java spring spring-mvc spring-el

Spring EL no "principle" in authentication


I've faced a discrepancy between the Spring documentation and what I see as a result of my experiments. I have a method and I need to check permissions before method invocation, and in accordance with the Spring docs I prepared the following:

@PreAuthorize("authentication.principle.company == #company.company")
public CompanyForm getCompanyForm(Company company) {
    //some code here
}

But surprisingly method invocation is denied due to this error:

org.springframework.expression.spel.SpelEvaluationException: EL1008E:(pos 15): Property or field 'principle' cannot be found on object of type 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken' - maybe not public?

Could somebody point me to my mistake?


Solution

  • Per the Spring Security Javadocs, the field in the authentication token is principal. You misspelled it.

    @PreAuthorize("authentication.principal.company == #company.company")
    public CompanyForm getCompanyForm(Company company) {
        //some code here
    }
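The following stand-alone program is an added example, not code from the question or the answer. It evaluates the misspelled and the corrected expression with Spring's SpEL parser against a `UsernamePasswordAuthenticationToken`, and also covers the case where the principal is a plain `String` and so has no `company` property. `CompanyUser`, `Company` and `Root` are hypothetical classes (`Root` is a simplified stand-in for the method-security root object); it assumes spring-expression and spring-security-core are on the classpath.

```java
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class PrincipalSpelDemo {
    // Hypothetical principal type; SpEL reads "principal.company" via getCompany().
    public static class CompanyUser {
        private final String company;
        public CompanyUser(String company) { this.company = company; }
        public String getCompany() { return company; }
    }
    // Hypothetical stand-in for the question's Company method argument.
    public static class Company {
        private final String company;
        public Company(String company) { this.company = company; }
        public String getCompany() { return company; }
    }
    // Simplified stand-in for the root object that exposes "authentication".
    public static class Root {
        private final Authentication authentication;
        public Root(Authentication a) { this.authentication = a; }
        public Authentication getAuthentication() { return authentication; }
    }
    static String check(String expr, Object principal, Company arg) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                principal, "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        StandardEvaluationContext ctx = new StandardEvaluationContext(new Root(auth));
        ctx.setVariable("company", arg); // plays the role of the #company parameter
        try {
            Boolean ok = new SpelExpressionParser().parseExpression(expr).getValue(ctx, Boolean.class);
            return Boolean.TRUE.equals(ok) ? "GRANTED" : "DENIED";
        } catch (SpelEvaluationException e) {
            return "ERROR " + e.getMessage(); // reported here instead of being rethrown
        }
    }
    public static void main(String[] args) {
        Company acme = new Company("acme"); // constructed sample data
        String good = "authentication.principal.company == #company.company";
        String typo = "authentication.principle.company == #company.company";
        System.out.println(check(typo, new CompanyUser("acme"), acme));  // misspelled property
        System.out.println(check(good, new CompanyUser("acme"), acme));  // same company
        System.out.println(check(good, new CompanyUser("other"), acme)); // different company
        System.out.println(check(good, "anonymousUser", acme));          // principal is a String
    }
}
```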