Spring Security Application Development (17) method-based authorization (i) Assessment

Source: Internet
Author: User

Spring Security provides 4 annotations for a method: @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter. This article describes the first 2 annotations.

@PreAuthorize

@PreAuthorize uses a Spring Security expression to control whether a method may execute; the expression is evaluated before the method runs. If the expression evaluates to false, the method is not executed. @PreAuthorize expressions usually check the parameters of the method.

@PostAuthorize

@PostAuthorize uses a Spring Security expression to control whether a method is allowed to return normally after it executes. The expression is evaluated only after the method has been executed; if the result is false, the method has still been executed, but the page will not be accessed normally. @PostAuthorize expressions usually check the return value of the method.

Setting the pre-post-annotations attribute of the global-method-security element in the spring-security.xml file to enabled turns on method-level, expression-based access control, so that the 4 annotations above can be used on methods.

    <global-method-security pre-post-annotations="enabled" />

This article uses the @PreAuthorize annotation to restrict the addUser() method of the UserService class so that only the user zhangsan can use it.

(1) UserService class:

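    import org.springframework.security.access.prepost.PreAuthorize;

    public class UserService {
        // Only the logged-in user "zhangsan" may call this method.
        @PreAuthorize("authentication.principal != null and 'zhangsan' == authentication.principal.username")
        public void addUser() {
            System.out.println("addUser called.");
        }
    }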

The parameter of the @PreAuthorize annotation is a Spring expression in which you can access the authentication object. Through authentication.principal you can obtain the principal object of the currently logged-in user, which is a UserDetails.

If you log in as zhangsan, you can access the addUser method normally; if you log in as another user, it cannot be accessed normally.

In the expressions of these annotations, in addition to security expressions such as hasRole() provided by Spring Security, you can also reference the parameters of the method, which requires the @Param annotation provided by Spring Data. This article does not give an illustrative example of that annotation.

(2) Configure the UserService bean.

    <bean id="userService" class="com.test.service.UserService" />

(3) Call the UserService method in HomeController.

    // Inside HomeController
    private UserService userService;

    public UserService getUserService() {
        return userService;
    }

    @Resource
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    @RequestMapping("/")
    public ModelAndView index() {
        ModelAndView mv = new ModelAndView();
        mv.addObject("message", "hello,welcome!");
        mv.setViewName("home/index");
        // Access to the addUser method is controlled by @PreAuthorize.
        this.userService.addUser();
        return mv;
    }

(4) Enable method-based expressions.

    <global-method-security pre-post-annotations="enabled" />

(5) Run the test.

When you log in as zhangsan, you can access the /home/ page normally.

When the @PreAuthorize annotation is not used, whether wangwu can access the /home page depends on the role configuration. When the @PreAuthorize annotation is used, wangwu cannot access it normally.
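The test in step (5) and the @PostAuthorize timing described earlier, as an added example that is not part of the original article. It assumes Spring Security 5.x with Java configuration, using @EnableGlobalMethodSecurity(prePostEnabled = true) in place of the XML attribute; the MethodSecurityDemo class, the findOwner() method and the loginAs()/attempt() helpers are hypothetical.

```java
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

public class MethodSecurityDemo {
    public static class UserService {
        @PreAuthorize("authentication.principal != null and 'zhangsan' == authentication.principal.username")
        public void addUser() { System.out.println("  addUser body ran"); }

        // Hypothetical method: the body runs first, then the return value is checked.
        @PostAuthorize("returnObject == authentication.principal.username")
        public String findOwner() { System.out.println("  findOwner body ran"); return "zhangsan"; }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // Java-config form of pre-post-annotations="enabled"
    public static class Config {
        @Bean public UserService userService() { return new UserService(); }
    }

    // Stands in for a real login: puts a UserDetails principal into the security context.
    static void loginAs(String name) {
        User principal = new User(name, "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities()));
    }

    static String attempt(Runnable call) {
        try { call.run(); return "allowed"; } catch (AccessDeniedException e) { return "denied"; }
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
            UserService svc = ctx.getBean(UserService.class); // proxied bean, so annotations are enforced
            loginAs("zhangsan");
            System.out.println("zhangsan addUser: " + attempt(svc::addUser));
            loginAs("wangwu");
            System.out.println("wangwu addUser: " + attempt(svc::addUser));     // body never runs
            System.out.println("wangwu findOwner: " + attempt(svc::findOwner)); // body runs, then denied
        }
    }
}
```

Because the @PostAuthorize body has already run when access is denied, any side effect of that method has taken place; keep state-changing operations behind @PreAuthorize.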
