@PreAuthorize not working on controller using


Posted on 16 Aug 2022, this text provides information on Syllabus Queries related to Course Queries. Please note that while accuracy is prioritized, the data presented might not be entirely correct or up-to-date. This information is offered for general knowledge and informational purposes only, and should not be considered as a substitute for professional advice.

manpreet (Best Answer), 2 years ago

I'm trying to use preAuthorize to protect a URL. Only people registered in the course can access the course. Here is my code:

Controller:

@Controller
@RequestMapping(value = "/course/{courseId}")
@PreAuthorize("@userService.isCurrentUserinCourse(authentication, courseId)")
public class SyllabusController {
    @RequestMapping(value = { "/syllabus" }, method = RequestMethod.GET)
    public ModelAndView syllabusPage(@PathVariable("courseId") int courseId) {
    ...}

UserServiceImpl:

@Service("userService")
public class UserServiceImpl implements UserService {
    @Autowired
    private UserDAO userDAO;

    @Override
    public boolean isUserinCourse(int userId, int courseId) {
        return userDAO.isUserinCourse(userId, courseId);
    }

    @Override
    public boolean isCurrentUserinCourse(Authentication authentication, int courseId) {
        // Anonymous (not logged in) callers are never course members.
        if (!(authentication instanceof AnonymousAuthenticationToken)) {
            return isUserinCourse(((UserModel) authentication.getPrincipal()).getId(), courseId);
        }
        return false;
    }
}

spring-security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<global-method-security pre-post-annotations="enabled" />

<http auto-config="true" use-expressions="true">

And when I go to /course/{id}/syllabus without logging in, it shows the page when it should not. And the debugger does not go into the isCurrentUserinCourse(Authentication authentication, int courseId) method in UserServiceImpl. where

manpreet 2 years ago
@PreAuthorize("@userService.isCurrentUserinCourse(authentication, courseId)")

You can get the authentication with the following static method

SecurityContextHolder.getContext().getAuthentication()

and you need to change courseId to #courseId, and you need to move this to the method, not the class, so you can change it to

    @PreAuthorize("@userService.isCurrentUserinCourse(#courseId)")
    @RequestMapping(value = { "/syllabus" }, method = RequestMethod.GET)
    public ModelAndView syllabusPage(@PathVariable("courseId") int courseId) {
    ...}
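
The approach from the answer above, written out as an added example that is not part of the original post: a one-argument service method that reads the authentication from SecurityContextHolder and denies by default, with @PreAuthorize on the handler method. The UserDAO and UserModel interfaces are stand-ins for the question's own types, and the "syllabus" view name is an assumption.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

// Stand-ins (assumptions) for the question's UserDAO and UserModel, which the page does not show.
interface UserDAO { boolean isUserinCourse(int userId, int courseId); }
interface UserModel { int getId(); }

@Service("userService")
class UserServiceImpl {
    @Autowired
    private UserDAO userDAO;

    // One-argument form, matching the expression used in the answer.
    public boolean isCurrentUserinCourse(int courseId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Deny by default: no authentication, anonymous token, or unauthenticated token.
        if (auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated()) {
            return false;
        }
        Object principal = auth.getPrincipal();
        // Deny instead of throwing ClassCastException if the principal is another type.
        if (!(principal instanceof UserModel)) {
            return false;
        }
        return userDAO.isUserinCourse(((UserModel) principal).getId(), courseId);
    }
}

@Controller
@RequestMapping("/course/{courseId}")
class SyllabusController {
    // Method-level check; #courseId refers to the handler's courseId argument.
    @PreAuthorize("@userService.isCurrentUserinCourse(#courseId)")
    @RequestMapping(value = "/syllabus", method = RequestMethod.GET)
    public ModelAndView syllabusPage(@PathVariable("courseId") int courseId) {
        return new ModelAndView("syllabus"); // view name is an assumption
    }
}
```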
