Home/ Questions/Q 8534903
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T10:18:19+00:00

I’m securing my Application with expression based Spring Security 3.x. I have the following

  • 0

I’m securing my Application with expression based Spring Security 3.x. I have the following service interface:

@PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#employeeId, 'employee', 'isOwner')")
EmployeeData getById(Integer employeeId);

@PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#employeeId, 'employee', 'isOwner')")
void update(Integer employeeId, EmployeeData employeedata);

My PermissionEvaluator looks as follows:

@Component
public class CustomPermissionEvaluator implements PermissionEvaluator {
    private Map<String, Permission> permissionMap = new HashMap<String, Permission>();

    public CustomPermissionEvaluator(Map<String, Permission> permissionMap) {
        this.permissionMap = permissionMap;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        throw new PermissionNotDefinedException("Permission not supported for loaded domain object by " + this.getClass().toString());
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        verifyPermissionIsDefined((String) permission);
        return permissionMap.get(permission).isAllowed(authentication, (Integer) targetId);
    }

    private void verifyPermissionIsDefined(String permissionKey) {
        if (!permissionMap.containsKey(permissionKey)) {
            throw new PermissionNotDefinedException("No permission with key '" + permissionKey + "' is defined in" + this.getClass().toString());
        }
    }
}

For the first service method (getById) this works as it’s supposed to:

  • If the user has the ROLE_ADMIN, then he’s allowed to get the data.
  • If the user wants to look up his own profile, he’s allowed as well

But, for the second method, the update method, the application doesn’t work. The targetId is always null, when it invokes the method hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission).

I can’t figure out why. Any help would be appreciated.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Please check that parameter names match both in the service and in the implementation.

    You can also check how MethodSecurityEvaluationContext.lookupVariable method is working with the debugger.

    See similar question: spring security : Why can't we access Hibernate entitiy parameters in @PreAuthorize?

    • 0