Class SecurityEvaluationContextExtension

java.lang.Object

org.springframework.security.data.repository.query.SecurityEvaluationContextExtension

All Implemented Interfaces:

org.springframework.data.spel.spi.EvaluationContextExtension, org.springframework.data.spel.spi.ExtensionIdAware

public class SecurityEvaluationContextExtension
extends Object
implements org.springframework.data.spel.spi.EvaluationContextExtension

By defining this object as a Bean, Spring Security is exposed as SpEL expressions for creating Spring Data queries.

With Java based configuration, we can define the bean using the following:

For example, if you return a UserDetails that extends the following User object:

@Entity
public class User {
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Id
    private Long id;

    ...
}

And you have a Message object that looks like the following:

@Entity
public class Message {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;

    @OneToOne
    private User to;

    ...
}

You can use the following Query annotation to search for only messages that are to the current user:

@Repository
public interface SecurityMessageRepository extends MessageRepository {

        @Query("select m from Message m where m.to.id = ?#{ principal?.id }")
        List<Message> findAll();
}

This works because the principal in this instance is a User which has an id field on it.

Since:

4.0

Constructor Summary

Constructors

Constructor	Description
SecurityEvaluationContextExtension()	Creates a new instance that uses the current Authentication found on the SecurityContextHolder.
SecurityEvaluationContextExtension(@Nullable Authentication authentication)	Creates a new instance that always uses the same Authentication object.

Method Summary

Modifier and Type	Method	Description
String	getExtensionId()
SecurityExpressionRoot<Object>	getRootObject()
void	setAuthorizationManagerFactory(AuthorizationManagerFactory<Object> authorizationManagerFactory)	Sets the AuthorizationManagerFactory to be used.
void	setDefaultRolePrefix(String defaultRolePrefix)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
void	setPermissionEvaluator(PermissionEvaluator permissionEvaluator)	Sets the PermissionEvaluator to be used.
void	setRoleHierarchy(RoleHierarchy roleHierarchy)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.
void	setTrustResolver(AuthenticationTrustResolver trustResolver)	Deprecated. Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.data.spel.spi.EvaluationContextExtension

getFunctions, getProperties

Constructor Details

SecurityEvaluationContextExtension

public SecurityEvaluationContextExtension()

Creates a new instance that uses the current Authentication found on the SecurityContextHolder.

SecurityEvaluationContextExtension

public SecurityEvaluationContextExtension(@Nullable Authentication authentication)

Creates a new instance that always uses the same Authentication object.

Parameters:

authentication - the Authentication to use

Method Details

getExtensionId

public String getExtensionId()

Specified by:

getExtensionId in interface org.springframework.data.spel.spi.ExtensionIdAware

getRootObject

public SecurityExpressionRoot<Object> getRootObject()

Specified by:

getRootObject in interface org.springframework.data.spel.spi.EvaluationContextExtension

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Parameters:

securityContextHolderStrategy - the SecurityContextHolderStrategy to use. Cannot be null.

Since:

5.8

setAuthorizationManagerFactory

public void setAuthorizationManagerFactory(AuthorizationManagerFactory<Object> authorizationManagerFactory)

Sets the AuthorizationManagerFactory to be used. The default is DefaultAuthorizationManagerFactory.

Parameters:

authorizationManagerFactory - the AuthorizationManagerFactory to use. Cannot be null.

Since:

7.0

setTrustResolver

@Deprecated(since="7.0")
public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Sets the AuthenticationTrustResolver to be used. Default is AuthenticationTrustResolverImpl. Cannot be null.

Parameters:

trustResolver - the AuthenticationTrustResolver to use

Since:

5.8

setRoleHierarchy

@Deprecated(since="7.0")
public void setRoleHierarchy(RoleHierarchy roleHierarchy)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Sets the RoleHierarchy to be used. Default is NullRoleHierarchy. Cannot be null.

Parameters:

roleHierarchy - the RoleHierarchy to use

Since:

5.8

setPermissionEvaluator

public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator)

Sets the PermissionEvaluator to be used. Default is DenyAllPermissionEvaluator. Cannot be null.

Parameters:

permissionEvaluator - the PermissionEvaluator to use

Since:

5.8

setDefaultRolePrefix

@Deprecated(since="7.0")
public void setDefaultRolePrefix(String defaultRolePrefix)

Deprecated.

Use setAuthorizationManagerFactory(AuthorizationManagerFactory) instead

Sets the default prefix to be added to SecurityExpressionRoot.hasAnyRole(String...) or SecurityExpressionRoot.hasRole(String). For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).

Parameters:

defaultRolePrefix - the default prefix to add to roles. The default is "ROLE_".

Since:

5.8