spring, spring-security, aspectj, spring-roo, spring-aop

Applying @PreAuthorize to a method contained in a Spring Roo-generated ITD (*.aj)


I would like to apply the Spring Security @PreAuthorize annotation to a service method defined in the following Spring Roo ITD (without performing a push in refactor of the method):

privileged aspect CurriculumServiceImpl_Roo_Service {

  declare @type: CurriculumServiceImpl: @Service;

  declare @type: CurriculumServiceImpl: @Transactional;

  // Inter-type declaration: introduces updateCurriculum into CurriculumServiceImpl
  public Curriculum CurriculumServiceImpl.updateCurriculum(Curriculum curriculum) {
    return curriculumRepository.save(curriculum);
  }
}

Is this possible? If so how?


Solution

  • There is a way to achieve this using Spring Roo: See detailed comment here.

    To quote the comment:

    If you want try and use the PermissionEvaluator, follow these steps (preferably on a test project).

    1. Run the Roo command "permissionEvaluator --package {the package to which you want to add the PermissionEvaluator}" (security must be installed first).

    2. Spring Roo will create three files: ApplicationPermissionEvaluator, ApplicationPermissionEvaluator_Roo_PermissionEvaluator, applicationContext-security-permissionEvaluator.xml.

    3. Add userPermissionEvalutor=true to the @RooService annotation of the service you want to secure.

    4. Spring Roo will append additional criteria to @PreAuthorize, e.g. "OR hasPermission(#myDomainObject, 'MyService:deleteMyDomainObjectIsAllowed')".

    5. Add/Update the method hasPermission(Authentication authentication, Object targetObject, Object permission) in ApplicationPermissionEvaluator.

    By the way, performing a push-in refactor is not a solution for my application. It is always better to go the Roo way and rely on Roo features.
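
An added example (not part of the quoted comment and not Roo-generated code) of the deny-by-default logic that step 5 asks for. The class name, the `Owned` interface and the `CurriculumService:updateCurriculumIsAllowed` string are assumptions, the last one patterned on the permission format quoted in step 4.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

// Added example. Class name, Owned interface and the permission string
// for Curriculum are assumptions made for illustration.
public class OwnerOnlyPermissionEvaluator implements PermissionEvaluator {

    /** Hypothetical contract a secured domain object (e.g. Curriculum) would implement. */
    public interface Owned {
        String getOwnerUsername();
    }

    // Assumed to follow the "Service:methodIsAllowed" pattern quoted in step 4.
    static final String UPDATE_CURRICULUM = "CurriculumService:updateCurriculumIsAllowed";

    @Override
    public boolean hasPermission(Authentication authentication, Object targetObject, Object permission) {
        // Deny by default: no authenticated caller, null target or non-string permission.
        if (authentication == null || !authentication.isAuthenticated()
                || targetObject == null || !(permission instanceof String)) {
            return false;
        }
        if (UPDATE_CURRICULUM.equals(permission) && targetObject instanceof Owned) {
            // Only the owner may update; getName() is the authenticated principal's name.
            String owner = ((Owned) targetObject).getOwnerUsername();
            return owner != null && owner.equals(authentication.getName());
        }
        return false; // any permission not listed above is refused
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // Id-based checks are not used in this example, so refuse rather than allow.
        return false;
    }
}
```

Because the generated clause is joined to the existing `@PreAuthorize` expression with OR, a `true` from the evaluator grants access even when the role check fails, which is why every unrecognised permission or target returns `false` here.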