Spring Security(十七):5.8 Method Security

From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework’s original @Secured annotation. From 3.0 you can also make use of new expression-based annotations. You can apply security to a single bean, using the intercept-methods element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts.

从版本2.0开始,Spring Security大大提高了对服务层方法的安全性的支持。它为JSR-250注释安全性以及框架的原始@Secured注释提供支持。从3.0开始,您还可以使用基于表达式的新注释。您可以将安全性应用于单个bean,使用intercept-methods元素来装饰bean声明,或者可以使用AspectJ样式切入点在整个服务层中保护多个bean。

5.8.1 EnableGlobalMethodSecurity

We can enable annotation-based security using the @EnableGlobalMethodSecurity annotation on any @Configuration instance. For example, the following would enable Spring Security’s @Secured annotation.

我们可以在任何@Configuration实例上使用@EnableGlobalMethodSecurity批注启用基于注释的安全性。例如,以下内容将启用Spring Security的@Secured注释。

@EnableGlobalMethodSecurity(securedEnabled = true)
public class MethodSecurityConfig {
// ...
}

Adding an annotation to a method (on a class or interface) would then limit the access to that method accordingly. Spring Security’s native annotation support defines a set of attributes for the method. These will be passed to the AccessDecisionManager for it to make the actual decision:

然后,在方法(类或接口)上添加注释会相应地限制对该方法的访问。 Spring Security的本机注释支持为该方法定义了一组属性。这些将传递给AccessDecisionManager,以便做出实际决定:

public interface BankService {

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account readAccount(Long id);

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account[] findAccounts();

@Secured("ROLE_TELLER")
public Account post(Account account, double amount);
}

Support for JSR-250 annotations can be enabled using

可以使用支持JSR-250注释

@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class MethodSecurityConfig {
// ...
}

These are standards-based and allow simple role-based constraints to be applied but do not have the power Spring Security’s native annotations. To use the new expression-based syntax, you would use

这些是基于标准的,允许应用简单的基于角色的约束,但没有Spring Security的本机注释功能。要使用新的基于表达式的语法,您可以使用

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
// ...
}

and the equivalent Java code would be

和等效的Java代码

public interface BankService {

@PreAuthorize("isAnonymous()")
public Account readAccount(Long id);

@PreAuthorize("isAnonymous()")
public Account[] findAccounts();

@PreAuthorize("hasAuthority(‘ROLE_TELLER‘)")
public Account post(Account account, double amount);
}

5.8.2 GlobalMethodSecurityConfiguration

Sometimes you may need to perform operations that are more complicated than are possible with the @EnableGlobalMethodSecurity annotation allow. For these instances, you can extend the GlobalMethodSecurityConfiguration ensuring that the @EnableGlobalMethodSecurity annotation is present on your subclass. For example, if you wanted to provide a custom MethodSecurityExpressionHandler, you could use the following configuration:

有时您可能需要执行比@EnableGlobalMethodSecurity批注允许更复杂的操作。对于这些实例,您可以扩展GlobalMethodSecurityConfiguration,确保子类上存在@EnableGlobalMethodSecurity批注。例如,如果要提供自定义MethodSecurityExpressionHandler,可以使用以下配置:

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
	@Override
	protected MethodSecurityExpressionHandler createExpressionHandler() {
		// ... create and return custom MethodSecurityExpressionHandler ...
		return expressionHandler;
	}
}

For additional information about methods that can be overridden, refer to the GlobalMethodSecurityConfiguration Javadoc.

有关可以覆盖的方法的其他信息,请参阅GlobalMethodSecurityConfiguration Javadoc。

原文地址:https://www.cnblogs.com/shuaiandjun/p/10134357.html

时间: 2024-11-07 06:21:59

Spring Security(十七):5.8 Method Security的相关文章

spring rest项目提示Request method 'PUT' not supported Method Not Allowed 405 错误

{ "timestamp": "2019-04-28 17:43:07", "status": 405, "error": "Method Not Allowed", "message": "Request method 'PUT' not supported", "path": "/customer" } 今天项目发布后,发现

扩展Wcf call security service, 手动添加 Soap Security Head.

有次我们有个项目需要Call 一个 Java 的 web service, Soap包中需要一个 Security Head <soapenv:Header> <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> <w

Spring 通过工厂方法(Factory Method)来配置bean

Spring 通过工厂方法(Factory Method)来配置bean 在Spring的世界中, 我们通常会利用bean config file 或者 annotation注解方式来配置bean. 在第一种利用bean config file(spring xml)方式中, 还包括如下三小类 反射模式 工厂方法模式(本文重点) Factory Bean模式 其中反射模式最常见, 我们需要在bean 配置中指明我们需要的bean object的全类名. 例如: <bean id="car1

上一封 下一封 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4,Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update2019-002 High Sierra, Security Update 2019-002 Sierra macOS Mojave 10.14.4, Security Update 2019-002 High Sierra,Security Update 2019-002 Sierra are now available andaddresses the following: A

Spring Security(二十二):6.4 Method Security

From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework's original @Secured annotation. From 3.0 you c

Security Access Control Strategy &amp;&amp; Method And Technology Research - 安全访问控制策略及其方法技术研究

catalog 0. 引言 1. 访问控制策略 2. 访问控制方法.实现技术 0. 引言 访问控制是网络安全防范和客户端安全防御的主要策略,它的主要任务是保证资源不被非法使用.保证网络/客户端安全最重要的核心策略之一.访问控制包括 1. 入网访问控制 2. 网络权限控制 3. 目录级控制 4. 属性控制等多种手段 访问控制相关领域知识是CISSP的重要章节,本文将重点讨论访问控制模型.及其相关的方法和技术 0x0: 访问控制概念组成 访问控制涉及到三个基本概念 1. 主体 是一个主动的实体,它包

Spring Instantiation with a factory method

Spring Init A Bean with Factory  1.静态工厂方法获取bean <bean id="clientService" class="examples.ClientService" factory-method=    "createInstance"/>  public class ClientService {             private static ClientService client

Spring Boot(十七):使用 Spring Boot 上传文件

上传文件是互联网中常常应用的场景之一,最典型的情况就是上传头像等,今天就带着带着大家做一个 Spring Boot 上传文件的小案例. 1.pom 包配置 我们使用 Spring Boot 版本 2.1.0.jdk 1.8.tomcat 8.0. <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId&

Spring(十七):Spring AOP(二):通知(前置、后置、返回、异常、环绕)

AspectJ支持5种类型的通知注解: @Before:前置通知,在方法执行之前执行: @After:后置通知,在方法执行之后执行: @AfterRunning:返回通知,在方法返回结果之后执行(因此该通知方法在方法抛出异常时,不能执行): @AfterThrowing:异常通知,在方法抛出异常之后执行: @Around:环绕通知,围绕着方法执行. @Before:前置通知 @After:后置通知 @AfterRunning:返回通知 @AfterThrowing:异常通知 @Around:环绕