Custom permissions in Spring Security - targetId null

I'm securing my Application with expression based Spring Security 3.x. I have the following service interface:

@PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#employeeId, 'employee', 'isOwner')")
EmployeeData getById(Integer employeeId);

@PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#employeeId, 'employee', 'isOwner')")
void update(Integer employeeId, EmployeeData employeedata);

My PermissionEvaluator looks as follows:

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
    // Maps a permission key such as "isOwner" to the custom Permission that checks it.
    private Map<String, Permission> permissionMap = new HashMap<String, Permission>();

    public CustomPermissionEvaluator(Map<String, Permission> permissionMap) {
        this.permissionMap = permissionMap;
    }

    // Only the id-based form hasPermission(#id, 'type', 'perm') is supported; the
    // domain-object form is rejected explicitly.
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        throw new PermissionNotDefinedException("Permission not supported for loaded domain object by " + this.getClass().toString());
    }

    // Called for hasPermission(#employeeId, 'employee', 'isOwner'); targetId is the
    // value SpEL resolved for #employeeId (null when the name could not be resolved).
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        verifyPermissionIsDefined((String) permission);
        return permissionMap.get(permission).isAllowed(authentication, (Integer) targetId);
    }

    private void verifyPermissionIsDefined(String permissionKey) {
        if (!permissionMap.containsKey(permissionKey)) {
            throw new PermissionNotDefinedException("No permission with key '" + permissionKey + "' is defined in " + this.getClass().toString());
        }
    }
}

For the first service method (getById) this works as it's supposed to:

  • If the user has the ROLE_ADMIN, then he's allowed to get the data.
  • If the user wants to look up his own profile, he's allowed as well

But for the second method, the update method, the application doesn't work. The targetId is always null when it invokes the method hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission).

I can't figure out why. Any help would be appreciated.

Answers

Please check that parameter names match both in the service and in the implementation.

You can also check how the MethodSecurityEvaluationContext.lookupVariable method works with the debugger.

See similar question: spring security : Why can't we access Hibernate entity parameters in @PreAuthorize?
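The answer's point is that `#employeeId` is resolved from the parameter names of the method that is actually invoked (the implementation), which come either from `-g` debug information or from an explicit annotation; when the name is not found the variable evaluates to null and the evaluator receives a null targetId. The following is an added example, not code from the question or the answer, showing a wiring that does not depend on the implementation's parameter names and that fails closed when the id is still null. It assumes Spring Security 3.2 or later (for `@EnableGlobalMethodSecurity` and `@P`), and the names `Permission`, `OwnerPermission`, `EmployeeService`, `EmployeeServiceImpl`, `EmployeeData` and `MethodSecurityConfig` are assumptions for illustration; the owner lookup is an in-memory stand-in for a repository.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.parameters.P;

// Assumed shape of the question's Permission interface.
interface Permission {
    boolean isAllowed(Authentication authentication, Integer targetId);
}

// Owner check: the caller's username must match the owner recorded for the employee id.
class OwnerPermission implements Permission {
    private final Map<Integer, String> ownerByEmployeeId; // constructed stand-in for a repository

    OwnerPermission(Map<Integer, String> ownerByEmployeeId) {
        this.ownerByEmployeeId = ownerByEmployeeId;
    }

    @Override
    public boolean isAllowed(Authentication authentication, Integer targetId) {
        // An unresolved #employeeId (the symptom in the question) must deny, not throw or allow.
        if (authentication == null || targetId == null) {
            return false;
        }
        String owner = ownerByEmployeeId.get(targetId);
        return owner != null && owner.equals(authentication.getName());
    }
}

class SafePermissionEvaluator implements PermissionEvaluator {
    private final Map<String, Permission> permissionMap;

    SafePermissionEvaluator(Map<String, Permission> permissionMap) {
        this.permissionMap = permissionMap;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        return false; // domain-object form not supported: deny rather than throw
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        // Unknown permission keys and non-employee targets are denied instead of raising.
        Permission p = permissionMap.get(String.valueOf(permission));
        if (p == null || !"employee".equals(targetType) || !(targetId instanceof Integer)) {
            return false;
        }
        return p.isAllowed(auth, (Integer) targetId);
    }
}

class EmployeeData {
    String name;
}

interface EmployeeService {
    // @P binds the SpEL name explicitly, so resolution no longer relies on the
    // implementation's parameter names or on the class being compiled with -g.
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#employeeId, 'employee', 'isOwner')")
    void update(@P("employeeId") Integer employeeId, EmployeeData data);
}

class EmployeeServiceImpl implements EmployeeService {
    // Keeping the parameter name identical to the interface is the belt-and-braces
    // fix the answer recommends; it also works without @P when debug info is present.
    @Override
    public void update(Integer employeeId, EmployeeData data) {
        // business logic omitted
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        Map<Integer, String> owners = new HashMap<Integer, String>(); // constructed sample data
        owners.put(42, "alice");
        Map<String, Permission> permissions = new HashMap<String, Permission>();
        permissions.put("isOwner", new OwnerPermission(owners));

        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new SafePermissionEvaluator(permissions));
        return handler;
    }
}
```

With this wiring a request by "alice" for employee 42 passes the owner check, any other user is denied, and a call where `#employeeId` still resolves to null is denied rather than producing a ClassCastException or NullPointerException inside the evaluator. While diagnosing, a breakpoint in `MethodSecurityEvaluationContext.lookupVariable` shows which parameter names were discovered for the invoked method.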
