Lesson 27 - Method authorization configurations
Tony Lim
2022. 5. 16. 11:00
import java.util.List;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class ProductService {
    /**
     * @PreAuthorize  -> the authorization rule is evaluated before the protected method is called;
     *                   if it fails, the method body never runs.
     * @PostAuthorize -> the method is called first, and only then does the aspect evaluate the
     *                   authorization rule (usually against returnObject).
     *
     * @PreFilter     -> the method needs a parameter of type Collection or array;
     *                   the aspect intercepts the call and removes the elements of that collection
     *                   that do not satisfy the rule before the body runs.
     *
     * @PostFilter    -> the return value needs to be a Collection or an array;
     *                   the aspect applies the rule to each element and returns only the ones that comply.
     */
    // @PreAuthorize("hasAuthority('write')")
    // #username is the method parameter; authentication.name is the principal from the SecurityContext
    @PreAuthorize("#username == authentication.name")
    public List<String> findProductsForUser(String username) {
        return List.of("beer", "chocolate");
    }
}
hasAuthority checks whether the authenticated user has a matching GrantedAuthority, just like in the endpoint authorization configuration lecture.
@PostAuthorize executes the entire method call first. After the method returns, the aspect takes the returned object (available in the expression as returnObject) and applies the authorization rule; if it fails, an AccessDeniedException is thrown, which Spring Security translates into a 403 for a web caller. Note that by then the method body has already run, so any side effects (a write, an e-mail, an audit entry) have already happened.
#username = the value of the method parameter named username (the # prefix is how SpEL refers to method arguments), compared against authentication.name, the name of the principal in the current SecurityContext.
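The post only shows @PreAuthorize in code. The example below is added here and is not code from the post or the lecture; it puts the other three annotations on one service so the role of returnObject and filterObject is visible. The Product record, the ProductAuthorizationService class and the CATALOG data are constructed for this example.

```java
// Added example (not from the original post): @PostAuthorize, @PreFilter and @PostFilter side by side.
// Product, ProductAuthorizationService and CATALOG are hypothetical names made up for this example.
package com.example.demo;

import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class ProductAuthorizationService {

    // Hypothetical domain type used only for this example.
    public record Product(String name, String owner) {}

    // Constructed sample data standing in for a repository.
    private static final List<Product> CATALOG = List.of(
            new Product("beer", "john"),
            new Product("chocolate", "bill"),
            new Product("coffee", "john"));

    // @PostAuthorize: the body runs first, then the aspect evaluates the expression against
    // returnObject (the method's return value). If the product belongs to someone else the
    // caller gets an AccessDeniedException, but the lookup itself has already happened.
    @PostAuthorize("returnObject.owner == authentication.name")
    public Product findByName(String name) {
        return CATALOG.stream()
                .filter(p -> p.name().equals(name))
                .findFirst()
                .orElseThrow();
    }

    // @PreFilter: the parameter must be a Collection or an array. Before the body runs, the aspect
    // removes every element for which the expression (filterObject = one element) is false.
    // Spring Security filters the collection in place, so the caller must pass a mutable list
    // (new ArrayList<>(...)); an unmodifiable List.of(...) would throw UnsupportedOperationException.
    @PreFilter("filterObject.owner == authentication.name")
    public List<String> namesOf(List<Product> requested) {
        return requested.stream().map(Product::name).collect(Collectors.toList());
    }

    // @PostFilter: the return value must be a Collection or an array. The body returns everything
    // and the aspect strips the elements the caller may not see. Same mutability rule applies,
    // which is why a fresh ArrayList is returned instead of CATALOG itself.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Product> findAll() {
        return new ArrayList<>(CATALOG);
    }
}
```

With a user named john in the SecurityContext, findAll() returns beer and coffee only, findByName("chocolate") throws AccessDeniedException after the stream has already been evaluated, and namesOf(new ArrayList<>(CATALOG)) sees only john's two products. @PostFilter still loads the whole collection before filtering, so for large result sets it is a correctness tool, not a performance one.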
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * prePostEnabled = true --> @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter
 * securedEnabled = true --> @Secured
 * jsr250Enabled  = true --> @RolesAllowed
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class ProjectConfig extends WebSecurityConfigurerAdapter {
    // user and endpoint configuration from the earlier lectures goes here (not shown in the post)
}
In order to use the method-level annotations (they are applied through AOP proxies), we need to set prePostEnabled = true on @EnableGlobalMethodSecurity; it is false by default, and without it the annotations are silently ignored. Two caveats follow from the proxy mechanism: a call from one method to another inside the same bean does not go through the proxy, so an annotation on the callee is not enforced for that internal call, and a bean that is never proxied (for example one created with new) has no method security at all. Since Spring Security 5.6, @EnableMethodSecurity is the replacement for @EnableGlobalMethodSecurity and has prePostEnabled = true by default.
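A quick way to prove the aspect is actually active is a Spring test with spring-security-test. The test below is added here and is not part of the post; it assumes the ProductService and ProjectConfig shown above live in a Spring Boot application (a @SpringBootApplication class in the same package or a parent package, as in the lecture project), and that JUnit 5 and spring-security-test are on the classpath.

```java
// Added example (not from the original post): verifying @PreAuthorize("#username == authentication.name").
// Assumes a Spring Boot application class exists so that @SpringBootTest can build the context.
package com.example.demo;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.util.List;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

@SpringBootTest
class ProductServiceMethodSecurityTest {

    // Injected as a proxy because ProjectConfig enables method security.
    @Autowired
    ProductService productService;

    @Test
    @WithMockUser(username = "john")
    void ownUsernamePasses() {
        // #username == authentication.name -> "john" == "john", so the body runs.
        assertEquals(List.of("beer", "chocolate"), productService.findProductsForUser("john"));
    }

    @Test
    @WithMockUser(username = "john")
    void otherUsernameIsDenied() {
        // "bill" != "john": the aspect throws before the body executes.
        // Behind a controller this exception is what Spring Security turns into a 403.
        assertThrows(AccessDeniedException.class,
                () -> productService.findProductsForUser("bill"));
    }

    @Test
    void noAuthenticationInContextIsRejected() {
        // No @WithMockUser: the SecurityContext is empty, so the interceptor refuses to
        // evaluate the rule at all. This is what an unauthenticated internal call looks like.
        assertThrows(AuthenticationCredentialsNotFoundException.class,
                () -> productService.findProductsForUser("john"));
    }
}
```

If prePostEnabled is left at its default, the second and third tests fail because the method runs unguarded, which makes this test a cheap regression check for the configuration itself.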