How to implement Annotation-based Interface role access Control in Spring Security

2025-01-18 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

In this article the editor explains in detail how to implement annotation-based interface role access control in Spring Security. The content is detailed, the steps are clear, and the details are handled carefully; hopefully it will resolve any doubts you have on the subject.

1. Preface

How to obtain the DEMO is described at the end of the article.

2. Spring Security method security

Spring Security annotation-based security authentication is achieved by marking security annotations on related methods.

2.1 enable global method security

We can place the @EnableGlobalMethodSecurity annotation on any @Configuration class to enable global method security annotations. This annotation provides three different mechanisms for the same function, so each is discussed in its own section.

3. The @EnableGlobalMethodSecurity annotation

```java
@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = {java.lang.annotation.ElementType.TYPE})
@Documented
@Import({GlobalMethodSecuritySelector.class})
@EnableGlobalAuthentication
@Configuration
public @interface EnableGlobalMethodSecurity {
    /** expression-based method access control */
    boolean prePostEnabled() default false;
    /** based on the @Secured annotation */
    boolean securedEnabled() default false;
    /** based on JSR-250 annotations */
    boolean jsr250Enabled() default false;
    boolean proxyTargetClass() default false;
    int order() default Ordered.LOWEST_PRECEDENCE;
}
```

The @EnableGlobalMethodSecurity source provides three switches: prePostEnabled, securedEnabled and jsr250Enabled. When you turn on global annotation-based method security, that is, when you use @EnableGlobalMethodSecurity, you need to enable one or more of these three. Each is introduced separately below.

4. Use prePostEnabled

If you set prePostEnabled to true in @EnableGlobalMethodSecurity, expression-based method security control is enabled. Whether a call is allowed is determined by the Boolean result of evaluating the expression (true grants access, false rejects it).

Sometimes you may need more complex customisation when enabling prePostEnabled. In those cases you can extend GlobalMethodSecurityConfiguration and make sure @EnableGlobalMethodSecurity(prePostEnabled = true) is present on the subclass. For example, if you want to provide a custom MethodSecurityExpressionHandler:

```java
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // ... create and return a custom MethodSecurityExpressionHandler ...
        // (the default implementation is shown here as a placeholder)
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        return expressionHandler;
    }
}
```

The above example is an advanced operation and is generally not necessary. Four annotations are enabled whether or not you extend GlobalMethodSecurityConfiguration. @PreAuthorize and @PostAuthorize control whether the method call itself is allowed, while @PreFilter and @PostFilter control the data that flows in and out of it.

4.1 @PreAuthorize

Before the annotated method is called, an expression is evaluated to decide whether access is granted. The commonly used kinds of expression are summarised below.

Expressions based on the SecurityExpressionOperations interface, the same operations used in the Java config from the previous article. Example: @PreAuthorize("hasRole('ADMIN')") requires the ROLE_ADMIN role.

Expressions based on the UserDetails principal, used to apply additional conditions to the current user. Example: @PreAuthorize("principal.username.startsWith('Felordcn')") allows access only to users whose username begins with Felordcn.

SpEL expressions over the method's input parameters. Example: @PreAuthorize("#id.equals(principal.username)") requires the input parameter id to equal the current username.

4.2 @ PostAuthorize

After the annotated method is called, an expression is evaluated to decide whether access is granted. This annotation is the counterpart of @PreAuthorize; the difference is that the method body executes first and the expression is evaluated afterwards. If the method has no return value, this is effectively no access control at all, because the work has already been done; if there is a return value, the user's operation has succeeded but the response is withheld.
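The three @PreAuthorize expression forms above and the @PostAuthorize timing difference, shown in one service. This is an added example, not code from the original article or its DEMO; the AccountService, Account class and method names are assumptions, and returnObject / authentication.name are Spring Security's built-in expression variables.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize / @PostAuthorize (and @PreFilter / @PostFilter).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical service: the class, its methods and Account are assumptions for this example.
@Service
class AccountService {

    public static class Account {
        private final String owner;
        public Account(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    // SecurityExpressionOperations: the caller must hold ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String id) { /* ... */ }

    // UserDetails principal: only users whose name starts with "Felordcn".
    @PreAuthorize("principal.username.startsWith('Felordcn')")
    public void internalTool() { /* ... */ }

    // SpEL over a method argument: #id must equal the current username, so a
    // user can only read their own account. Referring to #id by name needs
    // parameter names in the class file (compile with -parameters) or @P("id").
    @PreAuthorize("#id.equals(principal.username)")
    public Account readOwn(String id) { return lookup(id); }

    // @PostAuthorize: lookup() runs first, then the expression is evaluated on
    // the returned Account. If the owner is not the caller, AccessDeniedException
    // is thrown and the result is withheld, but lookup() has already executed
    // (and any side effects, such as audit logging, have already happened).
    @PostAuthorize("returnObject.owner == authentication.name")
    public Account readById(String id) { return lookup(id); }

    private Account lookup(String id) { return new Account(id); }   // constructed stand-in for a repository
}
```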

4.3 @ PreFilter

The input parameters are filtered based on an expression over them. Use this carefully with pagination! The filtering happens before the method body receives its parameters. The input parameter must be a java.util.Collection that supports remove(Object). If the method has several collection parameters, you must name the one to filter with filterTarget=. The built-in reserved name filterObject refers to the current collection element while the expression is evaluated.

Example:

```java
// the input parameter is a Collection named ids; test data ["Felordcn", "felord", "jetty"]
// felord and jetty are filtered out, leaving Felordcn
@PreFilter(value = "filterObject.startsWith('F')", filterTarget = "ids")

// if the current user holds the ROLE_AD role every parameter is kept, otherwise elements that do not start with f are filtered out
// the DEMO user does not hold ROLE_AD, so only felord is left in the collection
@PreFilter("hasRole('AD') or filterObject.startsWith('f')")
```

4.4 @PostFilter

Unlike @PreFilter, this filters the return value based on the associated expression. Use this carefully with pagination! The filtering happens after the method has produced its result and before the interface returns the data.
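The @PreFilter cases from 4.3 (including filterTarget) next to a @PostFilter method, with the pagination pitfall spelled out in the comments. This is an added example, not from the original article or its DEMO; DocumentService, Document and the method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

// Hypothetical service; requires @EnableGlobalMethodSecurity(prePostEnabled = true) elsewhere.
@Service
class DocumentService {

    public static class Document {
        private final String owner;
        private final String title;
        public Document(String owner, String title) { this.owner = owner; this.title = title; }
        public String getOwner() { return owner; }
        public String getTitle() { return title; }
    }

    // Two collection parameters, so filterTarget names the one to filter.
    // The collection must be mutable: an immutable List.of(...) fails on remove().
    // Elements not starting with 'F' are removed before the method body runs.
    @PreFilter(value = "filterObject.startsWith('F')", filterTarget = "ids")
    public void archive(List<String> ids, List<String> tags) { /* ... */ }

    // ROLE_AD keeps every element; everyone else only keeps ids starting with 'f'.
    @PreFilter("hasRole('AD') or filterObject.startsWith('f')")
    public void tagAll(List<String> ids) { /* ... */ }

    // Return-value filtering: the query is NOT narrowed. Every row is loaded and
    // rows not owned by the caller are dropped afterwards. With pagination a
    // "page of 20" may therefore come back with fewer than 20 elements while the
    // caller still paid for loading all of them; for paged results put the
    // owner condition into the query instead of relying on @PostFilter.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Document> listDocuments() {
        List<Document> docs = new ArrayList<>();     // constructed sample data
        docs.add(new Document("felord", "roadmap"));
        docs.add(new Document("jetty", "budget"));
        return docs;                                 // caller "felord" only sees "roadmap"
    }
}
```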

5. Use securedEnabled

If you set securedEnabled to true in @EnableGlobalMethodSecurity, the role annotation @Secured is enabled, which is much simpler. By default, access control decisions can only be made based on a set of roles (prefixed with ROLE_ by default).

The mechanism of this annotation is that it can be accessed as long as its declared role set (value) contains any role held by the current user. That is, there must be a non-empty intersection between the user's role set and the @ Secured annotated role set. Using SpEL expressions to make decisions is not supported.

6. Use jsr250Enabled

This enables the JSR-250 security annotations, which are part of the JavaEE security specification (now the Jakarta project). There are five security annotations in total. If you set jsr250Enabled to true in @EnableGlobalMethodSecurity, the following three of them are enabled:

@DenyAll denies all access

@PermitAll permits all access

@RolesAllowed is used in the same way as @Secured in section 5.
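The role-intersection rule from section 5 and the three JSR-250 annotations from section 6 in one service, with securedEnabled and jsr250Enabled turned on together. This is an added example, not from the original article or its DEMO; ReportService and its method names are assumptions, and the javax.annotation.security imports assume a Spring Security 5 / Spring Boot 2 classpath.

```java
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true)
class RoleSecurityConfig {
}

// Hypothetical service; the class and method names are assumptions for this example.
@Service
class ReportService {

    // Non-empty intersection: a caller holding ROLE_ADMIN *or* ROLE_AUDITOR passes.
    // @Secured compares the full authority string, so the ROLE_ prefix is written out;
    // @Secured("ADMIN") would never match a ROLE_ADMIN authority.
    @Secured({"ROLE_ADMIN", "ROLE_AUDITOR"})
    public String monthlyReport() { return "monthly"; }

    // Same decision with JSR-250. Spring's JSR-250 support prepends the default
    // ROLE_ prefix when it is missing, so "ADMIN" resolves to ROLE_ADMIN here.
    @RolesAllowed({"ADMIN", "AUDITOR"})
    public String yearlyReport() { return "yearly"; }

    // Any authenticated caller that reaches the method may invoke it.
    @PermitAll
    public String publicSummary() { return "summary"; }

    // No caller may invoke it: a way to hard-disable a method while keeping the code.
    @DenyAll
    public String legacyExport() { return "legacy"; }
}
```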

This concludes the article "How to implement Spring Security annotation-based interface role access control". To master the points covered here you still need to practise and apply them yourself. For more related articles, please follow the industry information channel.
