I have an application where the user enters custom roles name and privileges.
Example, the user can create a role named "Human Resources" that has the following properties :
showDashboard = true;
showSuppliers = false;
showEmployees = true;
I want to restrict getSuppliers service based on the showSuppliers property.
@PreAuthorize("WHEN showSuppliers IS TRUE")
public Page<Supplier> getSuppliers();
Role entity :
@Entity
public class Role {
@Id
@GeneratedValue(strategy = GenerationType.AUTO, generator = "native")
@GenericGenerator(name = "native", strategy = "native")
private Long id;
private String name;
private boolean showDashboard;
private boolean showSuppliers;
private boolean showEmployees;
}
You can reference a bean in the PreAuthorize expression. First this bean/component:
@Component("authorityChecker")
public class AuthorityChecker {
public boolean canShowSuppliers(Authentication authentication) {
for (Authority authority : authentication.getAuthorites()) {
Role role = (Role)authority; // may want to check type before to avoid ClassCastException
if (role.isShowSuppliers()) {
return true;
}
}
return false;
}
}
And the annotation to this will be:
@PreAuthorize("@authorityChecker.canShowSuppliers(authentication)")
public Page<Supplier> getSuppliers();
It will pass the current user's Authentication object to the bean/component above.