Spring Security entity field level security

Question

I have a Spring MVC application which presents a view which shows all of the fields from a Customer entity such as name, address, phone number etc. The application

Answer 1

I've managed to solve the problem using Spring AOP in AspectJ mode. The various Spring annotations such as @Transactional and @PreAuthorize will work on any non-Spring managed classes if you enable AspectJ mode and perform either compile time or load time weaving, there is a very good example here: https://github.com/spring-projects/spring-security/tree/4.0.1.RELEASE/samples/aspectj-jc

You need to make sure you have the spring-security-aspects dependency in your project (or plugin if you're using compile-time weaving) to enable weaving of @Secured annotations. Despite the comment in AnnotationSecurityAspect which describes the class as:

Concrete AspectJ aspect using Spring Security @Secured annotation for JDK 1.5+.

The class does actually weave the other Spring annotations including @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter.