Writing your spring security expression language annotation — PART 3

Baby Steps to Pro
2 min read · Dec 9, 2021

In this last part of the tutorial, I will discuss how to override the behaviour of the default Spring Security method expressions. You may wonder why I would need to override the default behaviour of these methods. The reason is that, in a recent development project, we were reviewing the developers' code and we wanted to maintain a standard coding practice. We found that the default method expressions are too flexible. In our case, under similar coding scenarios, some developers used hasRole() for the security check while other developers used hasPermission(). In order to keep the program maintainable, we had the idea of disallowing developers from using certain security method expressions. That's why we had the crazy idea of overriding the default behaviour of these methods. (This may not be a good idea :P. But anyway, we have implemented it :D)

In this example, I simply show how to override the default behaviour of the hasRole() method. You cannot do this by overriding the hasRole() method of SecurityExpressionRoot directly, because most of the methods in this class are marked as final. To achieve it, we have to create a new expression root class and a new expression handler.

Step 1: Create your Expression Root class and Evaluation Context class with your own expression methods

In my case, I want to stop developers from using certain methods (e.g. hasRole()). I can do this by simply not including the method in the new root class, or I can simply throw an exception to alert the user not to use it.

You can see in the following code that I have added custom behaviour (i.e. simply throwing an exception) to hasAuthority(), hasAnyAuthority(), hasRole() and hasAnyRole(). You can add more logic to these methods to suit your application requirements.

Step 2: Create your Expression Handler class, which implements SecurityExpressionHandler and ApplicationContextAware

In this class, you have to implement createEvaluationContext(). This is the key method: it creates your newly defined security expression root class (i.e. RestrictedSecurityExpressionRoot) and evaluation context class (i.e. RestrictedMethodSecurityEvaluationContext), so every method expression is evaluated against your restricted root instead of Spring's default one.

Step 3: Add your custom expression handler to your configuration file

The last step is to register your custom security expression handler in the XML configuration file. The permissionEvaluator was created in the previous post; you can see its source code in "PART 1".

Now, when a developer uses the annotation @PreAuthorize("hasRole('XXX')"), it will throw an exception at evaluation time, so the disallowed expression is caught as soon as the secured method is first called in testing rather than slipping through code review. This is only a simple example. You could apply the same idea and build your own custom logic inside Spring's default methods (hasRole(), hasAuthority(), etc.) to suit your application requirements and logic.
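Below is an added example (not the post's own gist) that reaches the same result with less code: instead of writing a handler from scratch, it overrides createSecurityExpressionRoot() on Spring's DefaultMethodSecurityExpressionHandler and wraps the fully configured default root in a delegating root that rejects the four role/authority expressions. The class names RestrictedMethodSecurityExpressionHandler and RestrictedRoot are assumptions; the Spring types are those of Spring Security 5.x.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.core.Authentication;

// Added example; class names are assumptions, not the post's own classes.
public class RestrictedMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler {

    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        // Let Spring build the default root (permission evaluator, role hierarchy,
        // trust resolver and 'this' already set), then wrap it.
        return new RestrictedRoot(super.createSecurityExpressionRoot(authentication, invocation));
    }

    /** Delegates everything except the disallowed role/authority checks. */
    static final class RestrictedRoot implements MethodSecurityExpressionOperations {
        private final MethodSecurityExpressionOperations delegate;
        RestrictedRoot(MethodSecurityExpressionOperations delegate) { this.delegate = delegate; }

        private static boolean reject(String method) {
            throw new IllegalStateException(
                    "Expression '" + method + "()' is not permitted here; use hasPermission() instead");
        }
        // Disallowed expressions: fail loudly so misuse is caught on first evaluation.
        public boolean hasRole(String role) { return reject("hasRole"); }
        public boolean hasAnyRole(String... roles) { return reject("hasAnyRole"); }
        public boolean hasAuthority(String authority) { return reject("hasAuthority"); }
        public boolean hasAnyAuthority(String... authorities) { return reject("hasAnyAuthority"); }
        // Everything else keeps Spring's default behaviour via the wrapped root.
        public Authentication getAuthentication() { return delegate.getAuthentication(); }
        public boolean permitAll() { return delegate.permitAll(); }
        public boolean denyAll() { return delegate.denyAll(); }
        public boolean isAnonymous() { return delegate.isAnonymous(); }
        public boolean isAuthenticated() { return delegate.isAuthenticated(); }
        public boolean isRememberMe() { return delegate.isRememberMe(); }
        public boolean isFullyAuthenticated() { return delegate.isFullyAuthenticated(); }
        public boolean hasPermission(Object target, Object permission) {
            return delegate.hasPermission(target, permission);
        }
        public boolean hasPermission(Object targetId, String targetType, Object permission) {
            return delegate.hasPermission(targetId, targetType, permission);
        }
        public void setFilterObject(Object o) { delegate.setFilterObject(o); }
        public Object getFilterObject() { return delegate.getFilterObject(); }
        public void setReturnObject(Object o) { delegate.setReturnObject(o); }
        public Object getReturnObject() { return delegate.getReturnObject(); }
        public Object getThis() { return delegate.getThis(); }
    }
}
```

Register it as a bean (setting the permissionEvaluator property from PART 1 on it) and reference that bean from the expression-handler element inside global-method-security, exactly where the post's own handler is wired in Step 3. Because the wrapper still implements MethodSecurityExpressionOperations, @PreFilter/@PostFilter and @PostAuthorize keep working unchanged.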

Originally published at https://www.borislam.com on December 9, 2021.


Written by Baby Steps to Pro

We are technology enthusiasts with more than 15 years of software development experience. Our current focus is framework development and architectural design.
