Simple question, I got a @Service class @Autowired up in my controller.

Trying to put a little security on one of the methods in my controller. So for simplicity I did this to test:

```java
@PreAuthorize("@myService.helloThere()")
public void someControllerMethod() {
    ...
}
```

But no success really. Getting an exception during method call.

```
java.lang.IllegalArgumentException: Failed to evaluate expression '@myService.helloThere()'
```

Am I missing something with EL here?

Update

Just adding the last Caused by exception

```
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1057E:(pos 1): No bean resolver registered in the context to resolve access to bean 'dummyServiceImpl'
```

Now I don't understand why it wouldn't be accessible in the StandardEvaluationContext if I'm using @Autowired?

Update 2

Since I had my own Role Hierarchy hooked up in a custom GlobalMethodSecurityConfiguration extended class, the DefaultMethodSecurityExpressionHandler did not have the applicationContext set by default. I'm not sure whether this is by design or I was missing something obvious. I searched the reference pages and found another SO thread that helped me solve the problem. I'm posting the updated security configuration.

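```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class GlobalMethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    ApplicationContext applicationContext; //added this

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        final DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();

        handler.setApplicationContext(applicationContext); //added this
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();

        roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER_MANAGER > ROLE_USER");
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }
}
```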
H.Rabiee
  • What logic are you going to write in `@myService.helloThere()`? Why don't you expect the user to just have some specific role? – Aritz Jun 25 '16 at 15:40
  • You are missing a bean. – Roman C Jun 25 '16 at 16:25
  • @XtremeBiker eg ensuring authenticated user cannot add a user of higher authority. Has role solves one half of the equation but there are corner cases I guess that I like to extract. – H.Rabiee Jun 25 '16 at 19:32
  • @RomanC what do you mean? My class is auto wired? – H.Rabiee Jun 25 '16 at 19:32
  • @HajderRabiee If it's autowired then you're ok. – Roman C Jun 25 '16 at 20:50
  • It's because Configuration class sets it during its postProcessing. Client code is only called later and never gets this. Whole GlobalMethodSecurity class approach is... opinionated to say the least. – zeratul021 Apr 07 '20 at 14:23
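
The EL1057E error from the question can be reproduced with plain SpEL, outside Spring Security. This is an added example, not code from the original post: `BeanResolverDemo` and the stand-in `MyService` class are assumptions made for illustration. It shows that `@beanName` is resolved through the evaluation context's `BeanResolver`, not through `@Autowired` fields, and the `setApplicationContext` call in Update 2 is what gives the expression handler that resolver.

```java
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.context.support.GenericApplicationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class BeanResolverDemo {

    // Stand-in for the question's @Service (assumed shape: returns a boolean).
    public static class MyService {
        public boolean helloThere() {
            return true;
        }
    }

    public static void main(String[] args) {
        // A minimal application context holding one bean named "myService".
        GenericApplicationContext appCtx = new GenericApplicationContext();
        appCtx.getBeanFactory().registerSingleton("myService", new MyService());
        appCtx.refresh();

        Expression expr = new SpelExpressionParser()
                .parseExpression("@myService.helloThere()");

        // 1) Context without a BeanResolver: the bean exists in appCtx,
        //    but SpEL has no way to reach it, so evaluation fails.
        StandardEvaluationContext bare = new StandardEvaluationContext();
        try {
            expr.getValue(bare, Boolean.class);
        } catch (SpelEvaluationException e) {
            System.out.println("without resolver: " + e.getMessageCode()
                    + " / " + e.getMessage());
        }

        // 2) Same expression, same bean, but the context now has a resolver
        //    backed by the application context.
        StandardEvaluationContext wired = new StandardEvaluationContext();
        wired.setBeanResolver(new BeanFactoryResolver(appCtx));
        System.out.println("with resolver: " + expr.getValue(wired, Boolean.class));

        appCtx.close();
    }
}
```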

1 Answer

Try this.

@PreAuthorize("myService.helloThere()")

Shankar
  • Nope, the syntax is @beanName. However I updated the question, I don't understand why the service is not available in the evaluation context. – H.Rabiee Jun 26 '16 at 07:32