Michiel Trimpe (Migrated from SEC-1629) said:

Please consider adding the @WithPermission annotation which can be used to prevent a large number of Pre/Post annotations like:

    @PreAuthorize("hasPermission(#contact, 'admin')")
    @PostFilter("hasPermission(filterObject, 'read')")

and replace them with:

    public void delete(@WithPermission Interview interview) {
        em.remove(interview);
    }

    public @WithPermission Interview find(long interviewId) {
        return em.find(Interview.class, interviewId);
    }

Comment From: spring-projects-issues

Michiel Trimpe said:

Re-adding sample implementation.

Comment From: rwinch

You can create your own annotation and it will be picked up by the framework through Spring's meta-annotation support. For example:

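    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import org.springframework.security.access.prepost.PostFilter;
    import org.springframework.security.access.prepost.PreAuthorize;

    @Retention(RetentionPolicy.RUNTIME)
    @PreAuthorize("hasPermission(#contact, 'admin')")
    @PostFilter("hasPermission(filterObject, 'read')")
    public @interface WithPermission {
    }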

NOTE: We cannot really create the annotation for users as we don't know the arguments to hasPermission.