Skip to content

Spring security : How to use @RolesAllowed with @RequestBody

I have a method like this:

@RequestMapping(value = "/",
        method = RequestMethod.POST,
        produces = MediaType.APPLICATION_JSON_VALUE)
public MRSData modifyMarketData(@RequestBody RequestObject body){
    return, body);

public class RequestObject {
    private String _id;
    private Object metadata;
    private Object body;

Request looks like this:

    "_id": "5f4ba6b3d93a8c1452f596a0",
    "metadata": {

Now only certain roles are allowed to access “data_type=A”.

I want to use @RolesAllowed or equivalent to block the request based on @RequestBody

How should i achieve this?

Tx in advannce



If you want to filter based on request value, you can use @PreAuthorize.


Some examples:

Old answer:

You can use @PostAuthorize (or maybe @PostFilter) to restrict access based on the method’s return value.

User contributions licensed under: CC BY-SA
7 People found this is helpful