Handle permissions with Spring Security

Suppose you have your fancy authentication all up and running with Spring Security, but you have to manage also authorization. You don't want to handle permissions based only on the authorities granted to the user, but want something like hasPermission('some_domain', 'permission') to check. This is where the Spring PermissionEvaluator comes into play.

The Permission Evaluator

A permission evaluator is an interface that defines two methods to check against a specific permission. They receive the authentication object and the permission to check as parameters. Usually you use the authentication object to access logged user data which contains the full list of granted permissions or an identifier useful to check the required permission from a suitable source (a database for example).

An example implementation is the following:

public class CustomPermissionEvaluator implements PermissionEvaluator {
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return ((CustomUser)authentication.getPrincipal()).hasPermission(targetDomainObject, permission);
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return ((CustomUser)authentication.getPrincipal()).hasPermission(targetId, targetType, permission);

Nothing really exciting, isn't it. The two methods are already well documented in Spring Security docs. The principal used for my authentication system is a custom implementation of the UserDetails interface which extends the normal user in the security context of Spring Security with extra informations and custom methods, like this hasPermission() you see. It's up to you implementing this evaluator to fit your security architecture. I, for example, having to check for lot of permissions at once, I pre-load all the user permission at the login phase, and store it in a fast access data structure inside the CustomUser class to quickly evaluate those permissions. You could eventually call a DAO and check user permissions against some sort of database values. Your choice.

Furthermore, the permission target domain and the permission itself are defined as generic Object, so you could use complex POJO classes to define your permissions. As for myself, having a simple security design, my permissions are strings with the usual CRUD operations. So my calls are something like this: hasPermission('articles', 'write').

Why two methods? For increase flexibility: the first should directly send the target domain where to apply the asked permission (e.g. the article, the user, etc.), while the second one send you an identifier of the target domain object (like a database PK or ID).

The configuration file

Let's make the spring security configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    <!-- Enable the use of pre/post annotation -->
    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler" />
    <!-- Enable permission evaluator in annotation -->
    <beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
          <beans:property name="permissionEvaluator" ref="customPermissionEvaluator" />
    <!-- Declare a custom PermissionEvaluator interface -->
    <beans:bean id="customPermissionEvaluator" class="it.massimilianosciacco.project.spring.security.CustomPermissionEvaluator"/>
    <!-- your other security configurations... -->


The first block enables the @PreAuthorize and @PostAuthorize annotation.
The second block enables the use of hasPermission() expression in such annotations (so you can use something like @PreAuthorize("hasPermission('article', 'write')").
The third block simply defines your custom permission evaluator specifing the classpath.

Enabling the permission evaluator expressions in jsf security tag

So you have read somewhere that you can use something like this:

<sec:authorize access="hasPermission('article', 'write')">
    <some protected randomness>

in your .xhtml pages (the namespace for the security tag is xmlns:sec="http://www.springframework.org/security/tags"), but it won't work.

That's because you need to setup some further configuration.

1. Add this configuration in you spring security configuration file:

<!-- Enable permission evaluator in tag -->
<beans:bean id="webExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="customPermissionEvaluator"/>

2. Add this springsecurity.taglib.xml file in your WEB-INF folder:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE facelet-taglib PUBLIC "-//Sun Microsystems, Inc.//DTD Facelet Taglib 1.0//EN" "http://java.sun.com/dtd/facelet-taglib_1_0.dtd">
        <function-signature>boolean areAllGranted(java.lang.String)</function-signature>
        <function-signature>boolean areAnyGranted(java.lang.String)</function-signature>
        <function-signature>boolean areNotGranted(java.lang.String)</function-signature>
        <function-signature>boolean isAllowed(java.lang.String, java.lang.String)</function-signature>

3. Import the taglib in your web.xml:


4. Import the spring-faces libraries as described here:


5. Makes sure you also have the spring security taglibs library:


You should good to go now.

For more information about permission evaluator, you can check this good article of Jakub Nabrdalik.