Hello, why don't you add an enhancement that supports permissions at class level based on roles with the annotations @PreAuthorize/@PostAuthorize, for example @PreAuthorize("hasPermission('com.Book','READ')")? This means the bean method will be authorized only when the current user has the permission read on the class Book.

Code example: BookRepository.java

@PreAuthorize("hasPermission('com.Book','READ')")
public Book getById(String id);

I can give more specification about the enhancement once it gets accepted. Thanks,

Comment From: ihebhasni

This looks very useful!

Comment From: jzheaux

This looks quite similar to what is already supported. If it's not quite what you need, you can publish your own PermissionEvaluator.

If you are granting access to all Books, though, you might consider granting an authority at authentication time so the permission doesn't need to be recomputed on each request. For example, at authentication time, you could perform any necessary evaluation and then grant the user a book:read authority and do hasAuthority('book:read').
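The two suggestions in the comment above can be combined, shown here as an added example that is not code from the thread or from Spring Security itself: a custom PermissionEvaluator that resolves hasPermission('com.Book','READ') against a book:read authority granted at authentication time. The class names ClassLevelPermissionEvaluator and MethodSecurityConfig and the "simple class name:permission" naming scheme are assumptions, and the configuration assumes a Spring Security version that provides @EnableMethodSecurity.

```java
import java.io.Serializable;
import java.util.Locale;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;

// Hypothetical evaluator: hasPermission('com.Book','READ') is allowed only if the
// caller already holds the authority "book:read" (assumed naming scheme).
class ClassLevelPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Class-level form: the target is a class name string, not a domain instance.
        if (!(target instanceof String)) {
            return false; // fail closed on anything this evaluator does not understand
        }
        return hasPermission(auth, null, (String) target, permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated()
                || targetType == null || !(permission instanceof String)) {
            return false;
        }
        // "com.Book" + "READ" -> "book:read"
        String simpleName = targetType.substring(targetType.lastIndexOf('.') + 1);
        String required = (simpleName + ":" + permission).toLowerCase(Locale.ROOT);
        return auth.getAuthorities().stream()
                .anyMatch(granted -> required.equals(granted.getAuthority()));
    }
}

// Registers the evaluator so @PreAuthorize/@PostAuthorize expressions use it.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new ClassLevelPermissionEvaluator());
        return handler;
    }
}
```

Because the evaluator only compares strings already present on the Authentication, the permission is not recomputed per request, and any unrecognized target or permission type is denied rather than allowed.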