Spring Security @PreAuthorize Annotation for Method Security

@PreAuthorize is a part of Spring Security’s method-level security framework. It allows specifying authorization logic directly on methods in controller or service classes using SpEL-based expressions.

The @PreAuthorize annotation works by evaluating a Spring Expression Language (SpEL) expression before executing the target method. If the expression evaluates to false, Spring Security throws an AccessDeniedException, preventing the method from running.

Example Definition:

The value attribute accepts a SpEL expression that defines the security condition.

Common Use Cases

• Restricting access based on roles or authorities.
• Ensuring only authenticated users can access certain methods.
• Controlling access dynamically using custom user attributes or method parameters.

Understanding SpEL (Spring Expression Language) in @PreAuthorize

SpEL enables writing flexible access control expressions. Common usage examples include:

• hasRole('ROLE_ADMIN'): Grants access only to users having the specified role
• hasAuthority('READ_PRIVILEGE'): Checks whether the user has a specific authority
• isAuthenticated(): Ensures the user is authenticated (logged in)
• #id == authentication.principal.id: Allows access only when the resource belongs to the currently logged-in user

How @PreAuthorize Works

When a method annotated with @PreAuthorize is invoked, Spring Security follows this flow:

1. User Authentication: The user is authenticated by Spring Security.

2. Expression Evaluation: The SpEL expression defined in the annotation is evaluated using the user’s roles, authorities, or authentication object.

3. Access Decision:

• If the condition returns true, the method executes.
• If false, an AccessDeniedException is thrown.

Implementation of @PreAuthorize in Spring Boot

Below is a step-by-step guide to implementing method-level security using @PreAuthorize in a Spring Boot application.

Step 1: Create a Spring Boot Project

Create a new Spring Boot project using Maven with the following options:

• Name: spring-security-preauthorize
• Dependencies: Spring Web, Spring Security, Lombok, DevTools

Step 2: Add Dependencies

Your pom.xml file should include:

Project Structure

Step 3: Configure Application Properties

spring.application.name=spring-security-preauthorize

Step 4: Create the User Class

This simple User class models a user entity with fields for ID, username, and role.

Step 5: Create the UserService Class

This service returns a mock user for demonstration. In real-world scenarios, it would fetch user data from a database.

Step 6: Configure Spring Security

• @EnableMethodSecurity(prePostEnabled = true) enables method-level annotations like @PreAuthorize.
• A simple in-memory user user/password with role USER is configured.
• Basic authentication is used for simplicity.

Step 7: Create the UserController Class

The @PreAuthorize("hasRole('ROLE_USER')") annotation ensures that only users with the role ROLE_USER can access the /user endpoint. If an unauthorized user attempts to call this method, an AccessDeniedException will be thrown.

Step 8: Main Application Class

Step 9: Run the Application

Run the application using your IDE or Maven:

By default, it runs on port 8080.

Step 10: Testing the Application

Use Basic Authentication to test the secured endpoint.

Request:

GET: http://localhost:8080/user

Credentials:

• Username: user
• Password: password

Response:

If you try to access the endpoint without valid credentials or roles, you’ll receive Access Denied.