Package org.springframework.security.data.repository.query

Class SecurityEvaluationContextExtension

java.lang.Object

org.springframework.security.data.repository.query.SecurityEvaluationContextExtension

All Implemented Interfaces:

org.springframework.data.spel.spi.EvaluationContextExtension, org.springframework.data.spel.spi.ExtensionIdAware

public class SecurityEvaluationContextExtension
extends Object
implements org.springframework.data.spel.spi.EvaluationContextExtension

By defining this object as a Bean, Spring Security is exposed as SpEL expressions for creating Spring Data queries.

With Java based configuration, we can define the bean using the following:

For example, if you return a UserDetails that extends the following User object:

 @Entity
 public class User {
     @GeneratedValue(strategy = GenerationType.AUTO)
     @Id
     private Long id;

     ...
 }
 

And you have a Message object that looks like the following:

 @Entity
 public class Message {
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
     private Long id;

     @OneToOne
     private User to;

     ...
 }
 

You can use the following Query annotation to search for only messages that are to the current user:

 @Repository
 public interface SecurityMessageRepository extends MessageRepository {

        @Query("select m from Message m where m.to.id = ?#{ principal?.id }")
        List<Message> findAll();
 }
 

This works because the principal in this instance is a User which has an id field on it.

Since:

4.0

Constructor Summary

Constructors

Constructor	Description
SecurityEvaluationContextExtension()	Creates a new instance that uses the current Authentication found on the SecurityContextHolder.
SecurityEvaluationContextExtension(Authentication authentication)	Creates a new instance that always uses the same Authentication object.

Method Summary

Modifier and Type	Method	Description
String	getExtensionId()
SecurityExpressionRoot	getRootObject()
void	setDefaultRolePrefix(String defaultRolePrefix)	Sets the default prefix to be added to SecurityExpressionRoot.hasAnyRole(String...) or SecurityExpressionRoot.hasRole(String).
void	setPermissionEvaluator(PermissionEvaluator permissionEvaluator)	Sets the PermissionEvaluator to be used.
void	setRoleHierarchy(RoleHierarchy roleHierarchy)	Sets the RoleHierarchy to be used.
void	setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)	Sets the SecurityContextHolderStrategy to use.
void	setTrustResolver(AuthenticationTrustResolver trustResolver)	Sets the AuthenticationTrustResolver to be used.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.data.spel.spi.EvaluationContextExtension

getFunctions, getProperties

Constructor Details

SecurityEvaluationContextExtension

public SecurityEvaluationContextExtension()

Creates a new instance that uses the current Authentication found on the SecurityContextHolder.

SecurityEvaluationContextExtension

public SecurityEvaluationContextExtension(Authentication authentication)

Creates a new instance that always uses the same Authentication object.

Parameters:

authentication - the Authentication to use

Method Details

getExtensionId

public String getExtensionId()

Specified by:

getExtensionId in interface org.springframework.data.spel.spi.ExtensionIdAware

getRootObject

public SecurityExpressionRoot getRootObject()

Specified by:

getRootObject in interface org.springframework.data.spel.spi.EvaluationContextExtension

setSecurityContextHolderStrategy

public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy)

Sets the SecurityContextHolderStrategy to use. The default action is to use the SecurityContextHolderStrategy stored in SecurityContextHolder.

Since:

5.8

setTrustResolver

public void setTrustResolver(AuthenticationTrustResolver trustResolver)

Sets the AuthenticationTrustResolver to be used. Default is AuthenticationTrustResolverImpl. Cannot be null.

Parameters:

trustResolver - the AuthenticationTrustResolver to use

Since:

5.8

setRoleHierarchy

public void setRoleHierarchy(RoleHierarchy roleHierarchy)

Sets the RoleHierarchy to be used. Default is NullRoleHierarchy. Cannot be null.

Parameters:

roleHierarchy - the RoleHierarchy to use

Since:

5.8

setPermissionEvaluator

public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator)

Sets the PermissionEvaluator to be used. Default is DenyAllPermissionEvaluator. Cannot be null.

Parameters:

permissionEvaluator - the PermissionEvaluator to use

Since:

5.8

setDefaultRolePrefix

public void setDefaultRolePrefix(String defaultRolePrefix)

Sets the default prefix to be added to SecurityExpressionRoot.hasAnyRole(String...) or SecurityExpressionRoot.hasRole(String). For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN") is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is "ROLE_" (default).

Parameters:

defaultRolePrefix - the default prefix to add to roles. The default is "ROLE_".

Since:

5.8