How to add a custom security annotation to Spring MVC controller method

How to add a custom security annotation to Spring MVC controller method

I am using Java 8, Spring MVC 4, Spring Boot, and Gradle for my REST application.
I would like to add security to my REST application via custom method annotations within certain Spring MVC 4 controllers.
Here is a basic example.
HomeController.java
package myapp;

import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.RequestMapping;

@RestController
@RequestMapping(“/”)
public class HomeController {

@RequestMapping(“/”)
public String index() {
return “

Hello, World!

Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum

“;
}

@CustomSecurityAnnotation
@RequestMapping(“/secure”)
public String secure() {
return “

Secured!

Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum Lorem Ipsum

“;
}
}

I would like CustomSecurityAnnotation to run a custom method that will check the headers of the incoming REST request, look at HTTP header Authorization, pull the value provided (if one was provided), and run code against that value to validate the request before allowing the method to proceed. The annotation should have the ability to override the response and provide a HTTP 401 or 403 if the authorization is invalid, and allow the method under the annotation to run if I decide the annotation custom method passed successfully.
I realize there is something similar I could do with PreAuthorize and other MVC annotations but I’m looking at packaging up custom logic within a method inside a single annotation to be used on any method on any controller of my choosing.
Thanks!

Solutions/Answers:

Solution 1:

We also created a custom annotation in our project.
What you need to accomplish this, is a bit of Aspect Oriented Programming.

First you’ll want to create your own annotation to tag your methods, as follows:

public @interface CustomSecurityAnnotation {
}

Then you have to write the logic which is triggered when your method is executed.
You write an aspect for that.

@Aspect
@Component
public class CustomSecurityAspect {
    @Pointcut("@annotation(my.package.CustomSecurityAnnotation)")
    private void customSecurityAnnotation() {
    }

    @Around("my.package.CustomSecurityAspect.customSecurityAnnotation()")
    public Object doSomething(ProceedingJoinPoint pjp) throws Throwable {
        HttpServletRequest req = getRequest();
        // Check header values
        // Throw Spring's AccessDeniedException if needed
        return pjp.proceed();
    }

    private HttpServletRequest getRequest() {
        ServletRequestAttributes sra = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        return sra.getRequest();
    }
}

As you can see, I’ve already included a method to retrieve the current HTTP request so you can easily retrieve the header you want to check.

Related:  Can someone give me some basic XSS and sql injection scripts? (not what it seems)

In case of an AccessDeniedException, Spring automatically sets the response status code to HTTP 403.

Don’t forget to enable @EnableAspectJAutoProxy on your @Configuration class to enable aspects.

References