Spring Security: Why can't we access Hibernate entity properties in @PreAuthorize?

I have the following interface method on which I apply @PreAuthorize:

```java
@PreAuthorize("doSomething(#user.id)")
void something(User user, List<User> accessList);
```

where User is a Hibernate entity. This gives me an error:

```
org.springframework.expression.spel.SpelEvaluationException: EL1007E:(pos 13): Field or property 'id' cannot be found on null
    at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:204)
```

There is no way for the User parameter to be null: if I remove the annotation and check the user value in the method that implements this interface method, there is a valid User object there. In addition, before calling this method, I made sure that the user object was correctly constructed.

I really can't understand why the User parameter should be considered null by the SpEL parser.

+4

4 answers

You can check with the debugger what happens in `MethodSecurityEvaluationContext`, inside the `Object lookupVariable(String name)` method:

```java
@Override
public Object lookupVariable(String name) {
    // First try the variables already registered in the context
    Object variable = super.lookupVariable(name);
    if (variable != null) {
        return variable;
    }
    // Method arguments are registered lazily, on the first miss
    if (!argumentsAdded) {
        addArgumentsAsVariables();
        argumentsAdded = true;
    }
    // Second attempt, now with the arguments bound by parameter name
    return super.lookupVariable(name);
}
```

and so you can see what happens in the `addArgumentsAsVariables()` method, since the conversion of the method arguments to SpEL variables is very clearly implemented in Spring.

+2

Spring Security now has a better answer for this problem:

http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#access-control-using-preauthorize-and-postauthorize

Basically, you can use the @P annotation, or the @Param annotation, if you use a JDK older than 8.

+1
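The first answer shows where the arguments are turned into SpEL variables, and the second names the fix. The following is an added example (not code from either answer or from the Spring documentation) that applies that fix to the interface method from the question. It assumes, as the question does, that `doSomething(...)` is resolvable from the security expression root; `User` is a minimal constructed stand-in for the Hibernate entity.

```java
import java.util.List;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;

// Constructed stand-in for the Hibernate entity referred to in the question.
class User {
    private Long id;

    public Long getId() {
        return id;
    }
}

public interface UserService {

    // Without @P, MethodSecurityEvaluationContext.addArgumentsAsVariables()
    // can only bind #user if it can discover the parameter name. An interface
    // compiled without debug information (or, before JDK 8, without any way to
    // keep names) yields no name, so #user is unset, evaluates to null and
    // "#user.id" fails with EL1007E, exactly as in the question.
    //
    // @P("user") registers the first argument under the variable name "user"
    // regardless of what the class file carries, so #user.id resolves to the
    // entity's id.
    //
    // On JDK 8 and later, compiling with "javac -parameters" stores the names
    // in the class file and makes the annotation unnecessary.
    @PreAuthorize("doSomething(#user.id)")
    void something(@P("user") User user, List<User> accessList);
}
```

The @P annotation lives in `org.springframework.security.access.method.P`; Spring Data's `@Param` is accepted by the same mechanism, which is why the answer mentions both.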

You can check out `LazyParamAwareEvaluationContext`, inside the `loadArgsAsVariables()` method, in version 3.1.0.

The same key is used for different entities, due to the implementation of the interface.

0

I need to add something to this, as the title says that we cannot access Hibernate entity properties.

There are two variants of hasPermission: one for a loaded object and one for a serializable object. Here is the code from the test case:

```java
@PreAuthorize("isAuthenticated() and hasPermission(#organization, 'edit')")
public long protectedMethod(Organization organization) {
    return organization.getId();
}
```

And for the latter, here we see that we can access the id of the organization (which is a Hibernate entity):

```java
@PreAuthorize("isAuthenticated() and hasPermission(#organization.getId(), 'organization', 'edit')")
public long protectedMethodSerializableEdition(Organization organization) {
    return organization.getId();
}
```

0
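Both expressions in the answer above end up in a `PermissionEvaluator`, one overload per `hasPermission` form. The following is an added example (not the Spring test case the answer quotes) of an evaluator that serves both; `Organization`, `OrganizationRepository` and the owner-based rule are constructed for the illustration.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Constructed stand-ins for the entity and its repository.
class Organization {
    private Long id;
    private String ownerUsername;

    public Long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}

interface OrganizationRepository {
    Organization findById(Long id);
}

public class OrganizationPermissionEvaluator implements PermissionEvaluator {

    private final OrganizationRepository organizations;

    public OrganizationPermissionEvaluator(OrganizationRepository organizations) {
        this.organizations = organizations;
    }

    // Backs hasPermission(#organization, 'edit'): the loaded entity itself is
    // handed over through the SpEL variable, so no lookup is needed.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Organization)) {
            return false; // deny by default on missing auth or unexpected type
        }
        return allowed(auth, (Organization) target, permission);
    }

    // Backs hasPermission(#organization.getId(), 'organization', 'edit'):
    // only a serializable id and a type name arrive, so the evaluator must
    // load the entity before it can decide. Unknown types and ids that do not
    // resolve are denied rather than treated as "nothing to protect".
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !"organization".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        Organization org = organizations.findById((Long) targetId);
        return org != null && allowed(auth, org, permission);
    }

    // Sample rule shared by both overloads: only the owner may 'edit';
    // any authenticated principal may 'read'.
    private boolean allowed(Authentication auth, Organization org, Object permission) {
        if ("edit".equals(permission)) {
            return auth.getName().equals(org.getOwnerUsername());
        }
        return "read".equals(permission);
    }
}
```

The evaluator is wired in through `DefaultMethodSecurityExpressionHandler#setPermissionEvaluator`, which is what makes `hasPermission(...)` in `@PreAuthorize` dispatch to these two methods. Keeping the id-based overload strict about `targetType` matters because the same evaluator is reached from every annotated method in the application.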

Source: https://habr.com/ru/post/1414524/
