Which method from the permissions evaluator will be called?
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission)
Will be called.
I read that the first argument (authentication object) is not bundled.
It is not explicitly referenced in your annotation, but implicitly provided by Spring. Your annotation should just read
@PreAuthorize("hasPermission(#opetussuunnitelmaDto, 'LUONTI')")
Ideally, I would check if they are even authenticated before authorization.
@PreAuthorize("isAuthenticated() and hasPermission(#opetussuunnitelmaDto, 'LUONTI')")
Update to your comment
Basically, you can either call PermissionEvaluator, or:
hasPermission('#targetDomainObject', 'permission') // method1 hasPermission('targetId', 'targetType', 'permission') // method2
Authentication will always be provided by Spring. In your case, you call hasPermission as follows
hasPermission (null, 'opetussuunnitelma', 'LUONTI') ")
which will correspond to method2 , but passing in a null identifier does not make sense, what object are you going to configure to check the permission? Based on your method in which you use @PreAuthorize,
OpetussuunnitelmaDto addOpetussuunnitelma (OpetussuunnitelmaDto opetussuunnitelmaDto);
it might make more sense to call method1 , since you seem to have something similar to the target domain object.