Filter request url based on func code - 1111 Spring security

hope, from the title itself, you would have guess, yes URL restriction based on JAS  response. 

googled.. tried implementing http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html 

i'm not sure you guys can follow the above link easily, however, in my case, i can. i say you why, i have implemented a functionality of disabling a button in JSP page.

for ref : http://stackoverflow.com/a/40166838/2573744

so, it looks like the continuation of that, thought will complete in some time. but it says, not so easy buddy. 😄

Case i)

earlier, i had the object in the session and i can get object as ${OBJECT} and give permission. 

<sec:accesscontrollist hasPermission="101001"   domainObject="${USER_FUNCTIONS}"> 

Now it is opposite, need to do the same implementation in JAVA used @PreAuthorize("hasPermission(OBJECT,'TEST123')"),  thought it would work. But it didn't.

got blocked in here..

current scenario, 
* having the object in the session, nee to get that object and make the @PreAuthorize to work. but, how i ll set the session object in the annotation.

i tried getting the session object gloabally using, 

HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder

.currentRequestAttributes()).getRequest();

HttpSession session = request.getSession();

List<String> functionList = (List<String>)session.getAttribute("OBJECT");

since in spring, the controller will compile in the run time itself, i got error. 

case ii)

since the case i) didn't worked, another !dea spared.
doing the restriction in the configuration itself, using

<intercept-url pattern="/test/edit/**" access="hasPermission(OBJECT,'TEST123')"/>

this also didn't worked.

Finding a way to fix it.

Finally, after a long waiting fixed it

https://stackoverflow.com/a/45354372/2573744