Spring Boot framework · ~10 mins

Custom permission evaluator in Spring Boot - Step-by-Step Execution

Concept Flow - Custom permission evaluator
User requests access
Security checks permission
Call CustomPermissionEvaluator
Evaluate permission logic
Return true: Access granted
Return false: Access denied
When a user requests access, Spring Security calls the custom permission evaluator to check if the user has the required permission and returns true or false.
Execution Sample
Spring Boot
import java.io.Serializable;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;

public class CustomPermissionEvaluator implements PermissionEvaluator {
  // Called for hasPermission(#target, 'perm'): the domain object itself is passed in.
  @Override
  public boolean hasPermission(Authentication auth, Object target, Object perm) {
    // Deny when there is no authenticated caller or nothing to evaluate against.
    if (auth == null || !auth.isAuthenticated() || target == null || perm == null) {
      return false;
    }
    // custom logic: decide whether `auth` may perform `perm` on `target`
    return true; // or false
  }

  // Called for hasPermission(#id, 'Type', 'perm'): only an identifier and type name are known.
  @Override
  public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object perm) {
    // custom logic for this method if needed; denying by default is the safe choice
    return false;
  }
}
This code defines a custom permission evaluator that Spring Security uses to decide if a user has permission.
Execution Table
Step | Input Parameters | Permission Check Logic | Result | Access Outcome
1 | auth=UserA, target=Document1, perm='read' | Check if UserA has 'read' on Document1 | true | Access granted
2 | auth=UserB, target=Document1, perm='write' | Check if UserB has 'write' on Document1 | false | Access denied
3 | auth=UserA, target=Document2, perm='delete' | Check if UserA has 'delete' on Document2 | false | Access denied
4 | auth=Admin, target=Any, perm='all' | Admin has all permissions | true | Access granted
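The table above can be reproduced with a concrete evaluator. The following is an added example, not code from the original page: a deny-by-default evaluator backed by a constructed in-memory ACL, wired into Spring Security 6 method security (Spring Boot 3, Java 17). The Document record, the ACL contents, the MethodSecurityConfig and DocumentService classes, and the ROLE_ADMIN bypass are assumptions for illustration.

```java
import java.io.Serializable;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.stereotype.Service;

/** Hypothetical domain object the evaluator is asked about. */
record Document(String id) {}

public class DocumentPermissionEvaluator implements PermissionEvaluator {

  // Constructed sample ACL: document id -> (username -> allowed actions).
  // Chosen so that the four execution-table rows come out as the table says.
  private static final Map<String, Map<String, Set<String>>> ACL = Map.of(
      "Document1", Map.of("UserA", Set.of("read")),
      "Document2", Map.of("UserA", Set.of("read")));

  /** Called for hasPermission(#object, 'perm'); unwraps the object and delegates. */
  @Override
  public boolean hasPermission(Authentication auth, Object target, Object perm) {
    if (!(target instanceof Document doc)) {
      return false; // unknown target type: deny rather than guess
    }
    return hasPermission(auth, doc.id(), "Document", perm);
  }

  /** Called for hasPermission(#id, 'Document', 'perm'); all decision logic lives here. */
  @Override
  public boolean hasPermission(Authentication auth, Serializable targetId,
                               String targetType, Object perm) {
    if (auth == null || !auth.isAuthenticated() || targetId == null || perm == null) {
      return false; // deny by default on any missing input
    }
    // Row 4 of the execution table: an admin bypasses the ACL entirely.
    boolean isAdmin = auth.getAuthorities().stream()
        .map(GrantedAuthority::getAuthority)
        .anyMatch("ROLE_ADMIN"::equals);
    if (isAdmin) {
      return true;
    }
    if (!"Document".equals(targetType)) {
      return false;
    }
    // Rows 1-3: look up the caller's grants on this specific document.
    Set<String> allowed = ACL
        .getOrDefault(String.valueOf(targetId), Map.of())
        .getOrDefault(auth.getName(), Set.of());
    return allowed.contains(String.valueOf(perm).toLowerCase());
  }

  /** Stand-alone demo of the four execution-table rows; needs no Spring context. */
  public static void main(String[] args) {
    PermissionEvaluator ev = new DocumentPermissionEvaluator();
    Authentication userA = UsernamePasswordAuthenticationToken.authenticated(
        "UserA", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    Authentication userB = UsernamePasswordAuthenticationToken.authenticated(
        "UserB", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    Authentication admin = UsernamePasswordAuthenticationToken.authenticated(
        "Admin", null, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
    System.out.println("row 1: " + ev.hasPermission(userA, new Document("Document1"), "read"));
    // Row 2: UserB is authenticated but holds no 'write' grant on Document1.
    System.out.println("row 2: " + ev.hasPermission(userB, new Document("Document1"), "write"));
    System.out.println("row 3: " + ev.hasPermission(userA, new Document("Document2"), "delete"));
    System.out.println("row 4: " + ev.hasPermission(admin, "Any", "Document", "all"));
  }
}

/** Registers the evaluator so @PreAuthorize("hasPermission(...)") calls it. */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
  @Bean
  static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
    DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setPermissionEvaluator(new DocumentPermissionEvaluator());
    return handler;
  }
}

/** Hypothetical service whose method only runs when the evaluator returns true. */
@Service
class DocumentService {
  @PreAuthorize("hasPermission(#doc, 'read')")
  public String read(Document doc) {
    return "contents of " + doc.id();
  }
}
```

Two design points worth noting: every early exit returns false, so a missing principal, a null permission or an unexpected target type fails closed rather than open; and the three-argument overload delegates to the four-argument one, so there is a single place where the rule is implemented and audited.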
💡 Permission evaluator returns true or false to grant or deny access
Variable Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4
auth | null | UserA | UserB | UserA | Admin
target | null | Document1 | Document1 | Document2 | Any
perm | null | 'read' | 'write' | 'delete' | 'all'
result | null | true | false | false | true
Key Moments - 3 Insights
Why does the permission evaluator return false even if the user is authenticated?
Authentication means the user is logged in, but the permission evaluator checks whether that user has rights to the specific action on the specific target. See execution table rows 2 and 3, where the users are authenticated but lack the requested permission.
What happens if the permission evaluator returns true?
Access is granted to the user for the requested action. This is shown in execution table rows 1 and 4, where the result is true and access is granted.
Can the permission evaluator check complex rules?
Yes. Any logic can run inside the hasPermission method to reach a decision. The concept flow shows that the evaluator returns true or false based on that custom logic.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the result of the permission check for UserB trying to 'write' Document1?
A. false
B. true
C. null
D. throws error
💡 Hint: Check execution table row 2 under the 'Result' column
At which step does the permission evaluator grant access for an admin user?
A. Step 1
B. Step 4
C. Step 3
D. Step 2
💡 Hint: Look at execution table row 4 for 'auth' and 'Access Outcome'
If the permission evaluator always returns true, what changes in the variable tracker 'result' row?
A. Values alternate true and false
B. All values become false
C. All values become true
D. Values remain null
💡 Hint: Consider the 'result' values in the variable tracker and what always returning true means
Concept Snapshot
Custom Permission Evaluator in Spring Security:
- Implement PermissionEvaluator interface
- Override hasPermission method
- Use Authentication, target, and permission parameters
- Return true to grant access, false to deny
- Enables custom access rules beyond roles
Full Transcript
In Spring Security, a custom permission evaluator checks if a user has permission to perform an action on a target object. When a user requests access, the security system calls the custom evaluator's hasPermission method with the user's authentication, the target object, and the requested permission. The evaluator runs custom logic and returns true or false. True means access granted, false means denied. The execution table shows examples with different users and permissions. Variables like auth, target, perm, and result change as the evaluator runs. Key moments clarify that authentication alone doesn't guarantee permission, and the evaluator can implement complex rules. The visual quiz tests understanding of permission results and outcomes. This approach lets developers control access precisely in their Spring Boot apps.