I use several @PreAuthorize-base annotations for protecting my REST API methods.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('ROLE_A') or hasRole('ROLE_B')")
public @interface ForAorB {
}
and at the same time I have
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('ROLE_A')")
public @interface ForA {
}
and
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('ROLE_B')")
public @interface ForB {
}
My @PreAuthorize expressions are a bit more complex than simple hasRole('ROLE_x) and I would like not to doubling them both in @ForA, @ForB and in @ForAorB.
Whether it possible to create @ForAorB annotation bases on @ForA and @ForB and not expressions doubling in @PreAuthorize("hasRole('ROLE_A') or hasRole('ROLE_B')")?
I tried this but looks like
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@ForA @ForB
public @interface ForAorB {
}
works actually as @ForAandB but not @ForAorB
That won't work, because annotations (at least in this case) are "additive". A single @PreAuthorize annotation will give you OK or NOK, and that determines the whole outcome regardless of any other possible auth annotations.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@ForA @ForB
public @interface ForAorB {
}
is the same as
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasRole('ROLE_A')")
@PreAuthorize("hasRole('ROLE_B')")
public @interface ForAorB {
}
So for AND it works, but you can't get it to work with OR except writing the @PreAuthorize annotation by hand.