
SEC-1529: More user-friendly expression @PreAuthorize expression in EL chapter.

3.0.x
Luke Taylor 16 years ago
parent
commit
f6abc24ed6
  1. 16
      docs/manual/src/docbook/el-access.xml

16
docs/manual/src/docbook/el-access.xml

@ -154,14 +154,16 @@
within the expression, so you can also access properties on the arguments. For within the expression, so you can also access properties on the arguments. For
example, if you wanted a particular method to only allow access to a user whose example, if you wanted a particular method to only allow access to a user whose
username matched that of the contact, you could write</para> username matched that of the contact, you could write</para>
<programlisting> @PreAuthorize("#contact.name == principal.name)") <programlisting>
@PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);</programlisting> public void doSomething(Contact contact);</programlisting>
<para>Here we are accessing another built–in expression, which is the <para>Here we are accessing another built–in expression, <literal>authentication</literal>,
<literal>principal</literal> of the current Spring Security which is the <interfacename>Authentication</interfacename> stored in the
<interfacename>Authentication</interfacename> object obtained from the security context. You can also access its <quote>principal</quote> property
security context. You can also access the directly, using the expression <literal>principal</literal>. The value will
<interfacename>Authentication</interfacename> object itself directly using often be a <interfacename>UserDetails</interfacename> instance, so you might use an
the expression name <literal>authentication</literal>.</para> expression like <literal>principal.username</literal> or
<literal>principal.enabled</literal>.</para>
<para>Less commonly, you may wish to perform an access-control check after the <para>Less commonly, you may wish to perform an access-control check after the
method has been invoked. This can be achieved using the method has been invoked. This can be achieved using the
<literal>@PostAuthorize</literal> annotation. To access the return value <literal>@PostAuthorize</literal> annotation. To access the return value
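Review bot: the old `@PreAuthorize("#contact.name == principal.name)")` line had a stray `)` inside the string literal, so the example as documented could not have parsed; the replacement `#contact.name == authentication.name` fixes that and is correct. Two follow-ups on the same hunk: the rewritten paragraph tells readers the principal is often a `UserDetails` and suggests `principal.username`, so it would help to state explicitly that the old `principal.name` form only works when the principal type exposes a `name` property (a `UserDetails` exposes `username`), otherwise readers copying older snippets will hit an expression evaluation failure at runtime and, since the check throws rather than denies, may not spot why. Second, `<programlisting>` preserves whitespace in DocBook output, so the newline now inserted after the opening tag renders as a leading blank line; keep `@PreAuthorize(...)` on the same line as the tag, as the old version did. Minor: "built–in" in the first new `<para>` uses an en-dash carried over from the old text; it should be a plain hyphen, "built-in".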
