mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-12 07:02:13 +00:00
SEC-1529: More user-friendly expression @PreAuthorize expression in EL chapter.
This commit is contained in:
Luke Taylor
parent
1a9b7e1b6f
commit
f6abc24ed6
@ -154,14 +154,16 @@
|
||||
within the expression, so you can also access properties on the arguments. For
|
||||
example, if you wanted a particular method to only allow access to a user whose
|
||||
username matched that of the contact, you could write</para>
|
||||
<programlisting> @PreAuthorize("#contact.name == principal.name)")
|
||||
<programlisting>
|
||||
@PreAuthorize("#contact.name == authentication.name")
|
||||
public void doSomething(Contact contact);</programlisting>
|
||||
<para>Here we are accessing another built–in expression, which is the
|
||||
<literal>principal</literal> of the current Spring Security
|
||||
<interfacename>Authentication</interfacename> object obtained from the
|
||||
security context. You can also access the
|
||||
<interfacename>Authentication</interfacename> object itself directly using
|
||||
the expression name <literal>authentication</literal>.</para>
|
||||
<para>Here we are accessing another built–in expression, <literal>authentication</literal>,
|
||||
which is the <interfacename>Authentication</interfacename> stored in the
|
||||
security context. You can also access its <quote>principal</quote> property
|
||||
directly, using the expression <literal>principal</literal>. The value will
|
||||
often be a <interfacename>UserDetails</interfacename> instance, so you might use an
|
||||
expression like <literal>principal.username</literal> or
|
||||
<literal>principal.enabled</literal>.</para>
|
||||
<para>Less commonly, you may wish to perform an access-control check after the
|
||||
method has been invoked. This can be achieved using the
|
||||
<literal>@PostAuthorize</literal> annotation. To access the return value
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user