Method-Level Security with PreAuthorize
Learn method-level security in Spring Boot using @PreAuthorize, @PostAuthorize, SpEL expressions, roles, permissions, ownership checks, and service-layer authorization.
What You Will Learn
- Why service-layer authorization matters.
- How to enable method security.
- How to use @PreAuthorize.
- How to check roles, permissions, and ownership.
- Common mistakes in method-level security.
Introduction
URL security protects endpoints. Method-level security protects business operations.
This matters because many callers (several controllers, scheduled jobs, message listeners, or other APIs) may invoke the same service method, and a URL-level rule only covers the one path it was written for.
Enable Method Security
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize/@PostAuthorize; prePostEnabled is true by default
public class SecurityConfig {
}
Role-Based Check
// hasRole('ADMIN') matches the granted authority "ROLE_ADMIN"; the ROLE_ prefix is added for you.
@PreAuthorize("hasRole('ADMIN')")
public void deleteUser(Long userId) {
    // delete user
}
Permission-Based Check
// hasAuthority compares the exact authority string; no prefix is added.
@PreAuthorize("hasAuthority('POLICY_WRITE')")
public void updatePolicy(UpdatePolicyRequest request) {
    // update policy
}
Ownership Check
// #accountId is the method argument; authentication.principal must expose an accountId property.
@PreAuthorize("#accountId == authentication.principal.accountId")
public AccountDetails getAccount(Long accountId) {
    return accountRepository.findById(accountId).orElseThrow();
}
Custom Authorization Bean
// Delegates the decision to the Spring bean named "policySecurity", passing the caller and the argument.
@PreAuthorize("@policySecurity.canViewPolicy(authentication, #policyId)")
public PolicyDto getPolicy(Long policyId) {
    return policyService.load(policyId);
}
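The expression above only names the bean; what follows is an added example of what such a bean can look like. It is not code from the original article. The package, the `AppUserPrincipal` class (the principal type assumed to carry the `accountId` that the ownership check reads), the `PolicyRepository.findOwnerId` lookup, and the rule itself (admins and `POLICY_READ` holders see any policy, everyone else only their own) are all assumptions made for the example.

```java
package com.example.security; // hypothetical package

import java.util.Optional;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

// Hypothetical principal type: whatever your UserDetailsService returns, carrying the
// account id that the SpEL ownership check (authentication.principal.accountId) reads.
class AppUserPrincipal {
    private final Long accountId;
    private final String username;

    AppUserPrincipal(Long accountId, String username) {
        this.accountId = accountId;
        this.username = username;
    }

    public Long getAccountId() { return accountId; } // SpEL resolves "accountId" through this getter
    public String getUsername() { return username; }
}

// Hypothetical lookup used by the check; in a real application this is a repository method.
interface PolicyRepository {
    Optional<Long> findOwnerId(Long policyId);
}

// The bean that @PreAuthorize("@policySecurity.canViewPolicy(authentication, #policyId)") calls.
// The explicit bean name matches the "@policySecurity" reference in the expression.
@Component("policySecurity")
public class PolicySecurity {

    private final PolicyRepository policyRepository;

    public PolicySecurity(PolicyRepository policyRepository) {
        this.policyRepository = policyRepository;
    }

    // Rule (assumed for this example): ROLE_ADMIN or the POLICY_READ authority may view any
    // policy; anyone else only a policy they own. Every unexpected situation (no caller,
    // unknown principal type, unknown policy) is denied, so a bug fails closed.
    public boolean canViewPolicy(Authentication authentication, Long policyId) {
        if (authentication == null || !authentication.isAuthenticated() || policyId == null) {
            return false;
        }
        if (hasAuthority(authentication, "ROLE_ADMIN") || hasAuthority(authentication, "POLICY_READ")) {
            return true;
        }
        // An anonymous token reports isAuthenticated() == true, but its principal is a String,
        // so this type check is what actually keeps anonymous callers out of the ownership path.
        if (!(authentication.getPrincipal() instanceof AppUserPrincipal principal)) {
            return false;
        }
        // A policy that does not exist yields "denied", not an exception, so the caller cannot
        // tell "does not exist" apart from "not yours".
        return policyRepository.findOwnerId(policyId)
                .map(ownerId -> ownerId.equals(principal.getAccountId()))
                .orElse(false);
    }

    private static boolean hasAuthority(Authentication authentication, String name) {
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (name.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Keeping the rule in plain Java rather than a long SpEL string makes it unit-testable without a Spring context: construct `PolicySecurity` with a stub `PolicyRepository` and call `canViewPolicy` directly with a `UsernamePasswordAuthenticationToken` built around an `AppUserPrincipal`.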
Authorization Flow
flowchart TD
    A["Controller calls service"] --> B["@PreAuthorize"]
    B --> C["Evaluate expression"]
    C --> D{"Allowed?"}
    D -->|Yes| E["Run method"]
    D -->|No| F["AccessDeniedException"]
Best Practices
- Prefer permissions for complex systems.
- Keep expressions readable.
- Move complex checks to a bean.
- Test authorization rules.
- Never rely only on UI hiding.
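As an added example of the "test authorization rules" practice (not part of the original article), the test below exercises the role-based and permission-based snippets shown earlier with spring-security-test. It assumes `deleteUser` lives in a `UserService` bean and `updatePolicy` in the `PolicyService` bean, both annotated exactly as above, that `UpdatePolicyRequest` has a no-argument constructor, and that the package name is hypothetical.

```java
package com.example.security; // hypothetical package

import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

// Assumed: UserService.deleteUser carries @PreAuthorize("hasRole('ADMIN')") and
// PolicyService.updatePolicy carries @PreAuthorize("hasAuthority('POLICY_WRITE')").
// Requires spring-boot-starter-test and spring-security-test on the test classpath.
@SpringBootTest
class MethodSecurityRulesTest {

    @Autowired
    private UserService userService;

    @Autowired
    private PolicyService policyService;

    @Test
    @WithMockUser(roles = "ADMIN") // granted as ROLE_ADMIN, which hasRole('ADMIN') expects
    void adminMayDeleteUser() {
        assertDoesNotThrow(() -> userService.deleteUser(42L));
    }

    @Test
    @WithMockUser(roles = "USER")
    void ordinaryUserMayNotDeleteUser() {
        // The service body never runs: the interceptor throws before the method is entered.
        assertThrows(AccessDeniedException.class, () -> userService.deleteUser(42L));
    }

    @Test
    void callerWithoutAuthenticationIsRejected() {
        // No security context at all: rejected before any role is compared.
        assertThrows(AuthenticationCredentialsNotFoundException.class,
                () -> userService.deleteUser(42L));
    }

    @Test
    @WithMockUser(authorities = "POLICY_WRITE") // exact authority string, no ROLE_ prefix
    void policyWriterMayUpdatePolicy() {
        assertDoesNotThrow(() -> policyService.updatePolicy(new UpdatePolicyRequest()));
    }

    @Test
    @WithMockUser(authorities = "POLICY_READ")
    void policyReaderMayNotUpdatePolicy() {
        assertThrows(AccessDeniedException.class,
                () -> policyService.updatePolicy(new UpdatePolicyRequest()));
    }
}
```

Two caveats when writing such tests. First, the ownership check (`authentication.principal.accountId`) cannot be exercised with `@WithMockUser`, whose principal has no `accountId` property; use `@WithUserDetails` or a custom `@WithSecurityContext` factory that installs your own principal type. Second, the annotation is enforced by a Spring proxy, so a call from one method of the service to another annotated method of the same class (self-invocation) bypasses the check entirely; tests that go through the injected bean, as above, catch the rule but not that mistake, so keep checks on the methods that outside callers actually invoke.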
Summary
Method-level security protects business operations where they actually happen. Use it with URL security for defense in depth.
Learning Path Navigation
- Series home: Spring Security Learning Path
- Previous: Multi-Factor Authentication Implementation
- Next: Secure Microservice-to-Microservice Communication