Summary

Allow multiple security annotations on a single method

Actual Behavior

Currently, if there are multiple annotations (PreAuthorize or Secured) on a single method, only one is actually used.

Proposed Behavior

Each annotation is evaluated with an AND condition connecting them all.

Rationale

This will work very well with meta annotations. Currently, complex security restrictions require code duplication. Instead, I could define a few common security constraints in their own meta annotations and compose my security requirements by placing the appropriate annotations on the method.

Version

Sample Proposed Behaviour

@SameOrganization
@Admin
@LoggedIn
public void updateUser(User user) {
  // update a user belonging to the same organization as me, where I am logged in and am an admin
}

Comment From: drenda

I think it's a good feature request. Has anyone considered this request?

Comment From: christian1607

It would be great; there would be no need to create combined-role annotations like @IsAdminAndUSer.

Comment From: rwinch

Anyone interested in putting together a pull request?

Comment From: parikshitdutta

Hi @rwinch, may I?

Comment From: rwinch

@parikshitdutta Thank you for volunteering. The issue is yours.

Comment From: jzheaux

Closing in favor of https://github.com/spring-projects/spring-security/pull/9630

Comment From: voronin-de

Would someone mind sharing how this issue and #9630 (the issue this particular issue has been closed in favour of) are related? I don't see this use case being solved by #9630 ...

Comment From: jzheaux

When using @EnableMethodSecurity, you can have multiple annotations on the same method, which is what #9630 adds.

Spring Security's annotations are not repeatable, so you can't have two instances of @PreAuthorize, but you can combine @PreAuthorize, @Secured, and JSR-250 annotations.

Comment From: kubav182

@jzheaux, but this is not what we are requesting: we want to repeat the PreAuthorize annotation, not combine multiple annotation types.

Use case: you have multiple rules, and some endpoints are related to some of them, so instead of creating 5 annotations for 5 rules and repeating them, we have to create many custom annotations for every possible combination we need. There could be some new annotation to group PreAuthorize, something like PreAuthorizeAll(PreAuthorize[]) and PreAuthorizeAny(PreAuthorize[]), or just allow repeating them with an AND operator.
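As an added illustration of the two points above (example code written for this thread, not from the issue or from Spring Security itself): under @EnableMethodSecurity, different annotation types on one method are each enforced, so all must allow the call (AND), while @PreAuthorize itself cannot be repeated, so the three conditions from the issue's sample are folded into a single meta-annotation. The jakarta imports assume Spring Security 6; the User type, its organizationId property and the principal exposing getOrganizationId() are assumptions.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

import jakarta.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

// Enables all three annotation families; each gets its own interceptor,
// so every annotation present on a method must allow the call (AND).
@Configuration
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig {
}

// One meta-annotation carrying the whole rule from the issue's sample:
// logged in AND admin AND same organization as the caller.
// Assumption: the principal exposes getOrganizationId() (not on the page).
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@PreAuthorize("isAuthenticated() and hasRole('ADMIN')"
        + " and #user.organizationId == authentication.principal.organizationId")
@interface SameOrganizationAdmin {
}

class UserService {

    // Equivalent of the issue's @SameOrganization @Admin @LoggedIn stack,
    // expressed as a single @PreAuthorize meta-annotation (not repeatable).
    @SameOrganizationAdmin
    public void updateUser(User user) {
        // update logic
    }

    // What #9630 does allow: distinct annotation types on one method.
    // A caller must satisfy all three checks for the call to proceed.
    @PreAuthorize("#user.organizationId == authentication.principal.organizationId")
    @Secured("ROLE_ADMIN")
    @RolesAllowed("AUDITOR") // ROLE_ prefix is added by the JSR-250 manager
    public void deleteUser(User user) {
        // delete logic
    }
}

// Minimal constructed domain type so the snippet compiles.
class User {
    private final long organizationId;
    User(long organizationId) { this.organizationId = organizationId; }
    public long getOrganizationId() { return organizationId; }
}
```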