When do we use denyAll in spring security
I am a bit confused as to why anyone would use @PreAuthorize("denyAll")
for a method. According to spring security documentation, it always evaluates to false. If we do not allow access to a specific method, then what is the point of such a method. Why not comment on this? Or might it still be available from one class? I am trying to understand in what scenario such a requirement will arise. Thank.
source to share
One little clarification I found generally for denial was
The @DenyAll annotation can be used to restrict access to the business interface from any user, logged in or not. This method can still be called from within the bean itself.
So jist can be used for a method that is public or has been exposed for whatever reason (it probably implements an interface), but should never be called directly from the outside. However, they can be called from within (within the class).
here is the link
One real-world example I can give you (this is very related to my work). We have 2 business units with the same code base. Now, in one block there is a function where any mobile intermediary can directly call a service that cancels the voucher directly on the operator's side, and in another block we need to block this due to some business rule. Since we are using the same interface on both systems, so on the same system we blocked its use using denyall
Hope this gives you a clear idea.
source to share
I decorate the service classes in a way that requires the individual internal service methods to override the negative PreAuth annotation at the class level. This ensures that every method in the class is properly protected w / fallback to denyAll.
I know this is old, but I stumbled upon this while looking for the syntax for @PreAuthorize ('denyAll') and thought I would throw my 2cents away.
source to share