Spring Security ACL plugin for grails by default uses the BasePermission class with 4 basic permissions. And uses DefaultFactory to assign this permissions. And AclPermissionEvaluator where this DefaultFactory is assigned.
When use this approach all is fine. I can use
@PreAuthorize("hasPermission(#report, read)")
Here I provided one of the basic permissions called READ which is defined in BasePermission class.
What I need is my own custom permissions.
I’ve done:
public class MyPermission extends AbstractPermission{
public static final Permission APPROVE= new MyPermission(1 << 0, 'a');
//constructors here..
}
1) How correctly assign my custom permission to use it like I used permissions from BasePermission?
2)Should I define my CustomFactory or its possible to use DefaultFactory?
3)If yes, how to set it to existing permission evaluator?
Also another open question. I’ve played around with subclass of BasePermission, but in that case I should use
@PreAuthorize("hasPermission(#report, 'approve')")
instead of just
@PreAuthorize("hasPermission(#report, approve)")
4)Why in case of no single quotes I got the error?
Class:org.springframework.expression.spel.SpelEvaluationException
Message:EL1008E:(pos 28): Field or property 'approve' cannot be found on object of type 'org.springframework.security.access.expression.method.MethodSecurityExpressionRoot'
Thanks in advance!
You’re better off extending
org.springframework.security.acls.domain.BasePermissionsince that way you have all the standard permissions plus yours:You need to register it with the permission factory to make it available in expressions; override the
aclPermissionFactorybean ingrails-app/conf/spring/resources.groovy, passing your class as the constructor argument:The reason it works unquoted with standard permissions is that
MethodSecurityExpressionRoothas constants for the standard permissions:but there isn’t one for yours, so you need to quote it to force a lookup in your permission class.