Mastering Dynamic Permissions in Spring Security 5.6 with SpEL
This article explains how Spring Security 5.6 simplifies dynamic permission control using annotation, SpEL‑based beans, and the new AuthorizationManager API, providing step‑by‑step code examples and configuration tips for developers seeking flexible, low‑overhead security solutions.
Fast‑Paced Spring Updates
Spring Boot now releases a new version every six months, and Spring Security follows a similar rapid lifecycle, requiring developers to keep up with the latest features.
Spring Security Dynamic Permissions
If your API permissions are stable, use annotation‑based security; otherwise, adopt dynamic permission control for greater flexibility, though it incurs higher development cost.
Common Approach
Earlier versions required implementing the FilterInvocationSecurityMetadataSource interface, which was complex and rarely covered in modern tutorials.
SpEL‑Based Method
This method requires:
A Spring bean.
The bean must expose a public method returning boolean with two parameters: Authentication (current authentication) and HttpServletRequest (current request).
Configure the method in HttpSecurity using the syntax @beanName.methodName(authentication,request).
Example bean definition:
@Bean
RoleChecker roleChecker() {
// implements boolean check(Authentication authentication, HttpServletRequest request);
return new JdbcRoleChecker();
}Configure in HttpSecurity:
httpSecurity.authorizeRequests()
.anyRequest()
.access("@roleChecker.check(authentication,request)");AuthorizationManager
Spring Security 5.6 introduces AuthorizationManager<T>, an interface that abstracts dynamic permission checks. It evaluates whether an Authentication can access a target object T, generalizing the role‑checking logic.
@FunctionalInterface
public interface AuthorizationManager<T> {
default void verify(Supplier<Authentication> authentication, T object) {
AuthorizationDecision decision = check(authentication, object);
if (decision != null && !decision.isGranted()) {
throw new AccessDeniedException("Access Denied");
}
}
@Nullable
AuthorizationDecision check(Supplier<Authentication> authentication, T object);
}Using the new API, dynamic permission can be implemented with a lambda:
httpSecurity.authorizeHttpRequests()
.anyRequest()
.access((authenticationSupplier, requestAuthorizationContext) -> {
Collection<? extends GrantedAuthority> authorities = authenticationSupplier.get().getAuthorities();
Map<String, String> variables = requestAuthorizationContext.getVariables();
HttpServletRequest request = requestAuthorizationContext.getRequest();
// Insert custom logic here to decide if access is granted
boolean isGranted = true;
return new AuthorizationDecision(isGranted);
});This approach lowers the entry barrier for dynamic security compared to earlier methods.
Would you still prefer annotation‑based security that requires rebuilding and redeploying the JAR for every permission change?
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.