Thread: PreAuthorize

  1. #1
    Join Date
    Mar 2010
    Posts
    16

    PreAuthorize

    In the Spring Security manual, following approach is suggested:

    Code:
      @PreAuthorize("#contact.name == principal.name)")
      public void doSomething(Contact contact);
    (see http://static.springsource.org/sprin...st-annotations )

    However, when I am not logged in, I get an error:

    Code:
    java.lang.IllegalArgumentException: Failed to evaluate expression '#username == principal.username'

    Why is this?

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    What does your method signature (including the annotation) look like? Does this also happen when you are authenticated? If so what type of authentication are you doing?

    The IllegalArgumentException means that the expression couldn't be evaluated for the current context (i.e. the arguments passed in and the authentication). My guess is you will need to change to something similar to the following:

    Code:
    @PreAuthorize("isFullyAuthenticated() and #username == principal.name")
    public void doSomething(String username);
    In short, I think the documentation has a bug for two reasons:

    1) it has a dangling ')'
    2) It should probably include isFullyAuthenticated() since the AnonymousAuthenticationFilter creates an AnonymousAuthenticationToken with a String for the principal (thus principal.name is String.name, which is not valid).
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  3. #3
    Join Date
    Mar 2010
    Posts
    16

    Hi

    Thanks for the answer:

    Quote Originally Posted by rwinch View Post
    What does your method signature (including the annotation) look like? Does
    Code:
        @RequestMapping(value = "{username}/more", method = RequestMethod.GET)
        @PreAuthorize("#username == principal.username")
        public String doSomething(@PathVariable String username, Model model)
    Quote Originally Posted by rwinch View Post
    this also happen when you are authenticated? If so what type of authentication are you doing?
    No, only if I am not authenticated.
    Quote Originally Posted by rwinch View Post
    My guess is you will need to change to something similar to the following:

    Code:
    @PreAuthorize("isFullyAuthenticated() and #username == principal.name")
    public void doSomething(String username);
    Thank you very much, it works, but only if I use
    Code:
    principal.username
    instead of
    Code:
    principal.name
    (another doc bug?)

    Quote Originally Posted by rwinch View Post
    2) It should probably include isFullyAuthenticated() since the AnonymousAuthenticationFilter creates an AnonymousAuthenticationToken with a String for the principal (thus principal.name is String.name, which is not valid).
    Thanks, that did work, except for that principal.*user*name issue.

    Best Regards

  4. #4
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Most probably a doc bug. The expression in the annotation is a SpEL expression (ref. Spring 3 documentation), and there's no magic, it's just accessing the principal object (which is most probably an org.springframework.security.core.userdetails.User in your case) using bean properties. If you refer to the code/Javadoc for org.springframework.security.core.userdetails.User, you'll see it has a username getter, so that's why the expression needs to reference username.

    The only twist here is if you have implemented your own UserDetails object for authenticated users (which you haven't told us), in which case maybe that object does have a name property. Let us know if this is the case.

    Hope that helps!
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  5. #5
    Join Date
    Jan 2008
    Posts
    1,826

    FYI: I logged a SEC-1529
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal

  6. #6
    Join Date
    Jan 2008
    Posts
    1,826

    Just in case someone is looking at this thread and not at the bug. Luke suggested a better approach on the issue that I logged (you don't need the isAuthenticated()).

    @PreAuthorize("#contact.name == authentication.name")
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
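    A worked illustration of what posts #4 and #6 describe, added here as an example that is not code from the thread or from Spring Security itself: it runs the three candidate expressions through Spring's SpEL engine against an authenticated User principal and against the AnonymousAuthenticationToken the filter supplies, using a small stand-in root object (an assumption, in place of Spring Security's real expression root) and constructed sample credentials.

```java
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
public class PreAuthorizeExpressionDemo {
    // Stand-in (an assumption, not Spring Security's own expression root class) that
    // exposes the 'authentication' and 'principal' properties @PreAuthorize expressions use.
    public static class Root {
        private final Authentication authentication;
        public Root(Authentication a) { this.authentication = a; }
        public Authentication getAuthentication() { return authentication; }
        public Object getPrincipal() { return authentication.getPrincipal(); }
    }
    // Evaluates one expression as the annotation would, with #username bound to the
    // method argument, and returns the result or the evaluation error instead of throwing.
    static String check(String expr, Authentication auth, String username) {
        StandardEvaluationContext ctx = new StandardEvaluationContext(new Root(auth));
        ctx.setVariable("username", username);
        Expression e = new SpelExpressionParser().parseExpression(expr);
        try {
            return expr + " -> " + e.getValue(ctx, Boolean.class);
        } catch (EvaluationException ex) {
            return expr + " -> FAILS: " + ex.getMessage();
        }
    }
    public static void main(String[] args) {
        String[] exprs = {
            "#username == principal.name",      // User has no 'name' property: fails even when logged in
            "#username == principal.username",  // works for a User principal, fails for the anonymous String
            "#username == authentication.name"  // works for both: Authentication.getName() handles each case
        };
        // Authenticated request: principal is a UserDetails User (constructed sample values)
        Authentication user = new UsernamePasswordAuthenticationToken(
            new User("alice", "pw", AuthorityUtils.createAuthorityList("ROLE_USER")),
            null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        // Unauthenticated request: AnonymousAuthenticationFilter supplies a String principal
        Authentication anon = new AnonymousAuthenticationToken(
            "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        for (Authentication auth : new Authentication[] {user, anon}) {
            System.out.println("principal is a " + auth.getPrincipal().getClass().getSimpleName());
            for (String expr : exprs) System.out.println("  " + check(expr, auth, "alice"));
        }
    }
}
```

    Only the authentication.name form evaluates cleanly for both principals, which is why it avoids the IllegalArgumentException from post #1 without needing the isFullyAuthenticated() guard.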

  7. #7
    Join Date
    Mar 2010
    Posts
    16

    Quote Originally Posted by rwinch View Post
    Just in case someone is looking at this thread and not at the bug. Luke suggested a better approach on the issue that I logged (you don't need the isAuthenticated()).
    Thanks, this one finally works!
