π announcement - icon
If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:
>> LEARN SPRING SECURITYeBook β Guide Spring Cloud β NPI EA (cat=Spring Cloud)
eBook β Mockito β NPI EA (tag = Mockito)
π announcement - icon
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
eBook β Java Concurrency β NPI EA (cat=Java Concurrency)
π announcement - icon
Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.
Get started with understanding multi-threaded applications with our Java Concurrency guide:
eBook β Reactive β NPI EA (cat=Reactive)
π announcement - icon
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
eBook β Java Streams β NPI EA (cat=Java Streams)
π announcement - icon
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
eBook β Jackson β NPI EA (cat=Jackson)
eBook β HTTP Client β NPI EA (cat=Http Client-Side)
eBook β Maven β NPI EA (cat = Maven)
eBook β Persistence β NPI EA (cat=Persistence)
eBook β RwS β NPI EA (cat=Spring MVC)
Course β LS β NPI EA (cat=Jackson)
π announcement - icon
Get started with Spring and Spring Boot, through the Learn Spring course:
>> LEARN SPRINGCourse β RWSB β NPI EA (cat=REST)
π announcement - icon
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Course β LSS β NPI EA (cat=Spring Security)
π announcement - icon
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Course β LSD β NPI EA (tag=Spring Data JPA)
π announcement - icon
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Partner β Moderne β NPI EA (cat=Spring Boot)
π announcement - icon
Refactor Java code safely β and automatically β with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. Thatβs where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions β one for newcomers and one for experienced users. Youβll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Course β LJB β NPI EA (cat = Core Java)
1. Overview
In this article, weβll learn how to use the @PreFilter and @PostFilter annotations to secure operations in a Spring application.
When used together with the authenticated principal information, @PreFilter and @PostFilter allows us to define fine-grained security rules using Spring Expression Language.
2. Introducing @PreFilter and @PostFilter
Simply put, the @PreFilter and @PostFilter annotations are used to filter lists of objects based on custom security rules we define.
@PostFilter defines a rule for filtering the return list of a method, by applying that rule to every element in the list. If the evaluated value is true, the item will be kept in the list. Otherwise, the item will be removed.
@PreFilter works in a very similar fashion, however, the filtering is applied to a list that is being passed as an input parameter to the annotated method.
Both annotations can be used on methods or types (classes and interfaces). Weβll use them only on methods throughout this article.
Theses annotations are not active by default β weβll need to enable them with the @EnableMethodSecurity annotation and prePostEnabled = true (this is enabled by default in this annotation)- in our security configuration:
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class WebSecurityConfig {
// ...
}3. Writing Security Rules
To write the security rules in these two annotations β weβll make use of Spring-EL expressions; we can also use the built-in object filterObject to get a reference to the particular list element being tested.
Spring Security provides many other built-in objects to create very specific and exact rules.
For example, we can use @PreFilter to check if the assignee property of a Task object is equal to the name of the currently authenticated user:
@PostFilter("filterObject.assignee == authentication.name")
List<Task> findAll() {
...
}Weβve used the @PostFilter annotation here since we want the method to execute and get all tasks first, and they pass every single task from the list through our filter rule.
So, if the authenticated user is michael, the final list of tasks returned by the findAll method would only contain the tasks that are assigned to michael, even if the database has tasks assigned to jim and pam.
Now letβs make the rule a little bit more interesting. Assume that if a user is a manager they can see all tasks, regardless of whom they are assigned to:
@PostFilter("hasRole('MANAGER') or filterObject.assignee == authentication.name")
List<Task> findAll() {
// ...
}Weβve used the built-in method hasRole to check if the authenticated user has the role of MANAGER. If hasRole returns true, the task will be kept in the final list. So, if the user is a manager, the rule will return true for every item in the list. Thus the final list will contain all items.
Now letβs filter a list passed as a parameter to a save method using @PreFilter:
@PreFilter("hasRole('MANAGER') or filterObject.assignee == authentication.name")
Iterable<Task> save(Iterable<Task> entities) {
// ...
}The security rule is the same as the one weβve used on the @PostFilter example. The main difference here is that the list items will be filtered before the method executes, thus allowing us to remove some items from the list, preventing them from being saved in the database.
So jim, who is not a manager, may try to save a list of tasks, some of which are assigned to pam. However only those tasks assigned to jim will be included, the other ones will be ignored.
4. Performance on Large Lists
@PostFilter is really cool and easy to use, but it can be inefficient when dealing with very large lists since the fetching operation will retrieve all the data and apply the filter afterward.
Imagine, for example, that we have thousands of tasks in our database and we want to retrieve the five tasks that are currently assigned to pam. If we use @PostFilter, the database operation will fetch all the tasks first, and iterate through all of them to filter out the ones that are not assigned to pam.
5. Conclusion
This quick article explained how to create a simple, but secure, application using Spring Securityβs @PreFilter and @PostFilter annotations.
The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
