SEC-1529: @PreAuthorize Example Correction #1770
I think the example should change from
@PreAuthorize("#contact.name == principal.name)")
to
@PreAuthorize("isAuthenticated() and #contact.name == principal.username")
Luke Taylor said:
I've fixed the extra bracket. Rather than adding isAuthenticated(), I've used "authentication.name" which will work in both cases, keeping it simpler and more directly related to the text. Users should also understand that the expressions are just examples and won't necessarily work directly in their application. Some methods will only be invoked by an authenticated user because of the web interface security constraints (as should be the case with the contacts sample app, from which the example expressions are taken) and adding an isAuthenticated() in that situation would be unnecessary.