hasPermission() in Spring Security doesnt call the the CustomPermissionEvaluator

Question

Please refer the real issue why my @PreAuthorize("hasPermission(#user,'write')") is not working

Basically I'am trying to check a normal user

My controllerClass

package com.***.appconfig.controller;

import com.***.appconfig.dao.UserDaoImplementation;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import com.***.appconfig.model.User;
import com.***.appconfig.security.CustomPermissionEvaluator;

@Controller
public class CheckPermissionController {
    public static User user = new User();
    UserDaoImplementation userDao = new UserDaoImplementation();
    Boolean directPermission = false;
    CustomPermissionEvaluator customPermissionEvaluator = new CustomPermissionEvaluator();

    @RequestMapping("/checkPermission")
    protected ModelAndView direct() throws Exception {
        System.out.println("in direct");
        user.setUserName("andrew");
        userDao.addListValues(user);
        System.out.println("before assign");
        directPermission = userDao.assignUser(user);
        System.out.print("after assign");
        if (directPermission) {
            return new ModelAndView("checkPermission");
        } else {
            return new ModelAndView("login");
        }
    }
}

Here is my Dao

import com.***.appconfig.model.User;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Component;
import java.util.HashMap;

@Component
public class UserDaoImplementation implements UserDao {

    @Override
    public User addListValues(User user) {
        HashMap < String, String > permissionList = new HashMap < String, String > ();
        permissionList.put("server", "write");
        user.setPermissionList(permissionList);
        return null;
    }

    @PreAuthorize("hasPermission(#user,'write')")
    public Boolean assignUser(User user) {
        System.out.println("in assign");
        return true;
    }
}

Here is my CustomPermissionEvaluator

package com.***.appconfig.security;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import com.***.appconfig.controller.CheckPermissionController;
import com.***.appconfig.model.User;
import com.***.appconfig.dao.UserDaoImplementation;
import java.io.Serializable;
import java.util.HashMap;

public class CustomPermissionEvaluator implements PermissionEvaluator {

    public static User user;
    public UserDaoImplementation userDao;

    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        setPermissions();
        String targetType = targetDomainObject.getClass().getSimpleName().toUpperCase();
        HashMap < String, String > permissionList = user.getPermissionList();
        System.out.print("before check");
        if (permissionList.containsValue("write")) {
            System.out.print("success check");
            hasPermission = true;
        }
        return hasPermission;
    }

    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        Boolean hasPermission = false;
        return hasPermission;
    }

    public void setPermissions() {
        user.setUserName("andrew");
        userDao.addListValues(user);
    }
}

I created a duplicate user object inorder to dynmically populate in PermissionEvaluator.The hasPermission() overrride is not getting called.

Here is my spring-security.xml

<http auto-config="true">
    <access-denied-handler error-page="/403page" />
    <intercept-url pattern="/user" access="ROLE_USER" />
    <intercept-url pattern="/admin" access="ROLE_ADMIN" />
    <form-login login-page='/login' username-parameter="username" password-parameter="password" default-target-url="/user" authentication-failure-url="/login?authfailed" />
    <logout logout-success-url="/login?logout" />
</http>
<global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
    <expression-handler ref="expressionHandler" />
</global-method-security>
<authentication-manager>
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select username, role from user_roles where username =?  " />
    </authentication-provider>
</authentication-manager>
<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>
<beans:bean name="permissionEvaluator" class="com.coolminds.appconfig.security.CustomPermissionEvaluator" />undefined</beans:beans>

Answer 1

Your Controller class should inject all dependencies to make sure Spring can create appropriate proxy objects:

package com.***.appconfig.controller;

import com.***.appconfig.dao.UserDaoImplementation;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import com.***.appconfig.model.User;

@Inject
UserDao userDao;

@Controller
public class CheckPermissionController {

    @RequestMapping("/checkPermission")
    protected ModelAndView direct() throws Exception {
        User user = new User();
        boolean directPermission = false;

        System.out.println("in direct");
        user.setUserName("andrew");
        userDao.addListValues(user);
        System.out.println("before assign");
        directPermission = userDao.assignUser(user);
        System.out.print("after assign");
        if (directPermission) {
            return new ModelAndView("checkPermission");
        } else {
            return new ModelAndView("login");
        }
    }
}