Spring Boot · framework · ~30 mins

Custom permission evaluator in Spring Boot - Mini Project: Build & Apply

Custom Permission Evaluator in Spring Boot
📖 Scenario: You are building a secure Spring Boot web application where users have different roles and permissions. You want to control access to certain methods based on custom permission logic. For example, only users with the right permission can edit or delete resources.
🎯 Goal: Create a custom permission evaluator class that checks whether a user has a specific permission on a target domain object. Integrate this evaluator with Spring Security so it can be used in method security annotations.
📋 What You'll Learn
Create a class implementing PermissionEvaluator
Add a configuration bean to register the custom permission evaluator
Implement the hasPermission method with custom logic
Use the custom permission evaluator in a method security annotation
💡 Why This Matters
🌍 Real World
Custom permission evaluators allow fine-grained access control in enterprise applications, enabling security decisions based on complex business rules.
💼 Career
Understanding and implementing custom permission evaluators is important for backend developers working with Spring Security to secure APIs and services.
1. Create the CustomPermissionEvaluator class
Create a class called CustomPermissionEvaluator that implements PermissionEvaluator. Override both hasPermission methods with empty bodies returning false.
Hint: Implement the PermissionEvaluator interface and override both hasPermission methods with default false returns.

2. Add a configuration bean to register the custom permission evaluator
Create a Spring configuration class called SecurityConfig with a @Bean method named permissionEvaluator that returns a new instance of CustomPermissionEvaluator.
Hint: Use the @Configuration and @Bean annotations to register your custom permission evaluator.

3. Implement custom logic in the hasPermission method
Modify the hasPermission(Authentication authentication, Object targetDomainObject, Object permission) method in CustomPermissionEvaluator to return true if the authentication has a granted authority matching the permission string. Otherwise, return false.
Hint: Check whether any authority in authentication.getAuthorities() matches the permission string.

4. Use the custom permission evaluator in method security
In a service class called DocumentService, add a method editDocument that takes a String documentId. Annotate this method with @PreAuthorize("hasPermission(#documentId, 'Document', 'EDIT')") to use the custom permission evaluator.
Hint: Use @PreAuthorize with the hasPermission expression referencing #documentId, target type 'Document', and permission 'EDIT'.
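The four steps above, carried through as one added example (written for this page, not the project's own solution; it assumes Spring Boot 3 / Spring Security 6, where @EnableMethodSecurity is available). Two points a practitioner should notice: the step-4 expression hasPermission(#documentId, 'Document', 'EDIT') dispatches to the (targetId, targetType) overload, so that overload must carry the same authority check as the one modified in step 3 or every call is denied; and the evaluator is wired explicitly into a MethodSecurityExpressionHandler so the expression does not depend on the bean being discovered automatically.

```java
import java.io.Serializable;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;

// Steps 1 and 3: both overloads share one authority check, because the step-4 expression
// hasPermission(#documentId, 'Document', 'EDIT') routes to the (id, type) overload.
class CustomPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        return hasAuthority(auth, permission);
    }
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return hasAuthority(auth, permission);
    }
    private static boolean hasAuthority(Authentication auth, Object permission) {
        return auth != null && permission instanceof String   // fail closed: no principal or odd permission type = deny
                && auth.getAuthorities().stream().map(GrantedAuthority::getAuthority).anyMatch(permission::equals);
    }
}

// Step 2: register the evaluator and wire it into the method-security expression handler,
// so @PreAuthorize's hasPermission() uses it regardless of auto-discovery behaviour.
@Configuration
@EnableMethodSecurity
class SecurityConfig {
    @Bean
    PermissionEvaluator permissionEvaluator() { return new CustomPermissionEvaluator(); }
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(PermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);
        return handler;
    }
}

// Step 4: a caller whose authorities do not include "EDIT" gets an AccessDeniedException before the body runs.
@Service
class DocumentService {
    @PreAuthorize("hasPermission(#documentId, 'Document', 'EDIT')")
    public String editDocument(String documentId) { return "edited " + documentId; }
}
```

With this wiring, a principal carrying the granted authority "EDIT" can call editDocument, while one with only "ROLE_USER" is rejected; the targetType and targetId are ignored here, exactly as the page's step-3 logic ignores the target object.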