I am using spring boot, and I have enabled the global method security in WebSecurityConfigurerAdapter by
@EnableGlobalMethodSecurity(prePostEnabled = true, order = Ordered.HIGHEST_PRECEDENCE)
And Below is my controller code
@PreAuthorize("hasAnyRole('admin') or principal.id == id")
@RequestMapping(value = "/{id}", method = RequestMethod.PUT)
public User updateUser(@PathVariable("id") String id, @Valid @RequestBody UserDto userDto)
{ ....}
However, when a non-admin user try to do a PUT request, the JSR303 validator will kick in before @PreAuthorize. For example, non-admin user ended up getting something like "first name is required" instead of "access denied". But after user supplied the first name variable to pass the validator, access denied was returned.
Does anyone know how to enforce the @PreAuthorize get checked before @Valid or @Validated?
And I have to use this kind of method-level authorization instead of url-based authorization in order to perform some complex rule checking.
For the same scenario, I have found reccomendations to implement security via spring filters.
Here is similar post : How to check security acess (@Secured or @PreAuthorize) before validation (@Valid) in my Controller?
Also, maybe a different approach - try using validation via registering a custom validator in an @InitBinder (thus skip the @valid annotation).
To access principal object in filter class:
SecurityContextImpl sci = (SecurityContextImpl)
session().getAttribute("SPRING_SECURITY_CONTEXT");
if (sci != null) {
UserDetails cud = (UserDetails) sci.getAuthentication().getPrincipal();
}
In this case /{id} is a path param in the URL. To access path params in filter or interceptor class:
String[] requestMappingParams = ((HandlerMethod)handler).getMethodAnnotation(RequestMapping.class).params()
for (String value : requestMappingParams) {.