We are using Spring Security 3. We have a custom implementation of PermissionEvaluator that has this complex algorithm to grant or deny access at method lev
The solution is to use a custom MethodSecurityInterceptor, which calls the AccessDecisionManager (implicitly, by calling super's method) and then decides whether to proceed with a method call.
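    package com.myapp;

    import org.aopalliance.intercept.MethodInvocation;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.access.intercept.InterceptorStatusToken;
    import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;

    public class MyMethodSecurityInterceptor extends MethodSecurityInterceptor {

        @Override
        public Object invoke(MethodInvocation mi) throws Throwable {
            Object result = null;
            // declared outside the try block so it is still in scope for afterInvocation()
            InterceptorStatusToken token;
            try {
                token = super.beforeInvocation(mi);
            } catch (AccessDeniedException e) {
                // access denied - do not invoke the method and return null
                return null;
            }
            // access granted - proceed with the method invocation
            try {
                result = mi.proceed();
            } finally {
                result = super.afterInvocation(token, result);
            }
            return result;
        }
    }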
Setting up the app context is a bit tricky: since you cannot use in this case, there is a need to define an explicit AOP configuration (and create most of the corresponding bean structure the original tag does by default):