Spring security @PreAuthorize hasRole() properties injection

被撕碎了的回忆 2020-12-03 15:49

Assuming that my Spring Security and properties are configured properly, I would like to use role name from property like

@PreAuthorize("hasRole('${role.ro


3 Answers
  • 2020-12-03 16:19

    Building on other answers here, one thing that tripped me up was not setting the context on the OAuth2MethodSecurityExpressionHandler.

    Make sure that in your MethodSecurityConfig you're loading the context for the answers above to work.

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    
        @Autowired
        private ApplicationContext context;
    
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            OAuth2MethodSecurityExpressionHandler handler = new OAuth2MethodSecurityExpressionHandler();
            // Without the application context, SpEL bean references such as @environment cannot be resolved.
            handler.setApplicationContext(context);
    
            return handler;
        }
    }
    

    Then you can successfully access

    @PreAuthorize("hasRole(@environment.getProperty('role.rolename'))")
    public void method() {}
    
  • 2020-12-03 16:22

    I've found that you can just grab the propertyResolver and pull values directly from that, instead of writing your own class as was suggested by @Maksym.

    Example:

    @PreAuthorize("hasRole(@environment.getProperty('role.rolename'))")
    public void method() {}
    
  • 2020-12-03 16:32

    Try to remove '' signs:

    @PreAuthorize("hasRole(${role.rolename})")
    public void method() {}
    

    EDIT. I am sure that there is a better way, but as a workaround you can call some method on some bean:

    @Component("appVariablesHolder")
    public class AppVariablesHolder {
    
        @Value("${role.rolename}") 
        private String someRole;
    
        public String getSomeRole() {
            return this.someRole;
        }
    }
    
    @PreAuthorize("hasRole(@appVariablesHolder.getSomeRole())")
    public void method() {}
    
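The `@environment.getProperty('role.rolename')` lookup from the first and second answers can be evaluated outside Spring Security to see how it behaves when the bean resolver or the property is missing. This is an added example, not code from the thread. It assumes spring-context and spring-expression on the classpath; the class name `RolePropertyLookupDemo` and the value `ADMIN` are constructed for illustration.

```java
import java.util.Map;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.core.env.MapPropertySource;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RolePropertyLookupDemo {

    // Evaluates a SpEL fragment against a throwaway context holding the given properties.
    // withBeanResolver=false mimics an expression handler that never received the ApplicationContext.
    static String evaluate(Map<String, Object> props, String spel, boolean withBeanResolver) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext()) {
            ctx.getEnvironment().getPropertySources()
               .addFirst(new MapPropertySource("constructed", props));
            ctx.refresh();

            StandardEvaluationContext ec = new StandardEvaluationContext();
            if (withBeanResolver) {
                // This is what makes @beanName references resolvable inside the expression.
                ec.setBeanResolver(new BeanFactoryResolver(ctx));
            }
            try {
                return String.valueOf(new SpelExpressionParser().parseExpression(spel).getValue(ec));
            } catch (RuntimeException e) {
                // SpEL errors and exceptions thrown by the invoked method both end up here.
                return "ERROR: " + e.getMessage();
            }
        }
    }

    public static void main(String[] args) {
        Map<String, Object> configured = Map.of("role.rolename", "ADMIN"); // constructed sample value
        Map<String, Object> missing = Map.of();                            // property not set at all
        String lookup = "@environment.getProperty('role.rolename')";
        String strict = "@environment.getRequiredProperty('role.rolename')";

        // No bean resolver: the @environment reference cannot be evaluated.
        System.out.println(evaluate(configured, lookup, false));
        // Bean resolver present and property set: the role name is returned.
        System.out.println(evaluate(configured, lookup, true));
        // Property missing: getProperty returns null without any error.
        System.out.println(evaluate(missing, lookup, true));
        // Property missing: getRequiredProperty throws instead of returning null.
        System.out.println(evaluate(missing, strict, true));
    }
}
```

With `getProperty`, a misspelled or absent key means `hasRole()` is handed a null role name with no error at the lookup, while `getRequiredProperty` makes the misconfiguration visible the first time the expression is evaluated.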