Valid use case for @PostAuthorize And @PostFilter annotations
Both @PostAuthorize and @PostFilter are used, mostly, in combination with ACL. Where @PostAuthorize will throw an exception if something is returned which one does not have access to, @PostFilter will remove the objects one does not have access to (in general useful when returning collections of elements).
@PostFilter filters the returned collection or array after the method has executed. Spring Security provides a built-in object named filterObject, on which @PostFilter performs the filtering. @PostFilter can be used on the service layer together with @PreAuthorize and @PostAuthorize.
Use an interface to declare the filter operation.

```java
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;

public interface IBookService {

    // The caller must hold ROLE_READ; after the call, books whose owner is not
    // the authenticated user are removed from the returned list.
    @PreAuthorize("hasRole('ROLE_READ')")
    @PostFilter("filterObject.owner == authentication.name")
    List<Book> getBooks();

    // Before the call, books in the argument list that the caller does not own
    // are removed (the single collection parameter is the implicit filter target).
    @PreFilter("filterObject.owner == authentication.name")
    void addBook(List<Book> books);
}
```
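The two behaviours described above, as an added example that is not part of the original question or answers: a single test class that exercises @PostAuthorize (denied result raises AccessDeniedException) and @PostFilter (foreign elements are dropped) side by side. It assumes Spring Boot 3 with spring-boot-starter-security, spring-boot-starter-test and spring-security-test on the classpath; the package name, the Book class, the BookService bean and the sample data are all made up for the example.

```java
package com.example.acl; // hypothetical package name

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.util.ArrayList;
import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;

@SpringBootTest(classes = PostAuthorizeVsPostFilterTest.Config.class)
public class PostAuthorizeVsPostFilterTest {

    // Hypothetical domain object; SpEL reads "owner" through getOwner().
    public static class Book {
        private final String title;
        private final String owner;
        public Book(String title, String owner) { this.title = title; this.owner = owner; }
        public String getTitle() { return title; }
        public String getOwner() { return owner; }
    }

    // Hypothetical service. Spring Security wraps the bean in a proxy, so the
    // annotations are enforced on every call made through the injected reference.
    public static class BookService {
        // Constructed sample data owned by two different users.
        private final List<Book> books = List.of(
                new Book("Alice's notebook", "alice"),
                new Book("Bob's ledger", "bob"),
                new Book("Alice's diary", "alice"));

        // @PostAuthorize: the body runs first, then the return value is checked.
        // Returning a book owned by someone else ends in AccessDeniedException.
        @PreAuthorize("hasRole('READ')")
        @PostAuthorize("returnObject.owner == authentication.name")
        public Book getBook(String title) {
            return books.stream().filter(b -> b.getTitle().equals(title))
                    .findFirst().orElseThrow();
        }

        // @PostFilter: the body runs first, then elements for which the expression
        // is false are removed from the returned collection, in place.
        @PreAuthorize("hasRole('READ')")
        @PostFilter("filterObject.owner == authentication.name")
        public List<Book> getBooks() {
            // Must be a mutable copy: the filter calls clear()/addAll() on the
            // returned collection, and List.of(...) would throw on that.
            return new ArrayList<>(books);
        }
    }

    @Configuration
    @EnableMethodSecurity
    static class Config {
        @Bean
        BookService bookService() { return new BookService(); }
    }

    @Autowired
    BookService service;

    @Test
    @WithMockUser(username = "alice", roles = "READ")
    void postAuthorizeAllowsOwnBook() {
        assertEquals("alice", service.getBook("Alice's notebook").getOwner());
    }

    @Test
    @WithMockUser(username = "alice", roles = "READ")
    void postAuthorizeDeniesSomeoneElsesBook() {
        // The method body has already executed by the time the denial is raised.
        assertThrows(AccessDeniedException.class, () -> service.getBook("Bob's ledger"));
    }

    @Test
    @WithMockUser(username = "alice", roles = "READ")
    void postFilterKeepsOnlyOwnBooks() {
        List<Book> visible = service.getBooks();
        assertEquals(2, visible.size());
        assertEquals(List.of("Alice's notebook", "Alice's diary"),
                visible.stream().map(Book::getTitle).toList());
    }

    @Test
    @WithMockUser(username = "carol") // authenticated with the default ROLE_USER only
    void preAuthorizeRunsBeforeTheMethodBody() {
        assertThrows(AccessDeniedException.class, () -> service.getBooks());
    }
}
```

Two things the tests make visible that the annotations alone do not: both post-annotations run after the method body, so any side effect of that body (an audit record, a write, an expensive query) has already happened before a denial or a filter is applied; and @PostFilter loads the whole result set and then discards elements in memory, so for large collections the owner restriction belongs in the query itself rather than in a post-filter.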