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Method Security supports meta annotations.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This means that you can take any annotation and improve readability based on your application-specific use cases.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, you can simplify `@PreAuthorize("hasRole('ADMIN')")` to `@IsAdmin` like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasRole('ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public @interface IsAdmin {}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Target(ElementType.METHOD, ElementType.TYPE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasRole('ADMIN')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								annotation class IsAdmin
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								And the result is that on your secured methods you can now do the following instead:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@IsAdmin
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@IsAdmin
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This results in more readable method definitions.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								==== Templating Meta-Annotation Expressions
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can also opt into using meta-annotation templates, which allow for much more powerful annotation definitions.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								First, publish the following bean:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
									
										
										
										
											2024-08-09 13:28:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								static AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									return new AnnotationTemplateExpressionDefaults();
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								companion object {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
									
										
										
										
											2024-08-09 13:28:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun templateExpressionDefaults(): AnnotationTemplateExpressionDefaults {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return AnnotationTemplateExpressionDefaults()
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Now instead of `@IsAdmin`, you can create something more powerful like `@HasRole` like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasRole('{value}')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public @interface HasRole {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									String value();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target(ElementType.METHOD, ElementType.TYPE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasRole('{value}')")
							 
						 
					
						
							
								
									
										
										
										
											2024-07-25 18:24:27 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								annotation class HasRole(val value: String)
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And the result is that on your secured methods you can now do the following instead:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@HasRole("ADMIN")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@HasRole("ADMIN")
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Note that this works with method variables and all annotation types, too, though you will want to be careful to correctly take care of quotation marks so the resulting SpEL expression is correct.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, consider the following `@HasAnyRole` annotation:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAnyRole({roles})")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public @interface HasAnyRole {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									String[] roles();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target(ElementType.METHOD, ElementType.TYPE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasAnyRole({roles})")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								annotation class HasAnyRole(val roles: Array<String>)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In that case, you'll notice that you should not use the quotation marks in the expression, but instead in the parameter value like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@HasAnyRole(roles = { "'USER'", "'ADMIN'" })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public Account readAccount(Long id) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class BankService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@HasAnyRole(roles = arrayOf("'USER'", "'ADMIN'"))
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun readAccount(id: Long): Account {
							 
						 
					
						
							
								
									
										
										
										
											2024-01-22 16:29:47 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... is only returned if the `Account` belongs to the logged in user
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								so that, once replaced, the expression becomes `@PreAuthorize("hasAnyRole('USER', 'ADMIN')")`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[enable-annotation]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Enabling Certain Annotations
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can turn off ``@EnableMethodSecurity``'s pre-configuration and replace it with you own.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You may choose to do this if you want to <<custom-authorization-managers,customize the `AuthorizationManager`>> or `Pointcut`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Or you may simply want to only enable a specific annotation, like `@PostAuthorize`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can do this in the following way:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								.Only @PostAuthorize Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2022-08-09 07:37:59 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(prePostEnabled = false)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MethodSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									Advisor postAuthorize() {
							 
						 
					
						
							
								
									
										
										
										
											2024-05-22 14:15:16 +08:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerAfterMethodInterceptor.postAuthorize();
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2022-08-09 07:37:59 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(prePostEnabled = false)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MethodSecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun postAuthorize() : Advisor {
							 
						 
					
						
							
								
									
										
										
										
											2024-05-22 14:15:16 +08:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerAfterMethodInterceptor.postAuthorize()
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security pre-post-enabled="false"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<aop:config/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<bean id="postAuthorize"
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									class="org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor"
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									factory-method="postAuthorize"/>
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The above snippet achieves this by first disabling Method Security's pre-configurations and then publishing <<annotation-method-interceptors, the `@PostAuthorize` interceptor>> itself.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[use-intercept-methods]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Authorizing with `<intercept-methods>`
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								While using Spring Security's <<authorizing-with-annotations,annotation-based support>> is preferred for method security, you can also use XML to declare bean authorization rules.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								If you need to declare it in your XML configuration instead, you can use xref:servlet/appendix/namespace/method-security.adoc#nsa-intercept-methods[`<intercept-methods>`] like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<bean class="org.mycompany.MyController">
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <intercept-methods>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        <protect method="get*" access="hasAuthority('read')"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        <protect method="*" access="hasAuthority('write')"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    </intercept-methods>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</bean>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This only supports matching method by prefix or by name.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If your needs are more complex than that, <<authorizing-with-annotations,use annotation support>> instead.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[use-programmatic-authorization]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Authorizing Methods Programmatically
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								As you've already seen, there are several ways that you can specify non-trivial authorization rules using <<authorization-expressions, Method Security SpEL expressions>>.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								There are a number of ways that you can instead allow your logic to be Java-based instead of SpEL-based.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This gives use access the entire Java language for increased testability and flow control.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Using a Custom Bean in SpEL
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The first way to authorize a method programmatically is a two-step process.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								First, declare a bean that has a method that takes a `MethodSecurityExpressionOperations` instance like the following:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component("authz")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class AuthorizationLogic {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public boolean decide(MethodSecurityExpressionOperations operations) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component("authz")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class AuthorizationLogic {
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun decide(operations: MethodSecurityExpressionOperations): boolean {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Then, reference that bean in your annotations in the following way:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@authz.decide(#root)")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String endpoint() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Controller
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@authz.decide(#root)")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping("/endpoint")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun String endpoint() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security will invoke the given method on that bean for each method invocation.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								What's nice about this is all your authorization logic is in a separate class that can be independently unit tested and verified for correctness.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								It also has access to the full Java language.
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-03 13:20:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In addition to returning a `Boolean`, you can also return `null` to indicate that the code abstains from making a decision.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If you want to include more information about the nature of the decision, you can instead return a custom `AuthorizationDecision` like this:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component("authz")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class AuthorizationLogic {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public AuthorizationDecision decide(MethodSecurityExpressionOperations operations) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new MyAuthorizationDecision(false, details);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component("authz")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class AuthorizationLogic {
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun decide(operations: MethodSecurityExpressionOperations): AuthorizationDecision {
							 
						 
					
						
							
								
									
										
										
										
											2024-04-03 13:20:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return MyAuthorizationDecision(false, details)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-04 10:20:41 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Or throw a custom `AuthorizationDeniedException` instance.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Note, though, that returning an object is preferred as this doesn't incur the expense of generating a stacktrace.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-03 13:20:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Then, you can access the custom details when you <<fallback-values-authorization-denied, customize how the authorization result is handled>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-09-19 10:02:06 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Further, you can return an `AuthorizationManager` itself.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This is helpful when unifying custom web authorization rules with method security ones since web security by default requires specifying an `AuthorizationManager` instance.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[custom-authorization-managers]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Using a Custom Authorization Manager
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The second way to authorize a method programmatically is to create a custom xref:servlet/authorization/architecture.adoc#_the_authorizationmanager[`AuthorizationManager`].
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								First, declare an authorization manager instance, perhaps like this one:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								public class MyAuthorizationManager implements AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
									
										
										
										
											2025-06-21 01:12:07 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocation invocation) {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
									
										
										
										
											2025-06-21 01:12:07 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public AuthorizationResult authorize(Supplier<Authentication> authentication, MethodInvocationResult invocation) {
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MyAuthorizationManager : AuthorizationManager<MethodInvocation>, AuthorizationManager<MethodInvocationResult> {
							 
						 
					
						
							
								
									
										
										
										
											2025-06-21 01:12:07 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocation): AuthorizationResult {
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-06-21 01:12:07 +07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun authorize(authentication: Supplier<Authentication>, invocation: MethodInvocationResult): AuthorizationResult {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        // ... authorization logic
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Then, publish the method interceptor with a pointcut that corresponds to when you want that `AuthorizationManager` to run.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, you could replace how `@PreAuthorize` and `@PostAuthorize` work like so:
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								.Only @PreAuthorize and @PostAuthorize Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2022-08-09 07:37:59 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(prePostEnabled = false)
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class MethodSecurityConfig {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									Advisor preAuthorize(MyAuthorizationManager manager) {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									Advisor postAuthorize(MyAuthorizationManager manager) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerAfterMethodInterceptor.postAuthorize(manager);
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2022-08-09 07:37:59 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(prePostEnabled = false)
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class MethodSecurityConfig {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								   	@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun preAuthorize(manager: MyAuthorizationManager) : Advisor {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(manager)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun postAuthorize(manager: MyAuthorizationManager) : Advisor {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										return AuthorizationManagerAfterMethodInterceptor.postAuthorize(manager)
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security pre-post-enabled="false"/>
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<aop:config/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-10-10 20:10:05 +03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<bean id="preAuthorize"
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									class="org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									factory-method="preAuthorize">
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <constructor-arg ref="myAuthorizationManager"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</bean>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<bean id="postAuthorize"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									class="org.springframework.security.authorization.method.AuthorizationManagerAfterMethodInterceptor"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									factory-method="postAuthorize">
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <constructor-arg ref="myAuthorizationManager"/>
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								</bean>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can place your interceptor in between Spring Security method interceptors using the order constants specified in `AuthorizationInterceptorsOrder`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2021-04-07 15:33:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[customizing-expression-handling]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Customizing Expression Handling
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Or, third, you can customize how each SpEL expression is handled.
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								To do that, you can expose a custom javadoc:org.springframework.security.access.expression.method.MethodSecurityExpressionHandler[], like so:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								.Custom MethodSecurityExpressionHandler
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									handler.setRoleHierarchy(roleHierarchy);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									return handler;
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								companion object {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@Bean
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun methodSecurityExpressionHandler(roleHierarchy: RoleHierarchy) : MethodSecurityExpressionHandler {
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										val handler = DefaultMethodSecurityExpressionHandler()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										handler.setRoleHierarchy(roleHierarchy)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										return handler
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									<sec:expression-handler ref="myExpressionHandler"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<bean id="myExpressionHandler"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										class="org.springframework.security.messaging.access.expression.DefaultMessageSecurityExpressionHandler">
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									<property name="roleHierarchy" ref="roleHierarchy"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</bean>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								We expose `MethodSecurityExpressionHandler` using a `static` method to ensure that Spring publishes it before it initializes Spring Security's method security `@Configuration` classes
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can also <<subclass-defaultmethodsecurityexpressionhandler,subclass `DefaultMessageSecurityExpressionHandler`>> to add your own custom authorization expressions beyond the defaults.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-11-18 15:42:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[pre-post-authorize-aot]]
							 
						 
					
						
							
								
									
										
										
										
											2024-09-11 15:21:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Working with AOT
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security will scan all beans in the application context for methods that use `@PreAuthorize` or `@PostAuthorize`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								When it finds one, it will resolve any beans used inside the security expression and register the appropriate runtime hints for that bean.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If it finds a method that uses `@AuthorizeReturnObject`, it will recursively search inside the method's return type for `@PreAuthorize` and `@PostAuthorize` annotations and register them accordingly.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, consider the following Spring Boot application:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class AccountService { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@authz.decide()") <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public Account getAccountById(String accountId) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class Account {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    private final String accountNumber;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@accountAuthz.canViewAccountNumber()") <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String getAccountNumber() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.accountNumber;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public User getUser() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new User("John Doe");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    private final String fullName;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PostAuthorize("@myOtherAuthz.decide()") <6>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String getFullName() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.fullName;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class AccountService { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@authz.decide()") <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getAccountById(accountId: String): Account {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class Account(private val accountNumber: String) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@accountAuthz.canViewAccountNumber()") <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getAccountNumber(): String {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.accountNumber
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getUser(): User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return User("John Doe")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class User(private val fullName: String) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PostAuthorize("@myOtherAuthz.decide()") <6>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getFullName(): String {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.fullName
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<1> Spring Security finds the `AccountService` bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<2> Finding a method that uses `@PreAuthorize`, it will resolve any bean names used inside the expression, `authz` in that case, and register runtime hints for the bean class
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<3> Finding a method that uses `@AuthorizeReturnObject`, it will look into the method's return type for any `@PreAuthorize` or `@PostAuthorize`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<4> Then, it finds a `@PreAuthorize` with another bean name: `accountAuthz`; the runtime hints are registered for the bean class as well
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<5> Finding another `@AuthorizeReturnObject` it will look again into the method's return type
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<6> Now, a `@PostAuthorize` is found with yet another bean name used: `myOtherAuthz`; the runtime hints are registered for the bean class as well
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								There will be many times when Spring Security cannot determine the actual return type of the method ahead of time since it may be hidden in an erased generic type.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Consider the following service:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class AccountService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public List<Account> getAllAccounts() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Service
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class AccountService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getAllAccounts(): List<Account> {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
										 
							
							
								In this case, the generic type is erased and so it isn’ 
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To address this, you can publish a javadoc:org.springframework.security.aot.hint.PrePostAuthorizeExpressionBeanHintsRegistrar[`PrePostAuthorizeExpressionBeanHintsRegistrar`] like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static SecurityHintsRegistrar registerTheseToo() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return new PrePostAuthorizeExpressionBeanHintsRegistrar(Account.class);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun registerTheseToo(): SecurityHintsRegistrar {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return PrePostAuthorizeExpressionBeanHintsRegistrar(Account::class.java)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[use-aspectj]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Authorizing with AspectJ
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[match-by-pointcut]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Matching Methods with Custom Pointcuts
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Being built on Spring AOP, you can declare patterns that are not related to annotations, similar to xref:servlet/authorization/authorize-http-requests.adoc[request-level authorization].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This has the potential advantage of centralizing method-level authorization rules.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, you can use publish your own `Advisor` or use xref:servlet/appendix/namespace/method-security.adoc#nsa-protect-pointcut[`<protect-pointcut>`] to match AOP expressions to authorization rules for your service layer like so:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static Advisor protectServicePointcut() {
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    AspectJExpressionPointcut pattern = new AspectJExpressionPointcut()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import static org.springframework.security.authorization.AuthorityAuthorizationManager.hasRole
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								companion object {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun protectServicePointcut(): Advisor {
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        val pattern = AspectJExpressionPointcut()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        pattern.setExpression("execution(* com.mycompany.*Service.*(..))")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new AuthorizationManagerBeforeMethodInterceptor(pattern, hasRole("USER"))
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.*(..))" access="hasRole('USER')"/>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[weave-aspectj]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Integrate with AspectJ Byte-weaving
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Performance can at times be enhanced by using AspectJ to weave Spring Security advice into the byte code of your beans.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								After setting up AspectJ, you can quite simply state in the `@EnableMethodSecurity` annotation or `<method-security>` element that you are using AspectJ:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(mode=AdviceMode.ASPECTJ)
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(mode=AdviceMode.ASPECTJ)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security mode="aspectj"/>
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								And the result will be that Spring Security will publish its advisors as AspectJ advice so that they can be woven in accordingly.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-05-24 10:26:59 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[changing-the-order]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Specifying Order
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								As already noted, there is a Spring AOP method interceptor for each annotation, and each of these has a location in the Spring AOP advisor chain.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Namely, the `@PreFilter` method interceptor's order is 100, ``@PreAuthorize``'s is 200, and so on.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-08-22 12:25:06 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can use the `offset` parameter on `@EnableMethodSecurity` to move all interceptors en masse to provide their advice earlier or later in a method invocation.
							 
						 
					
						
							
								
									
										
										
										
											2023-05-24 10:26:59 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[authorization-expressions]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Expressing Authorization with SpEL
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You've already seen several examples using SpEL, so now let's cover the API a bit more in depth.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security encapsulates all of its authorization fields and methods in a set of root objects.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The most generic root object is called `SecurityExpressionRoot` and it forms the basis for `MethodSecurityExpressionRoot`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security supplies this root object to `MethodSecurityEvaluationContext` when preparing to evaluate an authorization expression.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[[using-authorization-expression-fields-and-methods]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Using Authorization Expression Fields and Methods
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The first thing this provides is an enhanced set of authorization fields and methods to your SpEL expressions.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								What follows is a quick overview of the most common methods:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `permitAll` - The method requires no authorization to be invoked; note that in this case, xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[the `Authentication`] is never retrieved from the session
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `denyAll` - The method is not allowed under any circumstances; note that in this case, the `Authentication` is never retrieved from the session
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `hasAuthority` - The method requires that the `Authentication` have xref:servlet/authorization/architecture.adoc#authz-authorities[a `GrantedAuthority`] that matches the given value
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `hasRole` - A shortcut for `hasAuthority` that prefixes `ROLE_` or whatever is configured as the default prefix
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `hasAnyAuthority` - The method requires that the `Authentication` have a `GrantedAuthority` that matches any of the given values
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `hasAnyRole` - A shortcut for `hasAnyAuthority` that prefixes `ROLE_` or whatever is configured as the default prefix
							 
						 
					
						
							
								
									
										
										
										
											2025-09-19 09:33:50 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* `hasAllAuthorities` - The method requires that the `Authentication` have ``GrantedAuthority``s that matches all of the given values
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `hasAllRoles` - A shortcut for `hasAllAuthorities` that prefixes `ROLE_` or whatever is configured as the default prefix
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								* `hasPermission` - A hook into your `PermissionEvaluator` instance for doing object-level authorization
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And here is a brief look at the most common fields:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `authentication` - The `Authentication` instance associated with this method invocation
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								* `principal` - The `Authentication#getPrincipal` associated with this method invocation
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Having now learned the patterns, rules, and how they can be paired together, you should be able to understand what is going on in this more complex example:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								.Authorize Requests
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("denyAll") <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    MyResource myDeprecatedMethod(...);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasRole('ADMIN')") <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    MyResource writeResource(...)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('db') and hasRole('ADMIN')") <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    MyResource deleteResource(...)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("principal.claims['aud'] == 'my-audience'") <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    MyResource readResource(...);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@PreAuthorize("@authz.check(authentication, #root)")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    MyResource shareResource(...);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("denyAll") <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun myDeprecatedMethod(...): MyResource
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasRole('ADMIN')") <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun writeResource(...): MyResource
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('db') and hasRole('ADMIN')") <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun deleteResource(...): MyResource
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("principal.claims['aud'] == 'my-audience'") <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun readResource(...): MyResource
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("@authz.check(#root)")
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun shareResource(...): MyResource
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.myDeprecatedMethod(..))" access="denyAll"/> <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.writeResource(..))" access="hasRole('ADMIN')"/> <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.deleteResource(..))" access="hasAuthority('db') and hasRole('ADMIN')"/> <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.readResource(..))" access="principal.claims['aud'] == 'my-audience'"/> <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <protect-pointcut expression="execution(* com.mycompany.*Service.shareResource(..))" access="@authz.check(#root)"/> <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</sec:method-security>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<1> This method may not be invoked by anyone for any reason
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<2> This method may only be invoked by ``Authentication``s granted the `ROLE_ADMIN` authority
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<3> This method may only be invoked by ``Authentication``s granted the `db` and `ROLE_ADMIN` authorities
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<4> This method may only be invoked by ``Princpal``s with an `aud` claim equal to "my-audience"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<5> This method may only be invoked if the bean ``authz``'s `check` method returns `true`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-10 16:38:10 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
									
										
										
										
											2024-04-04 10:20:41 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2024-04-10 16:38:10 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can use a bean like `authz` above to <<_using_a_custom_bean_in_spel, add programmatic authorization>>.
							 
						 
					
						
							
								
									
										
										
										
											2024-04-04 10:20:41 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[using_method_parameters]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Using Method Parameters
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Additionally, Spring Security provides a mechanism for discovering method parameters so they can also be accessed in the SpEL expression as well.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For a complete reference, Spring Security uses `DefaultSecurityParameterNameDiscoverer` to discover the parameter names.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								By default, the following options are tried for a method.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								1. If Spring Security's `@P` annotation is present on a single argument to the method, the value is used.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The following example uses the `@P` annotation:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.access.method.P;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasPermission(#c, 'write')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public void updateContact(@P("c") Contact contact);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.access.method.P
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("hasPermission(#c, 'write')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun doSomething(@P("c") contact: Contact?)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The intention of this expression is to require that the current `Authentication` have `write` permission specifically for this `Contact` instance.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Behind the scenes, this is implemented by using `AnnotationParameterNameDiscoverer`, which you can customize to support the value attribute of any specified annotation.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-06-30 01:40:20 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								2. If xref:servlet/integrations/data.adoc[Spring Data's] `@Param` annotation is present on at least one parameter for the method, the value is used.
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The following example uses the `@Param` annotation:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.data.repository.query.Param;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("#n == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Contact findContactByName(@Param("n") String name);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.data.repository.query.Param
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("#n == authentication.name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun findContactByName(@Param("n") name: String?): Contact?
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The intention of this expression is to require that `name` be equal to `Authentication#getName` for the invocation to be authorized.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Behind the scenes, this is implemented by using `AnnotationParameterNameDiscoverer`, which you can customize to support the value attribute of any specified annotation.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-06-30 01:40:20 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								3. If you compile your code with the `-parameters` argument, the standard JDK reflection API is used to discover the parameter names.
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This works on both classes and interfaces.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-06-30 01:40:20 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								4. Finally, if you compile your code with debug symbols, the parameter names are discovered by using the debug symbols.
							 
						 
					
						
							
								
									
										
										
										
											2023-05-11 13:56:58 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This does not work for interfaces, since they do not have debug information about the parameter names.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For interfaces, either annotations or the `-parameters` approach must be used.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-09-02 12:47:53 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[customizing-authorization-managers]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Customizing Authorization Managers
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								When you use SpEL expressions with <<use-preauthorize,`@PreAuthorize`>>, <<use-postauthorize,`@PostAuthorize`>>, <<use-prefilter,`@PreFilter`>> and <<use-postfilter,`@PostFilter`>>, Spring Security takes care of creating the appropriate `AuthorizationManager` instances for you.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In certain cases, you may want to customize what is created in order to have complete control over how authorization decisions are made xref:servlet/authorization/architecture.adoc#authz-delegate-authorization-manager[at the framework level].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In order to take control of creating instances of `AuthorizationManager` for pre- and post-annotations, you can create a custom xref:servlet/authorization/architecture.adoc#authz-authorization-manager-factory[`AuthorizationManagerFactory`].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, let's say you want to allow users with the `ADMIN` role whenever any other role is required.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To do this, you can create a custom implementation for method security as in the following example:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								include-code::./CustomMethodInvocationAuthorizationManagerFactory[tag=class,indent=0]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Now, whenever you <<use-preauthorize,use the `@PreAuthorize` annotation>> with `hasRole` or `hasAnyRole`, Spring Security will automatically invoke your custom factory to create an instance of `AuthorizationManager` that allows access for the given role(s) _OR_ the `ADMIN` role.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								We use this as a simple example of creating a custom `AuthorizationManagerFactory`, though the same outcome could be accomplished with <<favor-granting-authorities,a role hierarchy>>.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Use whichever approach fits best in your situation.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[authorize-object]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Authorizing Arbitrary Objects
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security also supports wrapping any object that is annotated its method security annotations.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-15 13:11:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The simplest way to achieve this is to mark any method that returns the object you wish to authorize with the `@AuthorizeReturnObject` annotation.
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, consider the following `User` class:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									private String name;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									private String email;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public User(String name, String email) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										this.name = name;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										this.email = email;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public String getName() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										return this.name;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize("hasAuthority('user:read')")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String getEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										return this.email;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class User (val name:String, @get:PreAuthorize("hasAuthority('user:read')") val email:String)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-15 13:11:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Given an interface like this one:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class UserRepository {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Optional<User> findByName(String name) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class UserRepository {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun findByName(name:String?): Optional<User?>? {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Then any `User` that is returned from `findById` will be secured like other Spring Security-protected components:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								UserRepository users;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Optional<User> securedUser = users.findByName("name");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> securedUser.get().getEmail());
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import jdk.incubator.vector.VectorOperators.Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import java.nio.file.AccessDeniedException
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import java.util.*
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								var users:UserRepository? = null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val securedUser: Optional<User> = users.findByName("name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException::class.java).isThrownBy{securedUser.get().getEmail()}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Using `@AuthorizeReturnObject` at the class level
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`@AuthorizeReturnObject` can be placed at the class level. Note, though, that this means Spring Security will attempt to proxy any return object, including ``String``, ``Integer`` and other types.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-15 13:11:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								This is often not what you want to do.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								If you want to use `@AuthorizeReturnObject` on a class or interface whose methods return value types, like `int`, `String`, `Double` or collections of those types, then you should also publish the appropriate `AuthorizationAdvisorProxyFactory.TargetVisitor` as follows:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2025-04-10 10:41:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
									
										
										
										
											2025-04-10 10:41:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								static TargetVisitor skipValueTypes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return TargetVisitor.defaultsSkipValueTypes();
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2025-04-10 10:41:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
									
										
										
										
											2025-04-10 10:41:36 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								open fun skipValueTypes() = TargetVisitor.defaultsSkipValueTypes()
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can set your own `AuthorizationAdvisorProxyFactory.TargetVisitor` to customize the proxying for any set of types
							 
						 
					
						
							
								
									
										
										
										
											2024-03-15 13:11:26 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Programmatically Proxying
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can also programmatically proxy a given object.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To achieve this, you can autowire the provided `AuthorizationProxyFactory` instance, which is based on which method security interceptors you have configured.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If you are using `@EnableMethodSecurity`, then this means that it will by default have the interceptors for `@PreAuthorize`, `@PostAuthorize`, `@PreFilter`, and `@PostFilter`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can proxy an instance of user in the following way:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								AuthorizationProxyFactory proxyFactory;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    User user = new User("name", "email");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(user.getEmail()).isNotNull();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    User securedUser = proxyFactory.proxy(user);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(securedUser::getEmail);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								var proxyFactory:AuthorizationProxyFactory? = null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val user: User = User("name", "email")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(user.getEmail()).isNotNull()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val securedUser: User = proxyFactory.proxy(user)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException::class.java).isThrownBy(securedUser::getEmail)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Manual Construction
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can also define your own instance if you need something different from the Spring Security default.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, if you define an `AuthorizationProxyFactory` instance like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-03-22 10:08:48 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import static org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.preAuthorize;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								// and if needing to skip value types
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								proxyFactory.setTargetVisitor(TargetVisitor.defaultsSkipValueTypes());
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-03-22 10:08:48 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor.preAuthorize
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								val proxyFactory: AuthorizationProxyFactory = AuthorizationProxyFactory(preAuthorize())
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								// and if needing to skip value types
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								proxyFactory.setTargetVisitor(TargetVisitor.defaultsSkipValueTypes())
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Then you can wrap any instance of `User` as follows:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    User user = new User("name", "email");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(user.getEmail()).isNotNull();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    User securedUser = proxyFactory.proxy(user);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(securedUser::getEmail);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    val proxyFactory: AuthorizationProxyFactory = AuthorizationAdvisorProxyFactory.withDefaults()
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    val user: User = User("name", "email")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(user.getEmail()).isNotNull()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val securedUser: User = proxyFactory.proxy(user)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThatExceptionOfType(AccessDeniedException::class.java).isThrownBy(securedUser::getEmail)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Proxying Collections
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`AuthorizationProxyFactory` supports Java collections, streams, arrays, optionals, and iterators by proxying the element type and maps by proxying the value type.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This means that when proxying a `List` of objects, the following also works:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenAuthorizes() {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-19 18:45:51 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									AuthorizationProxyFactory proxyFactory = AuthorizationAdvisorProxyFactory.withDefaults();
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    List<User> users = List.of(ada, albert, marie);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    List<User> securedUsers = proxyFactory.proxy(users);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									securedUsers.forEach((securedUser) ->
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(securedUser::getEmail));
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Proxying Classes
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In limited circumstances, it may be valuable to proxy a `Class` itself, and `AuthorizationProxyFactory` also supports this.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This is roughly the equivalent of calling `ProxyFactory#getProxyClass` in Spring Framework's support for creating proxies.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								One place where this is handy is when you need to construct the proxy class ahead-of-time, like with Spring AOT.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Support for All Method Security Annotations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								`AuthorizationProxyFactory` supports whichever method security annotations are enabled in your application.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								It is based off of whatever `AuthorizationAdvisor` classes are published as a bean.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Since `@EnableMethodSecurity` publishes `@PreAuthorize`, `@PostAuthorize`, `@PreFilter`, and `@PostFilter`  advisors by default, you will typically need to do nothing to activate the ability.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[NOTE]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								SpEL expressions that use `returnObject` or `filterObject` sit behind the proxy and so have full access to the object.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[#custom_advice]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Custom Advice
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If you have security advice that you also want applied, you can publish your own `AuthorizationAdvisor` like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    static AuthorizationAdvisor myAuthorizationAdvisor() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new AuthorizationAdvisor();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								internal class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun myAuthorizationAdvisor(): AuthorizationAdvisor {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return AuthorizationAdvisor()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And Spring Security will add that advisor into the set of advice that `AuthorizationProxyFactory` adds when proxying an object.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Working with Jackson
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								One powerful use of this feature is to return a secured value from a controller like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class UserController {
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Autowired
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    AuthorizationProxyFactory proxyFactory;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    User currentUser(@AuthenticationPrincipal User user) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.proxyFactory.proxy(user);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class UserController  {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    var proxyFactory: AuthorizationProxyFactory? = null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun currentUser(@AuthenticationPrincipal user:User?): User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return proxyFactory.proxy(user)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You will need to <<fallback-values-authorization-denied,add a `MethodAuthorizationDeniedHandler`>> like this one:
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								public class Null implements MethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return null;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@HandleAuthorizationDenied(handlerClass = Null.class)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									...
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class Null : MethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    override fun handleDeniedInvocation(methodInvocation: MethodInvocation?, authorizationResult: AuthorizationResult?): Any? {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return null
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								// ...
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@HandleAuthorizationDenied(handlerClass = Null.class)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									...
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Then, you'll see a different JSON serialization based on the authorization level of the user.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If they don't have the `user:read` authority, then they'll see:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,json]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								{
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    "name" : "name",
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    "email" : null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And if they do have that authority, they'll see:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,json]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								{
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    "name" : "name",
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    "email" : "email"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
									
										
										
										
											2024-08-30 11:43:47 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can also add the Spring Boot property `spring.jackson.default-property-inclusion=non_null` to exclude the null value from serialization, if you also don't want to reveal the JSON key to an unauthorized user.
							 
						 
					
						
							
								
									
										
										
										
											2024-02-29 14:14:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-11-18 15:42:02 -07:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[authorize-return-object-aot]]
							 
						 
					
						
							
								
									
										
										
										
											2024-09-09 14:49:22 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Working with AOT
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security will scan all beans in the application context for methods that use `@AuthorizeReturnObject`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								When it finds one, it will create and register the appropriate proxy class ahead of time.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								It will also recursively search for other nested objects that also use `@AuthorizeReturnObject` and register them accordingly.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, consider the following Spring Boot application:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@SpringBootApplication
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyApplication {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public static class MyController { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										@GetMapping
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        Message getMessage() { <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
											return new Message(someUser, "hello!");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public static class Message { <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										User to;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										String text;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        public User getTo() { <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
											return this.to;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public static class User { <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									public static void main(String[] args) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										SpringApplication.run(MyApplication.class);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@SpringBootApplication
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								open class MyApplication {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    open class MyController { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										@GetMapping
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        fun getMessage():Message { <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
											return Message(someUser, "hello!")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									open class Message { <3>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										val to: User
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										val test: String
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        fun getTo(): User { <4>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
											return this.to
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									open class User { <5>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									fun main(args: Array<String>) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										SpringApplication.run(MyApplication.class)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<1> - First, Spring Security finds the `MyController` bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<2> - Finding a method that uses `@AuthorizeReturnObject`, it proxies `Message`, the return value, and registers that proxy class to `RuntimeHints`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<3> - Then, it traverses `Message` to see if it uses `@AuthorizeReturnObject`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<4> - Finding a method that uses `@AuthorizeReturnObject`, it proxies `User`, the return value, and registers that proxy class to `RuntimeHints`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<5> - Finally, it traverses `User` to see if it uses `@AuthorizeReturnObject`; finding nothing, the algorithm completes
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								There will be many times when Spring Security cannot determine the proxy class ahead of time since it may be hidden in an erased generic type.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Consider the following change to `MyController`:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public static class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    List<Message> getMessages() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return List.of(new Message(someUser, "hello!"));
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@RestController
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static class MyController {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @AuthorizeReturnObject
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @GetMapping
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun getMessages(): Array<Message> = arrayOf(Message(someUser, "hello!"))
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								In this case, the generic type is erased and so it isn't apparent to Spring Security ahead-of-time that `Message` will need to be proxied at runtime.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								To address this, you can publish `AuthorizeProxyFactoryHintsRegistrar` like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								static SecurityHintsRegsitrar registerTheseToo(AuthorizationProxyFactory proxyFactory) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									return new AuthorizeReturnObjectHintsRegistrar(proxyFactory, Message.class);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun registerTheseToo(proxyFactory: AuthorizationProxyFactory?): SecurityHintsRegistrar {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    return AuthorizeReturnObjectHintsRegistrar(proxyFactory, Message::class.java)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security will register that class and then traverse its type as before.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[fallback-values-authorization-denied]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Providing Fallback Values When Authorization is Denied
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								There are some scenarios where you may not wish to throw an `AuthorizationDeniedException` when a method is invoked without the required permissions.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Instead, you might wish to return a post-processed result, like a masked result, or a default value in cases where authorization denied happened before invoking the method.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Spring Security provides support for handling authorization denied on method invocation by using the javadoc:org.springframework.security.authorization.method.HandleAuthorizationDenied[format=annotation].
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								The handler works for denied authorizations that happened in the <<authorizing-with-annotations,`@PreAuthorize` and `@PostAuthorize` annotations>> as well as javadoc:org.springframework.security.authorization.AuthorizationDeniedException[] thrown from the method invocation itself.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Let's consider the example from the <<authorize-object,previous section>>, but instead of creating the `AccessDeniedExceptionInterceptor` to transform an `AccessDeniedException` to a `null` return value, we will use the `handlerClass` attribute from `@HandleAuthorizationDenied`:
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class NullMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        return null;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public NullMethodAuthorizationDeniedHandler nullMethodAuthorizationDeniedHandler() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new NullMethodAuthorizationDeniedHandler();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler.class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public String getEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.email;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class NullMethodAuthorizationDeniedHandler : MethodAuthorizationDeniedHandler { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun handleDeniedInvocation(methodInvocation: MethodInvocation, authorizationResult: AuthorizationResult): Any {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        return null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean <2>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun nullMethodAuthorizationDeniedHandler(): NullMethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return MaskMethodAuthorizationDeniedHandler()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class User (val name:String, @PreAuthorize(value = "hasAuthority('user:read')") @HandleAuthorizationDenied(handlerClass = NullMethodAuthorizationDeniedHandler::class) val email:String) <3>
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<1> Create an implementation of `MethodAuthorizationDeniedHandler` that returns a `null` value
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<2> Register the `NullMethodAuthorizationDeniedHandler` as a bean
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<3> Annotate the method with `@HandleAuthorizationDenied` and pass the `NullMethodAuthorizationDeniedHandler` to the `handlerClass` attribute
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And then you can verify that a `null` value is returned instead of the `AccessDeniedException`:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[TIP]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can also annotate your class with `@Component` instead of creating a `@Bean` method
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								UserRepository users;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenNullEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Optional<User> securedUser = users.findByName("name");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(securedUser.get().getEmail()).isNull();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								var users:UserRepository? = null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun getEmailWhenProxiedThenNullEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val securedUser: Optional<User> = users.findByName("name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(securedUser.get().getEmail()).isNull()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Using the Denied Result From the Method Invocation
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								There are some scenarios where you might want to return a secure result derived from the denied result.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, if a user is not authorized to see email addresses, you might want to apply some masking on the original email address, i.e. _useremail@example.com_ would become _use\\******@example.com_.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								For those scenarios, you can override the `handleDeniedInvocationResult` from the `MethodAuthorizationDeniedHandler`, which has the javadoc:org.springframework.security.authorization.method.MethodInvocationResult[] as an argument.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Let's continue with the previous example, but instead of returning `null`, we will return a masked value of the email:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								public class EmailMaskingMethodAuthorizationDeniedHandler implements MethodAuthorizationDeniedHandler { <1>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "***";
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult, AuthorizationResult authorizationResult) {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        String email = (String) methodInvocationResult.getResult();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return email.replaceAll("(^[^@]{3}|(?!^)\\G)[^@]", "$1*");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean <2>
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public EmailMaskingMethodAuthorizationDeniedHandler emailMaskingMethodAuthorizationDeniedHandler() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new EmailMaskingMethodAuthorizationDeniedHandler();
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class User {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PostAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = EmailMaskingMethodAuthorizationDeniedHandler.class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public String getEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return this.email;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class EmailMaskingMethodAuthorizationDeniedHandler : MethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun handleDeniedInvocation(methodInvocation: MethodInvocation, authorizationResult: AuthorizationResult): Any {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "***"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    override fun handleDeniedInvocationResult(methodInvocationResult: MethodInvocationResult, authorizationResult: AuthorizationResult): Any {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        val email = methodInvocationResult.result as String
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return email.replace("(^[^@]{3}|(?!^)\\G)[^@]".toRegex(), "$1*")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    fun emailMaskingMethodAuthorizationDeniedHandler(): EmailMaskingMethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return EmailMaskingMethodAuthorizationDeniedHandler()
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class User (val name:String, @PostAuthorize(value = "hasAuthority('user:read')") @HandleAuthorizationDenied(handlerClass = EmailMaskingMethodAuthorizationDeniedHandler::class) val email:String) <3>
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<1> Create an implementation of `MethodAuthorizationDeniedHandler` that returns a masked value of the unauthorized result value
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<2> Register the `EmailMaskingMethodAuthorizationDeniedHandler` as a bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<3> Annotate the method with `@HandleAuthorizationDenied` and pass the `EmailMaskingMethodAuthorizationDeniedHandler` to the `handlerClass` attribute
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								And then you can verify that a masked email is returned instead of an `AccessDeniedException`:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[WARNING]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Since you have access to the original denied value, make sure that you correctly handle it and do not return it to the caller.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								====
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								UserRepository users;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void getEmailWhenProxiedThenMaskedEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    Optional<User> securedUser = users.findByName("name");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // email is useremail@example.com
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(securedUser.get().getEmail()).isEqualTo("use******@example.com");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								var users:UserRepository? = null
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun getEmailWhenProxiedThenMaskedEmail() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val securedUser: Optional<User> = users.findByName("name")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // email is useremail@example.com
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(securedUser.get().getEmail()).isEqualTo("use******@example.com")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								When implementing the `MethodAuthorizationDeniedHandler` you have a few options on what type you can return:
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								- A `null` value.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								- A non-null value, respecting the method's return type.
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								- Throw an exception, usually an instance of `AuthorizationDeniedException`. This is the default behavior.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								- A `Mono` type for reactive applications.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Note that since the handler must be registered as beans in your application context, you can inject dependencies into them if you need a more complex logic.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								In addition to that, you have available the `MethodInvocation` or the `MethodInvocationResult`, as well as the `AuthorizationResult` for more details related to the authorization decision.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[deciding-return-based-parameters]]
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Deciding What to Return Based on Available Parameters
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Consider a scenario where there might be multiple mask values for different methods, it would be not so productive if we had to create a handler for each of those methods, although it is perfectly fine to do that.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								In such cases, we can use the information passed via parameters to decide what to do.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								For example, we can create a custom `@Mask` annotation and a handler that detects that annotation to decide what mask value to return:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.core.annotation.AnnotationUtils;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public @interface Mask {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    String value();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MaskAnnotationDeniedHandler implements MethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        Mask mask = AnnotationUtils.getAnnotation(methodInvocation.getMethod(), Mask.class);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return mask.value();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public MaskAnnotationDeniedHandler maskAnnotationDeniedHandler() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return new MaskAnnotationDeniedHandler();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								public class MyService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler.class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Mask("***")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String foo() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "foo";
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler.class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Mask("???")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public String bar() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "bar";
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								import org.springframework.core.annotation.AnnotationUtils
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target(AnnotationTarget.FUNCTION, AnnotationTarget.CLASS)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(AnnotationRetention.RUNTIME)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								annotation class Mask(val value: String)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MaskAnnotationDeniedHandler : MethodAuthorizationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun handleDeniedInvocation(methodInvocation: MethodInvocation, authorizationResult: AuthorizationResult): Any {
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        val mask = AnnotationUtils.getAnnotation(methodInvocation.method, Mask::class.java)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return mask.value
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Configuration
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class SecurityConfig {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Bean
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun maskAnnotationDeniedHandler(): MaskAnnotationDeniedHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return MaskAnnotationDeniedHandler()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MyService {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler::class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Mask("***")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun foo(): String {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "foo"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @PreAuthorize(value = "hasAuthority('user:read')")
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler::class)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    @Mask("???")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    fun bar(): String {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return "bar"
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Now the return values when access is denied will be decided based on the `@Mask` annotation:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								MyService myService;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void fooWhenDeniedThenReturnStars() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    String value = this.myService.foo();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(value).isEqualTo("***");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								void barWhenDeniedThenReturnQuestionMarks() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    String value = this.myService.foo();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(value).isEqualTo("???");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Autowired
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								var myService: MyService
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun fooWhenDeniedThenReturnStars() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val value: String = myService.foo()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(value).isEqualTo("***")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Test
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								fun barWhenDeniedThenReturnQuestionMarks() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    val value: String = myService.foo()
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    assertThat(value).isEqualTo("???")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Combining with Meta Annotation Support
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								You can also combine the `@HandleAuthorizationDenied` with other annotations in order to reduce and simplify the annotations in a method.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Let's consider the <<deciding-return-based-parameters,example from the previous section>> and merge `@HandleAuthorizationDenied` with `@Mask`:
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target({ ElementType.METHOD, ElementType.TYPE })
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(RetentionPolicy.RUNTIME)
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler.class)
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								public @interface Mask {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    String value();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Mask("***")
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								public String myMethod() {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Target(AnnotationTarget.FUNCTION, AnnotationTarget.CLASS)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Retention(AnnotationRetention.RUNTIME)
							 
						 
					
						
							
								
									
										
										
										
											2024-04-09 10:56:40 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@HandleAuthorizationDenied(handlerClass = MaskAnnotationDeniedHandler::class)
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								annotation class Mask(val value: String)
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Mask("***")
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								fun myMethod(): String {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    // ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-04-05 15:44:45 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Now you do not have to remember to add both annotations when you need a mask behavior in your method.
							 
						 
					
						
							
								
									
										
										
										
											2024-03-08 10:46:27 -03:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Make sure to read the <<meta-annotations,Meta Annotations Support>> section for more details on the usage.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[migration-enableglobalmethodsecurity]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								== Migrating from `@EnableGlobalMethodSecurity`
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								If you are using `@EnableGlobalMethodSecurity`, you should migrate to `@EnableMethodSecurity`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2025-09-02 18:48:37 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								If you cannot migrate at this time, please include the `spring-security-access` module as a dependency like so:
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Maven::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<dependency>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <groupId>org.springframework.security</groupId>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    <artifactId>spring-security-access</artifactId>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								</dependency>
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Gradle::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								[source,groovy,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								implementation('org.springframework.security:spring-security-access')
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[servlet-replace-globalmethodsecurity-with-methodsecurity]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								=== Replace xref:servlet/authorization/method-security.adoc#jc-enable-global-method-security[global method security] with xref:servlet/authorization/method-security.adoc#jc-enable-method-security[method security]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2024-07-09 13:23:24 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								javadoc:org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity[format=annotation] and xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[`<global-method-security>`] are deprecated in favor of javadoc:org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity[`@EnableMethodSecurity`] and xref:servlet/appendix/namespace/method-security.adoc#nsa-method-security[`<method-security>`], respectively.
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								The new annotation and XML element activate Spring's xref:servlet/authorization/method-security.adoc#jc-enable-method-security[pre-post annotations] by default and use `AuthorizationManager` internally.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This means that the following two listings are functionally equivalent:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableGlobalMethodSecurity(prePostEnabled = true)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@EnableGlobalMethodSecurity(prePostEnabled = true)
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<global-method-security pre-post-enabled="true"/>
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								and:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								<method-security/>
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								For applications not using the pre-post annotations, make sure to turn it off to avoid activating unwanted behavior.
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								For example, a listing like:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableGlobalMethodSecurity(securedEnabled = true)
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableGlobalMethodSecurity(securedEnabled = true)
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<global-method-security secured-enabled="true"/>
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								should change to:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@EnableMethodSecurity(securedEnabled = true, prePostEnabled = false)
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Xml::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,xml,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								<method-security secured-enabled="true" pre-post-enabled="false"/>
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								=== Use a Custom `@Bean` instead of subclassing `DefaultMethodSecurityExpressionHandler`
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								As a performance optimization, a new method was introduced to `MethodSecurityExpressionHandler` that takes a `Supplier<Authentication>` instead of an `Authentication`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This allows Spring Security to defer the lookup of the `Authentication`, and is taken advantage of automatically when you use `@EnableMethodSecurity` instead of `@EnableGlobalMethodSecurity`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								However, let's say that your code extends `DefaultMethodSecurityExpressionHandler` and overrides `createSecurityExpressionRoot(Authentication, MethodInvocation)` to return a custom `SecurityExpressionRoot` instance.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								This will no longer work because the arrangement that `@EnableMethodSecurity` sets up calls `createEvaluationContext(Supplier<Authentication>, MethodInvocation)` instead.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Happily, such a level of customization is often unnecessary.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Instead, you can create a custom bean with the authorization methods that you need.
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								For example, let's say you are wanting a custom evaluation of `@PostAuthorize("hasAuthority('ADMIN')")`.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can create a custom `@Bean` like this one:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class MyAuthorizer {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									boolean isAdmin(MethodSecurityExpressionOperations root) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										boolean decision = root.hasAuthority("ADMIN");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// custom work ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return decision;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								class MyAuthorizer {
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
									fun isAdmin(root: MethodSecurityExpressionOperations): boolean {
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
										val decision = root.hasAuthority("ADMIN");
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										// custom work ...
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return decision;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
									}
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:30:41 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2021-06-16 10:31:29 +02:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								and then refer to it in the annotation like so:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("@authz.isAdmin(#root)")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@PreAuthorize("@authz.isAdmin(#root)")
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[[subclass-defaultmethodsecurityexpressionhandler]]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								==== I'd still prefer to subclass `DefaultMethodSecurityExpressionHandler`
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								If you must continue subclassing `DefaultMethodSecurityExpressionHandler`, you can still do so.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Instead, override the `createEvaluationContext(Supplier<Authentication>, MethodInvocation)` method like so:
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[tabs]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Java::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,java,role="primary"]
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MyExpressionHandler extends DefaultMethodSecurityExpressionHandler {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    @Override
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    public EvaluationContext createEvaluationContext(Supplier<Authentication> authentication, MethodInvocation mi) {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										StandardEvaluationContext context = (StandardEvaluationContext) super.createEvaluationContext(authentication, mi);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        MethodSecurityExpressionOperations delegate = (MethodSecurityExpressionOperations) context.getRootObject().getValue();
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        MySecurityExpressionRoot root = new MySecurityExpressionRoot(delegate);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        context.setRootObject(root);
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return context;
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								Kotlin::
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								+
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								[source,kotlin,role="secondary"]
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								@Component
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								class MyExpressionHandler: DefaultMethodSecurityExpressionHandler {
							 
						 
					
						
							
								
									
										
										
										
											2025-01-08 11:53:31 +01:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    override fun createEvaluationContext(authentication: Supplier<Authentication>,
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        val mi: MethodInvocation): EvaluationContext {
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
										val context = super.createEvaluationContext(authentication, mi) as StandardEvaluationContext
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        val delegate = context.getRootObject().getValue() as MethodSecurityExpressionOperations
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        val root = MySecurityExpressionRoot(delegate)
							 
						 
					
						
							
								
									
										
										
										
											2023-11-30 12:00:05 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								        context.setRootObject(root)
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								        return context
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								    }
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								}
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								----
							 
						 
					
						
							
								
									
										
										
										
											2023-06-18 21:40:45 -05:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								======
							 
						 
					
						
							
								
									
										
										
										
											2019-09-22 00:56:30 -06:00 
										
									 
								 
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
									
										
										
										
											2023-04-18 18:13:50 -06:00 
										
									 
								 
							 
							
								
									
										 
								
							 
							
								 
							
								
									
								 
							
							
								== Further Reading
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								Now that you have secured your application's requests, please xref:servlet/authorization/authorize-http-requests.adoc[secure its requests] if you haven't already.
							 
						 
					
						
							
								
							 
							
								
							 
							
								 
							
								
									
								 
							
							
								You can also read further on xref:servlet/test/index.adoc[testing your application] or on integrating Spring Security with other aspects of you application like xref:servlet/integrations/data.adoc[the data layer] or xref:servlet/integrations/observability.adoc[tracing and metrics].