These are actually two questions, because it isn't very well explained in the Spring Security reference. The first question is, when in my configuration I have code like this:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // the same check written in the two available styles: the dedicated
        // hasRole() matcher and the equivalent SpEL expression in access()
        // (only the first matching antMatchers rule is applied to a request)
        .antMatchers("/admin").hasRole("ADMIN")
        .antMatchers("/admin").access("hasRole('ADMIN')");
}
then where is Spring looking for the current user's role in both cases? Is it perhaps calling loadUserByUsername() method on UserDetailsService and then getAuthorities() on acquired UserDetails?
My second question is regarding the hasPermission() expression. Suppose I have a custom PermissionEvaluator; is there any way to make it work in the configuration class, e.g.:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // hasPermission(...) in a URL rule instead of on a @PreAuthorize method
        .antMatchers("/admin").access("hasPermission(...)");
}
Or is this an expression that works only on a method level?
In response to your 2nd question: yes, you can use your own PermissionEvaluator with HttpSecurity. First, you have to define a WebSecurityExpressionHandler like
// inline, e.g. inside configure(HttpSecurity); myPermissionEvaluator is your PermissionEvaluator instance
final DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
webSecurityExpressionHandler.setPermissionEvaluator(myPermissionEvaluator);
or like a bean:
@Bean
public DefaultWebSecurityExpressionHandler webExpressionHandler(PermissionEvaluator myPermissionEvaluator) {
    final DefaultWebSecurityExpressionHandler webSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
    // wire the injected evaluator (the parameter above) into the handler
    webSecurityExpressionHandler.setPermissionEvaluator(myPermissionEvaluator);
    return webSecurityExpressionHandler;
}
/* this option then needs the bean to be autowired where it is used */
and then use it with the HttpSecurity like:
http.authorizeRequests()
    // register the handler before the matchers that rely on hasPermission(...)
    .expressionHandler(webSecurityExpressionHandler)
    .antMatchers("/admin").access("hasPermission(...)");