|
| 1 | +[[native-image-method-security]] |
| 2 | += Method Security in GraalVM Native Image |
| 3 | + |
| 4 | +Although xref:servlet/authorization/method-security.adoc[Method Security] is supported in GraalVM Native Image, there are some use cases that need additional hints provided by the application. |
| 5 | + |
| 6 | +== Using `@PreAuthorize` and `@PostAuthorize` Annotations |
| 7 | + |
| 8 | +Using `@PreAuthorize` and `@PostAuthorize` annotations require additional hints if you have a custom implementation of `UserDetails` or `Authentication` classes. |
| 9 | + |
| 10 | +Let's take an example where you have a custom implementation of `UserDetails` class as follows and that implementation is returned by your `UserDetailsService`: |
| 11 | + |
| 12 | +==== |
| 13 | +.Custom Implementation of UserDetails |
| 14 | +[source,java] |
| 15 | +---- |
| 16 | +public class CustomUserDetails implements UserDetails { |
| 17 | +
|
| 18 | + private final String username; |
| 19 | +
|
| 20 | + private final String password; |
| 21 | +
|
| 22 | + private final Collection<? extends GrantedAuthority> authorities; |
| 23 | +
|
| 24 | + public boolean isAdmin() { |
| 25 | + return this.authorities.contains(new SimpleGrantedAuthority("ROLE_ADMIN")); |
| 26 | + } |
| 27 | +
|
| 28 | + // constructors, getters and setters |
| 29 | +} |
| 30 | +---- |
| 31 | +==== |
| 32 | + |
| 33 | +And you want to use the `isAdmin()` method inside a `@PreAuthorize` annotation as follows: |
| 34 | + |
| 35 | +==== |
| 36 | +.Using isAdmin() to secure a method |
| 37 | +[source,java] |
| 38 | +---- |
| 39 | +@PreAuthorize("principal?.isAdmin()") |
| 40 | +public String hello() { |
| 41 | + return "Hello!"; |
| 42 | +} |
| 43 | +---- |
| 44 | +==== |
| 45 | + |
| 46 | +[NOTE] |
| 47 | +==== |
| 48 | +Remember that you need to xref:servlet/authorization/method-security.adoc#jc-enable-method-security[add `@EnableMethodSecurity` annotation] to your configuration class to enable method security annotations. |
| 49 | +==== |
| 50 | + |
| 51 | +If you https://docs.spring.io/spring-boot/docs/current/reference/html/native-image.html#native-image.developing-your-first-application[run the native image] of your application with the above configuration, you will get an error similar to the following when trying to invoke the `hello()` method: |
| 52 | + |
| 53 | +[source] |
| 54 | +---- |
| 55 | +failed: java.lang.IllegalArgumentException: Failed to evaluate expression 'principal?.isAdmin()' with root cause |
| 56 | +org.springframework.expression.spel.SpelEvaluationException: EL1004E: Method call: Method isAdmin() cannot be found on type com.mypackage.CustomUserDetails |
| 57 | +---- |
| 58 | + |
| 59 | +Which means that the `isAdmin()` method cannot be found on the `CustomUserDetails` class. |
| 60 | +This is because Spring Security uses reflection to invoke the `isAdmin()` method and GraalVM Native Image does not support reflection by default. |
| 61 | + |
| 62 | +To fix this issue, you need to give hints to GraalVM Native Image to allow reflection on the `CustomUserDetails#isAdmin()` method. |
| 63 | +We can do that by providing a https://docs.spring.io/spring-boot/docs/current/reference/html/native-image.html#native-image.advanced.custom-hints[custom hint]. |
| 64 | +In this example we are going to use {spring-framework-reference-url}core.html#core.aot.hints.register-reflection-for-binding[the `@RegisterReflectionForBinding` annotation]. |
| 65 | + |
| 66 | +[NOTE] |
| 67 | +==== |
| 68 | +You might need to register all your classes that you want to use in your `@PreAuthorize` and `@PostAuthorize` annotations. |
| 69 | +==== |
| 70 | + |
| 71 | +==== |
| 72 | +.Using @RegisterReflectionForBinding |
| 73 | +[source,java] |
| 74 | +---- |
| 75 | +@Configuration |
| 76 | +@RegisterReflectionForBinding(CustomUserDetails.class) |
| 77 | +public class MyConfiguration { |
| 78 | + //... |
| 79 | +} |
| 80 | +---- |
| 81 | +==== |
| 82 | + |
| 83 | +And that's it, now you can run the native image of your application and it should work as expected. |
0 commit comments