SEC-1529: @PreAuthorize Example Correction #1770

spring-issuemaster opened this Issue Aug 4, 2010 · 1 comment

Rob Winch (Migrated from SEC-1529) said:

I think the example should change from

@PreAuthorize("#contact.name == principal.name)")
public void doSomething(Contact contact);

to
@PreAuthorize("isAuthenticated() and #contact.name == principal.username")
public void doSomething(Contact contact);


  1. Remove the stray ) character; syntax error
  2. add isAuthenticated; the AnonymousAuthenticationFilter places a String as the principal and not a UserDetails object (An IllegalArgumentException is thrown when the user is not authenticated without this).
  3. change principal.name to principal.username; UserDetails (the principal for authenticated object) contains a username property and not a name property

Luke Taylor said:

I've fixed the extra bracket. Rather than adding isAuthenticated(), I've used "authentication.name" which will work in both cases, keeping it simpler and more directly related to the text. Users should also understand that the expressions are just examples and won't necessarily work directly in their application. Some methods will only be invoked by an authenticated user because of the web interface security constraints (as should be the case with the contacts sample app, from which the example expressions are taken) and adding an isAuthenticated() in that situation would be unnecessary.
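The three expression forms discussed in this issue, exercised against an anonymous principal (a String) and an authenticated UserDetails principal. This is an added example, not code from the issue or from the Spring Security project. It assumes Spring Security 5.x (spring-security-config, which provides @EnableGlobalMethodSecurity) and spring-context on the classpath; the Contact and ContactService types are hypothetical stand-ins for the contacts sample, and the @P annotation is used only so that #contact resolves regardless of compiler debug flags.

```java
// Added example, not from the issue or the Spring Security code base.
// Assumes Spring Security 5.x + spring-context. Contact/ContactService are hypothetical.
import java.util.function.Function;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

public class PreAuthorizePrincipalDemo {

    /** Hypothetical domain object; SpEL resolves #contact.name through getName(). */
    public static class Contact {
        private final String name;
        public Contact(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /** Hypothetical service carrying the three expression variants from the thread. */
    public static class ContactService {
        // Original expression (with the stray ')' removed). Neither a String principal
        // (anonymous) nor a UserDetails principal exposes a 'name' property.
        @PreAuthorize("#contact.name == principal.name")
        public String viaPrincipalName(@P("contact") Contact contact) { return "done"; }

        // Rob's proposal: SpEL 'and' short-circuits, so principal.username is only
        // evaluated once isAuthenticated() is true and principal is a UserDetails.
        @PreAuthorize("isAuthenticated() and #contact.name == principal.username")
        public String viaPrincipalUsername(@P("contact") Contact contact) { return "done"; }

        // Luke's fix: Authentication.getName() returns the username for a UserDetails
        // principal and toString() of the principal otherwise, so it works for both.
        @PreAuthorize("authentication.name == #contact.name")
        public String viaAuthenticationName(@P("contact") Contact contact) { return "done"; }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public static class MethodSecurityConfig {
        @Bean
        public ContactService contactService() { return new ContactService(); }
    }

    /** Sets the given Authentication, calls the secured method and reports the outcome. */
    static String invoke(String label, Authentication auth, Function<Contact, String> method) {
        SecurityContextHolder.getContext().setAuthentication(auth);
        try {
            return label + ": permitted (" + method.apply(new Contact("alice")) + ")";
        } catch (AccessDeniedException e) {
            return label + ": denied (" + e.getMessage() + ")";
        } catch (IllegalArgumentException e) {
            // Spring Security wraps a SpEL EvaluationException in IllegalArgumentException,
            // which is the failure Rob describes for the unauthenticated case.
            return label + ": evaluation error (" + e.getMessage() + ")";
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        // What AnonymousAuthenticationFilter would install: the principal is a plain String.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "demo-key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        // What a form login would install: the principal is a UserDetails (User).
        Authentication alice = new UsernamePasswordAuthenticationToken(
                new User("alice", "unused", AuthorityUtils.createAuthorityList("ROLE_USER")),
                null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        try (AnnotationConfigApplicationContext ctx =
                     new AnnotationConfigApplicationContext(MethodSecurityConfig.class)) {
            ContactService svc = ctx.getBean(ContactService.class);
            for (Authentication auth : new Authentication[] { anonymous, alice }) {
                String who = auth.getPrincipal().getClass().getSimpleName() + " principal";
                System.out.println(invoke(who + " / principal.name", auth, svc::viaPrincipalName));
                System.out.println(invoke(who + " / isAuthenticated() and principal.username", auth, svc::viaPrincipalUsername));
                System.out.println(invoke(who + " / authentication.name", auth, svc::viaAuthenticationName));
            }
        }
    }
}
```

Running main() shows why each correction matters. With the anonymous token the principal is the String "anonymousUser", so principal.name cannot be evaluated and the interceptor surfaces the SpEL error as an IllegalArgumentException rather than an access denial; isAuthenticated() short-circuits the and operator before principal.username is touched, so the call is simply denied; and authentication.name compares "anonymousUser" against the contact name. With the alice token the User principal has a username property but no name property, so only the second and third expressions permit a Contact named alice. The evaluation error is worth noting operationally: it is not an AccessDeniedException and is therefore not handled by the usual access-denied paths.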

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
