How can I use a local variable in the annotation @Preauthorize?

Question

i need to do something like this

String myVar = "myString";
...
@Preauthorize("customMethod(myVar)")
public void myMethod() {
...
}

but I'm failing at it. How can I do that? It says it cannot be resolved

EDIT:I'm decoupling few rest services and sometimes I have to share infos between them

@Value("${my-properties}")
String urlIWantToShare;
...
@PreAuthorize("isValid(#myValue,urlIWantToShare)")
@RequestMapping(value = "**/letsCheckSecurityConfig", method = RequestMethod.GET)
public boolean letsCheckSecurityConfig(@RequestHeader(name = "MY-VALUE") String myValue)) {
    return true;
}

this "isValid" custom security method will call an external service, that doesn't know anything about the caller and his infos. I need to transmit few infos and I need to take them from different kind of sources

One of the sources is my application.properties

EDIT2: I managed to do this

@PreAuthorize("isValid(#myValue, #myProperty)")
@RequestMapping(value = "**/letsCheckSecurityConfig", method = RequestMethod.GET)
public boolean letsCheckSecurityConfig(@RequestHeader(name = "MY-VALUE") String myValue,
                                       @Value("${my-property-from-app-properties}") String myProperty))

..but I want to use not only actual static properties but runtime one. Any help?

You can't. Can you describe what are you trying to achive? Or maybe share some more code? — Leffchik, Jun 28 '17 at 14:45

score 0 · Answer 1 · answered Jun 28 '17 at 15:15

0

You can create a wrapper method without parameters which will call the desired method with parameters. In the annotation you can use the method without parameters

answered Jun 28 '17 at 15:15

Elka

227
1
9

could you please write some code for example? Thanks a lot – sarbuLopex Jun 28 '17 at 15:18
Where is defined your isValid method? The method you want to call from the annotation – Elka Jun 28 '17 at 15:20
It stays in a custom spring-security class that extends SecurityExpressionRoot and implements MethodSecurityExpressionOperations, as the architecture wishes. In that context it has not visibility on properties or other infos. Most of all few infos I need to send are runtime – sarbuLopex Jun 28 '17 at 15:22

score 0 · Answer 2 · answered Jul 05 '17 at 00:24

Apologies if I have misunderstood what you are trying to do, but from my understanding you're trying to set an annotation at runtime based on a variable / app.properties, so that you can then read this variable and then execute your class?

If this is the case, You cannot do this from an annotation alone as annotations cannot read local variables and cannot be set at runtime.

However, one option for you is to have an object which contains the 'values' of interest for you and then read the values from the object.

Something like the below:

PoJo

public class testObject{
    @test
    private String myVar;
    private String myValue;

    //Getters and Setters
}

Get Object values

public void getFields (Object obj){
    Field fields = obj.getClass().getDeclaredFields();

    for (Field f : fields){
        test fieldAnnotation = f.getAnnotation(test.Class);
        if (fieldAnnotation != null){
            f.get(obj);
            // Do checks based on this
        }
    }
}

Main Class

public static void main(String[] args){
    //Create object
    testObject test = new testObject();

    test.setOne("testOne");
    test.setTwo("testTwo");
    getFields(test);
}

I've pulled this code based on what I had to do to get the fields - but in my case, I did not know the object types I was going to be passed. You are simply using the annotation to 'mark' the fields you want to retrieve and then reading the value from the object.

If you're in a similar situation, then you can see my answer here: initial answer

Let me know if i've misunderstood this and I can try and further clarify my answer.

Hello Amit, thanks for your time and answer. First of all, what I'm trying to achieve is services decoupling. The architecture itself is stateless and the microservices in this scenario doesn't know each other. There's a specific microservice that is handling security and being into spring I made few custom methods for securing my endpoints. My need is to show urls and references to each other and stay in spring architecture (so the need to use @Preauthorize and vars into annotations). Actually the EDIT2 part works well — sarbuLopex, Jul 05 '17 at 08:09

How can I use a local variable in the annotation @Preauthorize?

2 Answers2