21

How to check whether a method is accessible to multiple roles

I have used the @PreAuthorize annotation to check the role:

@PreAuthorize("hasRole(\"" + AuthoritiesConstants.USER + "\")")

How can I check multiple roles using the @PreAuthorize annotation?

Gaël Marziou
P Rajesh

5 Answers

31

@PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")

hasAnyRole() 

When you need to support multiple roles, you can use the hasAnyRole() expression.

@PreAuthorize("hasAnyRole('ADMIN','DB-ADMIN')")

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html
https://www.appsdeveloperblog.com/spring-security-preauthorize-annotation-example/

Rohit.007
Oleh Tatsiun
    While this code may answer the question, it is better to include any piece of reference, advice and guidelines here. Code-only answers give a solution but not really an answer. – Cyril CHAPON Oct 23 '20 at 08:21
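The following is an added example, not code from the question or from any of the answers. It shows hasAnyRole() at method level together with the two things a practitioner most often gets wrong: method security must be switched on explicitly (otherwise @PreAuthorize is silently ignored), and hasRole()/hasAnyRole() add the ROLE_ prefix themselves. The test proves the check is actually enforced. It assumes Spring Security 5.x with spring-security-test and JUnit 5 on the classpath; the class and method names (ReportService, exportReport, purgeReports, the AUDITOR role) are illustrative.

```java
package example;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

// Without prePostEnabled = true the @PreAuthorize annotations below are never evaluated
// and every method stays open to any caller. (Spring Security 5.6+ also offers @EnableMethodSecurity.)
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

@Service
class ReportService {

    // Passes when the caller holds at least one of the listed roles.
    // The ROLE_ prefix is added automatically: 'ADMIN' matches the authority ROLE_ADMIN.
    @PreAuthorize("hasAnyRole('ADMIN', 'AUDITOR')")
    public String exportReport() {
        return "report-exported";
    }

    // Requiring both roles at once: combine two hasRole() checks with &&.
    @PreAuthorize("hasRole('ADMIN') && hasRole('AUDITOR')")
    public String purgeReports() {
        return "reports-purged";
    }
}

// Illustrative test: a user with only ROLE_AUDITOR may export but not purge.
@SpringJUnitConfig(classes = {MethodSecurityConfig.class, ReportService.class})
class ReportServiceTest {

    @Autowired
    ReportService service;

    @Test
    @WithMockUser(roles = "AUDITOR") // becomes the authority ROLE_AUDITOR
    void auditorCanExport() {
        assertEquals("report-exported", service.exportReport());
    }

    @Test
    @WithMockUser(roles = "AUDITOR")
    void auditorAloneCannotPurge() {
        assertThrows(AccessDeniedException.class, () -> service.purgeReports());
    }
}
```

The denial surfaces as an AccessDeniedException thrown before the method body runs, which is what a caller (or a web layer translating it to 403) should expect; a test like the second one is the cheapest way to confirm that method security is really active in a given configuration.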
30

You can create a custom annotation to validate many roles and conditions, e.g.:

import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;

import org.springframework.security.access.prepost.PreAuthorize;

// Meta-annotation: any method carrying it inherits this @PreAuthorize expression.
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_AGENT) " +
        "|| hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_ADMIN)" +
        "|| (hasRole(T(com.bs.dmsbox.api.constants.RoleConstants).ROLE_CUSTOMER) && #userId == principal.username)")
public @interface IsAuthenticatedAsAgentOrCustomerIsUserId {
}

Then, you can use this annotation as below:

@IsAuthenticatedAsAgentOrCustomerIsUserId
Folder findByUserIdAndType(@Param("userId") String userId, @Param("typeId") FolderType id);

This annotation validates that the logged-in user has the role AGENT or ADMIN. If the user has the role CUSTOMER, it validates that the userId parameter equals the logged-in user's username.

13

Simply combine roles by using && or || in SpEL expressions:

@PreAuthorize("hasRole('" + AuthoritiesConstants.USER + "')" +
              " && hasRole('" + AuthoritiesConstants.ADMIN + "')" )
Nikolai Shevchenko
  • How can we implement CustomPermissionEvaluator in jhipster? – P Rajesh Jul 29 '19 at 09:38
  • 1
    That's a broad question. Since JHipster is based on Spring you should refer to Spring Security tutorial for details. Or search here at StackOverflow, it might be already answered – Nikolai Shevchenko Jul 29 '19 at 10:06
1

The SecurityExpressionOperations interface in the package org.springframework.security.access.expression contains all the authorization-related methods.

Below are the most useful methods for authentication.

boolean hasRole(String role);
boolean hasAnyRole(String... roles);
boolean isAuthenticated();
boolean hasPermission(Object target, Object permission);
boolean hasPermission(Object targetId, String targetType, Object permission);
Shrikant
0

I believe the best option is to use @PreAuthorize("hasAnyRole()")

In this case I suppose @PreAuthorize("hasAnyRole(AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)")

  • `hasAnyRole` is not a method, you can't just pass `AuthoritiesConstants.USER` there, because then it will try to match with exact String like *"AuthoritiesConstants.USER"* instead of a `USER` field value of `AuthoritiesConstants` class – Andrei Titov Aug 24 '22 at 19:58
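The comment above points at the recurring mistake on this page: the value of @PreAuthorize is a SpEL string, not Java, so a Java constant cannot be named inside it directly. The following is an added example, not code from the answer or the comment, showing the two forms that do work (string concatenation, as in an earlier answer, and SpEL's T() operator, as in the custom-annotation answer). AuthoritiesConstants here is a stand-in for the JHipster class of that name; its values are assumed, and AccountService is an illustrative name.

```java
package example;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

// Assumed stand-in for JHipster's AuthoritiesConstants: role names carry the ROLE_ prefix.
final class AuthoritiesConstants {
    public static final String ADMIN = "ROLE_ADMIN";
    public static final String USER = "ROLE_USER";

    private AuthoritiesConstants() {
    }
}

@Service
class AccountService {

    // Does NOT work: inside the SpEL string, AuthoritiesConstants.USER is not the Java constant,
    // it is an expression SpEL tries to resolve at evaluation time, and the check fails.
    // @PreAuthorize("hasAnyRole(AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)")

    // Works: Java concatenates the constants into the expression before it ever reaches SpEL.
    // Mind the single quotes; the resulting expression is hasAnyRole('ROLE_USER','ROLE_ADMIN').
    @PreAuthorize("hasAnyRole('" + AuthoritiesConstants.USER + "','" + AuthoritiesConstants.ADMIN + "')")
    public String profile() {
        return "profile";
    }

    // Also works: T(fully.qualified.Class) lets SpEL read the static field itself,
    // so the expression stays valid if the constant's value is changed later.
    @PreAuthorize("hasAnyRole(T(example.AuthoritiesConstants).USER, T(example.AuthoritiesConstants).ADMIN)")
    public String settings() {
        return "settings";
    }
}
```

Because hasAnyRole() adds the ROLE_ prefix only when it is missing, both forms behave the same whether the constants are stored as ROLE_USER or as USER; what matters is that the string SpEL finally sees contains the role name and not the Java identifier. A quick way to catch the broken form is a test with @WithMockUser: the mis-typed expression fails for every caller, including an admin.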