I am trying to do something like this:
    @Component
    @Aspect
    class CustomAspect {

        @Pointcut("within(@com.example.security.Check *)")
        public void classAnnotatedWithCheck() {}

        @Pointcut("execution(public * *(..))")
        public void publicMethod() {}

        @Pointcut("publicMethod() && classAnnotatedWithCheck()")
        public void publicMethodInsideAClassMarkedWithCheck() {}

        @Around(value = "publicMethodInsideAClassMarkedWithCheck()")
        public Object execute(ProceedingJoinPoint point) throws Throwable {
            return executeWithFilter(point);
        }

        @PostFilter(value = "hasPermission(filterObject, 'READ')")
        private Object executeWithFilter(ProceedingJoinPoint point) throws Throwable {
            return point.proceed();
        }
    }
Aspects work well, but the last method executeWithFilter is done without filtering. At the same time, filtering works if I add @PostFilter(value = "hasPermission(filterObject, 'READ')") to a regular service method. Is it even possible to use @PostFilter in aspects?
Spring Method Security is AOP based.
Also, from the Spring AOP reference documentation: Declaring an Aspect
In Spring AOP, aspects themselves cannot be the targets of advice from other aspects. The @Aspect annotation on a class marks it as an aspect and, hence, excludes it from auto-proxying.
Security advices should get applied on a bean for providing @PostFilter method security, which is not possible on an aspect. In short, Spring Security will not work on an aspect.
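One way to get the filtering the question wants, given the limitation described in the answer, is to move @PostFilter onto an ordinary bean that the aspect delegates to. This is an added example, not code from the question or the answer; the class name ReadPermissionFilter is hypothetical, and it assumes method security is already enabled (the question says @PostFilter works on service methods) and that the advised methods return a List.

```java
import java.util.ArrayList;
import java.util.List;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.stereotype.Component;

// Hypothetical helper bean (assumption, not part of the original post).
// It is a regular bean rather than an @Aspect, so it is eligible for
// auto-proxying and the method-security advice is applied to it.
// It must not carry @Check itself, or the aspect below would advise it too.
@Component
class ReadPermissionFilter {
    // Public and called from another bean, so the call goes through the proxy.
    @PostFilter("hasPermission(filterObject, 'READ')")
    public List<Object> filter(List<Object> items) {
        return items;
    }
}

@Component
@Aspect
class CustomAspect {
    private final ReadPermissionFilter readPermissionFilter;

    CustomAspect(ReadPermissionFilter readPermissionFilter) {
        this.readPermissionFilter = readPermissionFilter;
    }

    @Around("execution(public * *(..)) && within(@com.example.security.Check *)")
    public Object execute(ProceedingJoinPoint point) throws Throwable {
        Object result = point.proceed();
        if (result instanceof List<?>) {
            // Pass a mutable copy: @PostFilter removes denied elements from
            // the returned collection, which fails on unmodifiable lists.
            return readPermissionFilter.filter(new ArrayList<>((List<?>) result));
        }
        // Anything that is not a List is returned unfiltered here; reject it
        // instead if every @Check method is expected to return a List.
        return result;
    }
}
```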