You can handle this with ACLs, as suggested by Tomasz Nurkiewicz. But Spring Security ACLs are complex and poorly documented. (The best resource I know for them is the book Spring Security 3, sponsored by Spring Security.)

But if you really only need this simple test, if (currentUser.id == photo.uploader.id), I would recommend a different technique.
You can extend the method security expressions that you can use in @PreAuthorize annotations. Like this:

    @PreAuthorize("isPhotoOwner(#photo)")
    public void doSomething(final Photo photo) {
        // only reached when the current user is the creator of the photo
    }
Implementing this isPhotoOwner expression is really simple at its core:

    import org.springframework.security.access.expression.method.MethodSecurityExpressionRoot;
    import org.springframework.security.core.Authentication;

    public class ExtendedMethodSecurityExpressionRoot extends MethodSecurityExpressionRoot {

        public ExtendedMethodSecurityExpressionRoot(final Authentication a) {
            super(a);
        }

        /** Called from SpEL as isPhotoOwner(#photo); the argument arrives untyped. */
        public boolean isPhotoOwner(final Object photoObject) {
            if (!(photoObject instanceof Photo)) {
                return false;
            }
            Photo photo = (Photo) photoObject;
            // 'authentication' is the protected field inherited from SecurityExpressionRoot
            return photo.getCreator().getLogin().equals(authentication.getName());
        }
    }
Unfortunately, there is some extra work to register the ExtendedMethodSecurityExpressionRoot. --- I don't have time at the moment; if you are willing to try this approach, leave a comment and I will tell you the rest.