Can we define Custom Spel function in @PostFilter annotation?
Hi to all :)
I have a simple question.
I read that is possible to define custom bean that extend SecurityExpressionRoot.
In this class i can add some custom method. hasConv() for example
Then i must define a:
Code:
public class MyMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler implements MethodSecurityExpressionHandler {
@Override
protected SecurityExpressionRoot createSecurityExpressionRoot(Authentication authentication, MethodInvocation invocation) {
MyMethodSecurityExpressionRoot root = new MyMethodSecurityExpressionRoot(authentication);
//root.setThis(invocation.getThis());
root.setPermissionEvaluator(getPermissionEvaluator());
return root;
}
}
And then the xml configuration:
Code:
<security:global-method-security pre-post-annotations="enabled" mode="aspectj">
<security:expression-handler ref="expressionHandler"/>
</security:global-method-security>
<bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<bean id="permissionEvaluator"
class="org.springframework.samples.petclinic.StorytellingPermissionEvaluator">
</bean>
In StorytellingPermissionEvaluator i have standard hasPermission method.
With @PreAuthorize i can evaluate without any problem the function defined above: @PreAuthorize( hasConv(..))
With @PostFilter instead the expression seems to be evaluated but i had a classcastexception in DefaultMethodSecurityExpressionHandler class at:
Code:
@SuppressWarnings("unchecked")
public Object filter(Object filterTarget, Expression filterExpression, EvaluationContext ctx) {
MethodSecurityExpressionRoot rootObject = (MethodSecurityExpressionRoot) ctx.getRootObject().getValue();
miss something?
Is there an alternative way, more simple, to achieve the same objective?
Thanks in advance.
IlPistolero
