Spring Security's method-level security is built on Spring AOP. It ships its own @Secured annotation, and in total Spring Security supports four ways of securing the method layer:
(1) Methods annotated with @Secured.
(2) Methods annotated with JSR-250's @RolesAllowed.
(3) Methods annotated with Spring's pre- and post-invocation annotations.
(4) Methods matching one or more explicitly declared pointcuts.
Enable method-level annotations:
<global-method-security secured-annotations="enabled"/>
1. Securing Methods with @Secured
@Secured({"ROLE_SPITTER", "ROLE_ADMIN"})
public void addSpittle(Spittle spittle) {
    // ...
}
Example description: the authenticated user must hold one of the two authorities ROLE_SPITTER or ROLE_ADMIN to call the method. A caller holding neither causes a subclass of AuthenticationException or AccessDeniedException to be thrown. If the method is called during a web request, Spring Security handles the exception automatically.
2. Using JSR-250's @RolesAllowed
<global-method-security jsr250-annotations="enabled"/>
JSR-250's @RolesAllowed and secured-annotations can be enabled at the same time. Enabling the JSR-250 annotations is the recommended way, because @RolesAllowed is a Java standard annotation.
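The following is an added example (not code from the original post or from the Spittr sample it describes) showing the Java-configuration equivalent of the three `<global-method-security>` switches, with `@RolesAllowed` and `@Secured` side by side on a hypothetical service. It assumes Spring Security 3.1 to 5.x, where the enabling annotation is `@EnableGlobalMethodSecurity`; in Spring Security 6 the same attributes live on `@EnableMethodSecurity`. The package name, `SpittleService` and the method bodies are assumptions; `Spittle` is the type used by the page's examples.

```java
// file: MethodSecurityConfig.java  (hypothetical package, assumption)
package com.habuma.spitter.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Java-config equivalent of the XML switches on this page. All three
// annotation styles may be active at the same time.
@Configuration
@EnableGlobalMethodSecurity(
        securedEnabled = true,   // <global-method-security secured-annotations="enabled"/>
        jsr250Enabled = true,    // <global-method-security jsr250-annotations="enabled"/>
        prePostEnabled = true)   // <global-method-security pre-post-annotations="enabled"/>
public class MethodSecurityConfig {
}
```

```java
// file: SpittleService.java  (hypothetical service, assumption)
package com.habuma.spitter.security;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class SpittleService {

    // JSR-250 standard annotation: the caller needs ANY ONE of the listed
    // roles (OR semantics), exactly like @Secured below.
    @RolesAllowed({"ROLE_SPITTER", "ROLE_ADMIN"})
    public void addSpittle(Spittle spittle) {
        // ...
    }

    // Spring-specific annotation with the same meaning as the method above.
    @Secured({"ROLE_SPITTER", "ROLE_ADMIN"})
    public void addSpittleSecured(Spittle spittle) {
        // ...
    }

    // Neither @Secured nor @RolesAllowed can require BOTH roles; that needs
    // a SpEL expression, which is why pre-/post-invocation annotations exist.
    @PreAuthorize("hasRole('ROLE_SPITTER') and hasRole('ROLE_ADMIN')")
    public void deleteSpittle(long id) {
        // ...
    }
}
```

Because all of these annotations are enforced by an AOP proxy, they only take effect on public methods of Spring-managed beans called from outside the bean; a method calling another annotated method on `this` bypasses the check entirely, so keep the annotation on the method that external callers actually invoke.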
3. Pre-/Post-invocation Security with SpEL
<global-method-security pre-post-annotations="enabled"/>
There are four main annotations:
(1) @PreAuthorize: restricts access to the method before it is invoked, based on the result of a SpEL expression.
@PreAuthorize("hasRole('ROLE_SPITTER')")
public void addSpittle(Spittle spittle) {
    // ...
}
Users who have the role ROLE_SPITTER can access the addSpittle method.
@PreAuthorize("(hasRole('ROLE_SPITTER') and #spittle.text.length() <= 140) "
        + "or hasRole('ROLE_PREMIUM')")
public void addSpittle(Spittle spittle) {
    // ...
}
A user who owns the role ROLE_SPITTER may only add a spittle whose text does not exceed 140 characters, while a user who owns the role ROLE_PREMIUM is not subject to this restriction.
(2) @PostAuthorize: allows the method to be invoked, but throws a security exception if the expression evaluates to false. This annotation is mainly used when the decision depends on the return value of the protected method, for example:
@PostAuthorize("returnObject.spitter.username == principal.username")
public Spittle getSpittleById(long id) {
    // ...
}
The result of this method is only handed to the caller when the returned Spittle object belongs to the authenticated user. Here returnObject is a name provided by Spring's SpEL support for referring to the method's return value, and principal is provided by Spring Security to represent the currently authenticated user. If the check fails, an AccessDeniedException is thrown.
(3) @PostFilter: allows the method to be invoked, but applies the expression to each element of the method's result to filter it.
(4) @PreFilter: allows the method to be invoked, but filters the method's input before it enters the method.
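The post-invocation and filtering annotations above, worked through on a hypothetical query service as an added example (this is not code from the original post or the Spittr sample). `SpittleQueryService`, `SpittleRepository` and its `findAll`/`delete`/`findOne` methods are assumptions; `Spittle`, `returnObject` and `principal` come from the page, and `filterObject` is the variable Spring Security binds to each element being filtered.

```java
// file: SpittleQueryService.java  (hypothetical service, assumption)
package com.habuma.spitter.service;

import java.util.List;

import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class SpittleQueryService {

    private final SpittleRepository repository;   // assumed repository type

    public SpittleQueryService(SpittleRepository repository) {
        this.repository = repository;
    }

    // @PostFilter runs AFTER the method: the whole list is loaded, then each
    // element is bound to 'filterObject' and dropped when the expression is
    // false. An admin keeps everything; everyone else keeps only their own.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.spitter.username == principal.username")
    public List<Spittle> getAllSpittles() {
        return repository.findAll();
    }

    // @PreFilter runs BEFORE the method: the collection argument is trimmed in
    // place, so the body never sees an element the caller may not delete.
    // The argument must therefore be a mutable collection; an unmodifiable
    // List makes the filter throw instead of silently passing everything.
    @PreFilter("hasRole('ROLE_ADMIN') or filterObject.spitter.username == principal.username")
    public void deleteSpittles(List<Spittle> spittles) {
        for (Spittle spittle : spittles) {
            repository.delete(spittle);
        }
    }

    // @PostAuthorize: the body executes first and only the result is withheld,
    // so guard reads, not writes, with it. SpEL 'or' short-circuits, so the
    // null test protects 'returnObject.spitter' when nothing was found.
    @PostAuthorize("returnObject == null or returnObject.spitter.username == principal.username")
    public Spittle getSpittleById(long id) {
        return repository.findOne(id);
    }
}
```

Two points worth keeping in mind when reviewing code like this: `@PostFilter` still performs the full query, so it is an authorization control, not a performance one, and a large unfiltered result set is loaded before being cut down; and any side effect inside a `@PostAuthorize`-protected method has already happened by the time the AccessDeniedException is thrown.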
4. Declaring security pointcuts for the method layer
Used to add security to multiple methods at once:
<global-method-security>
    <protect-pointcut access="ROLE_SPITTER"
        expression="execution(@com.habuma.spitter.Sensitive * *.*(String))"/>
</global-method-security>
This configuration matches any method annotated with @Sensitive that takes a single String parameter, and the access attribute names the role the authenticated user must hold to call the methods the expression identifies.
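An added example (not from the original post or the Spittr sample) of the annotation that pointcut refers to, together with a hypothetical service showing which methods the expression `execution(@com.habuma.spitter.Sensitive * *.*(String))` does and does not match. The package `com.habuma.spitter` is taken from the page's pointcut; `SpitterNotificationService` and its methods are assumptions.

```java
// file: Sensitive.java
package com.habuma.spitter;   // must match the fully qualified name in the pointcut

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

// Marker annotation referenced by <protect-pointcut>. RUNTIME retention is
// essential: Spring AOP matches the pointcut by reflection at runtime, so a
// SOURCE- or CLASS-retained annotation would never match and every method
// meant to be protected would silently stay open.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface Sensitive {
}
```

```java
// file: SpitterNotificationService.java  (hypothetical service, assumption)
package com.habuma.spitter.service;

import com.habuma.spitter.Sensitive;
import org.springframework.stereotype.Service;

@Service
public class SpitterNotificationService {

    // MATCHES: annotated, any return type (*), any class (*.), any name (*),
    // exactly one String parameter. Caller must hold ROLE_SPITTER.
    @Sensitive
    public void notifyFollowers(String message) {
        // ...
    }

    // DOES NOT MATCH: two parameters, but the pattern lists exactly (String).
    // This method is unprotected by the pointcut above.
    @Sensitive
    public void notifyFollower(String username, String message) {
        // ...
    }

    // DOES NOT MATCH: the signature fits but the annotation is missing.
    public void logMessage(String message) {
        // ...
    }
}
```

When auditing a pointcut-based configuration, the parameter pattern deserves the same scrutiny as the annotation: a method that is annotated but has a signature the pattern does not cover gets no protection at all, which is why `(..)` is the usual choice unless a specific overload really is the only one that needs securing.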