Spring security @PreAuthorize hasRole() properties injection

Question

Assuming that my Spring Security and properties are configured properly, I would like to use role name from property like

@PreAuthorize(\"hasRole(\'${role.ro         


        

Answer 1

Building on other answers here, one thing that tripped me up was not setting the context on the OAuth2MethodSecurityExpressionHandler.

Make sure that in your MethodSecurityConfig you're loading the context for the answers above to work.

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    @Autowired
    private ApplicationContext context;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        OAuth2MethodSecurityExpressionHandler handler = new OAuth2MethodSecurityExpressionHandler();
        handler.setApplicationContext(context);

        return handler;
    }
}

Then you can successfully access

@PreAuthorize("hasRole(@environment.getProperty('role.rolename')")
public void method() {}