A custom permission evaluator lets you control who can do what in your app by checking permissions in your own way.
public class MyPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) { // Your custom logic here return false; } @Override public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) { // Your custom logic here return false; } }
Implement the PermissionEvaluator interface to create your own permission checks.
Override both hasPermission methods to handle different permission scenarios.
public class MyPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) { if (auth == null || targetDomainObject == null || !(permission instanceof String)) { return false; } String perm = (String) permission; // Example: allow if user has 'ADMIN' role return auth.getAuthorities().stream() .anyMatch(a -> a.getAuthority().equals("ROLE_ADMIN")); } @Override public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) { return false; } }
public class MyPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) { if (targetDomainObject instanceof Document) { Document doc = (Document) targetDomainObject; String perm = (String) permission; // Allow if user owns the document return doc.getOwner().equals(auth.getName()); } return false; } @Override public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) { return false; } }
This custom permission evaluator allows users with the 'ROLE_USER' role to have 'read' permission on any object.
package com.example.security; import org.springframework.security.access.PermissionEvaluator; import org.springframework.security.core.Authentication; import java.io.Serializable; public class CustomPermissionEvaluator implements PermissionEvaluator { @Override public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) { if (auth == null || targetDomainObject == null || !(permission instanceof String)) { return false; } String perm = (String) permission; // Simple example: allow if user has 'ROLE_USER' and permission is 'read' boolean hasRoleUser = auth.getAuthorities().stream() .anyMatch(a -> a.getAuthority().equals("ROLE_USER")); if (hasRoleUser && "read".equalsIgnoreCase(perm)) { return true; } return false; } @Override public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) { // Not implemented for this example return false; } }
Register your custom PermissionEvaluator as a bean in your Spring Security configuration.
Use @PreAuthorize or @PostAuthorize annotations with expressions like hasPermission() to apply your evaluator.
Test your permission logic carefully to avoid accidental access.
Custom permission evaluators let you write your own rules for who can do what.
Implement the PermissionEvaluator interface and override its methods.
Use your evaluator in security annotations to protect your app.