Issue
Hi, we are implementing ABAC over Spring Security (it looks the same as the Axiomatics solution), so we would like to define a custom expression and customize the underlying mechanisms, e.g. @PreAuthorize("myexpression").
At this point I'm trying to understand how I can get information about the target method (the JoinPoint): name, class, parameters. I didn't find how to do it for Spring Security customization.
As I understand, another solution may be an implementation based directly on AOP, e.g. @Around; however, I would like to first try to find out whether Spring Security can provide me a way to somehow get the JoinPoint itself. Isn't it implemented over AOP?
If anyone has an example, thanks.
Solution
I would recommend checking out the new support for @PreAuthorize in Spring Security 5.6 with @EnableMethodSecurity. See the reference docs for information on how to customize the interceptors. There are numerous places you can hook into this support based on your requirements using delegation or fully replacing components with your own implementation.
In your case, it seems the most likely place to start would be creating an @Bean to replace the AuthorizationManagerBeforeMethodInterceptor:
    @Bean
    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
    Advisor preAuthorizeAuthorizationMethodInterceptor() {
        PreAuthorizeAuthorizationManager authorizationManager = new PreAuthorizeAuthorizationManager();
        // Plug in your own MethodSecurityExpressionHandler here
        authorizationManager.setExpressionHandler(...);
        // Build the @PreAuthorize interceptor around the customized manager
        return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(authorizationManager);
    }
You will have to implement the MethodSecurityExpressionHandler, but you can use delegation to re-use the DefaultMethodSecurityExpressionHandler for anything you don't want to implement yourself.
Answered By - Steve Riesenberg
Answer Checked By - Mary Flores (JavaFixing Volunteer)
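The delegation approach described in the answer, sketched as an added example (not code from the original answer or from Spring Security itself), assuming the Spring Security 5.6 API: the handler receives the AOP Alliance MethodInvocation, which carries the method, target object and arguments the question asks about. The class name, the SpEL variable names and the abacPolicy bean in the comment are hypothetical.

```java
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.aop.support.AopUtils;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.core.Authentication;

// Hypothetical handler: delegates to an existing handler (for example a
// DefaultMethodSecurityExpressionHandler bean) and only adds call metadata.
public class AbacMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler {

    private final MethodSecurityExpressionHandler delegate;

    public AbacMethodSecurityExpressionHandler(MethodSecurityExpressionHandler delegate) {
        this.delegate = delegate;
    }

    @Override
    public ExpressionParser getExpressionParser() {
        return delegate.getExpressionParser();
    }

    @Override
    public EvaluationContext createEvaluationContext(Authentication authentication, MethodInvocation mi) {
        EvaluationContext ctx = delegate.createEvaluationContext(authentication, mi);
        Object target = mi.getThis();
        // Resolve the real class behind a proxy; fall back to the declaring class.
        Class<?> targetClass = (target != null)
                ? AopUtils.getTargetClass(target)
                : mi.getMethod().getDeclaringClass();
        // Assumed variable names, prefixed to avoid clashing with parameter names.
        // Usable as: @PreAuthorize("@abacPolicy.permits(authentication, #targetClass, #targetMethod, #targetArgs)")
        ctx.setVariable("targetMethod", mi.getMethod());
        ctx.setVariable("targetClass", targetClass);
        ctx.setVariable("targetArgs", mi.getArguments());
        return ctx;
    }

    @Override
    public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
        return delegate.filter(filterTarget, filterExpression, ctx);
    }

    @Override
    public void setReturnObject(Object returnObject, EvaluationContext ctx) {
        delegate.setReturnObject(returnObject, ctx);
    }
}
```

Bean references such as @abacPolicy resolve only if the delegate has had its ApplicationContext set, so pass in a handler that is itself a Spring bean rather than one created with a bare new.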