SpringSecurity check method parameter

I need to restrict method execution with specific parameters. For example, some seller can create a bill for customer id=1 but can't for customer id=2. Is it possible to implement this in Spring Security, or should I make the check in business logic code?

Digestible answered 12/9, 2013 at 12:59 Comment(0)

There are multiple options here:

  • You can use the Spring Security ACL module to take the actual domain object into account for your security restrictions. It is a good option when you have multiple security rules like this.
  • If you have only one security rule like this, then using the ACL module may be overkill. In this case it will be better to make the check in your business code. You have two options to call this code:

    • Call it declaratively using an annotation. You will be able to reuse this check more easily, but you lose control over the raised exception (it will be the default AccessDeniedException):

      @PreAuthorize("hasRole('ROLE_AAA') and @billValidatorBean.validateForCustomer(#customerId)")
      public void createBill(Integer customerId, ...) {
      
    • Or implement it directly in the corresponding method, which gives you complete control over everything.

Choose your way depending on situation.

Weaponry answered 12/9, 2013 at 14:12 Comment(0)
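
An added example, not part of the answer above, showing what the bean behind the `@billValidatorBean.validateForCustomer(#customerId)` expression could look like. The `BillValidator` and `BillService` classes, the `MethodSecurityConfig` class, and the seller-to-customer map are hypothetical; only the `@PreAuthorize` expression comes from the answer.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize processing. On older Spring Security versions the
// equivalent is @EnableGlobalMethodSecurity(prePostEnabled = true).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// The bean name must match the "@billValidatorBean" reference in the expression.
@Component("billValidatorBean")
class BillValidator {

    // Constructed sample data (assumption): seller username -> customer ids the
    // seller may bill. A real application would look this up in its own store.
    private final Map<String, Set<Integer>> customersBySeller =
            Map.of("seller1", Set.of(1));

    public boolean validateForCustomer(Integer customerId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no authentication or no customer id means no access.
        if (auth == null || !auth.isAuthenticated() || customerId == null) {
            return false;
        }
        return customersBySeller
                .getOrDefault(auth.getName(), Set.of())
                .contains(customerId);
    }
}

@Service
class BillService {

    // "#customerId" resolves by parameter name, so compile with -parameters
    // (or debug info); otherwise the expression sees null and the check denies.
    @PreAuthorize("hasRole('ROLE_AAA') and @billValidatorBean.validateForCustomer(#customerId)")
    public void createBill(Integer customerId) {
        // Reached only when both the role check and the customer check pass.
    }
}
```

The check only runs when `createBill` is called through the Spring proxy, so a call from another method inside `BillService` itself bypasses it.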
