0

I have a question about spring security acl.

I have my class I have a preautorize methods and works well

@PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')") public void update(Test test) { testRepository.save(test); updateDeviceAcl(test); }

But when I want do same thing on list:

@PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')") public void update(List<Test> test) { testRepository.save(test); updateDeviceAcl(test); }

It trow exception:

java.lang.NoSuchMethodException: java.util.ArrayList.getId()

Is it possible do it this way? I fully understand, that method

ArrayList.getId()

should be something like that

test.get(i).getId();

Thanks for answer

Improve this question

1 Answer 1

Reset to default
1

If the authorization only makes sense to be given to the full list, then to do this you would have to wrap the list in a list wrapper that contains a getId() method:

public class ListWrapper { private List<Test> tests; public Serializable getId() { ... some id ... } }

To validate one by one, you need to annotate a method only for one test, and not the method with the loop:

public void update(List<Test> tests) { for (Test test : tests) { update(test); } } @PreAuthorize("hasPermission(#test, write) or hasAnyRole('ROLE_ADMIN', 'ROLE_SUPERADMIN')") public void update(Test test) { testRepository.save(test); updateDeviceAcl(test); }

If you are not using aspectJ compile time or load time weaving to apply the aspects, then put these two methods in separate beans and inject one into the other. Normal JDK or CGLIB proxies will not apply @PreAuthorize (or any other aspect) on reentrant calls.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.