Use of @Secured, @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter in user authorization

First, the meaning of a few English words used throughout:

Authorize: to grant permission (authorization)

Authentication: verifying the identity of a user

secured: protected

Where is it used?

These five annotations are all placed on methods in the controller.

Enable annotations for Spring Security

First, enable the annotations in the startup class or in a configuration class (one annotated with @Configuration), because Spring Security leaves them disabled by default. To enable them, add @EnableGlobalMethodSecurity to the startup class or configuration class.

To enable @Secured, add @EnableGlobalMethodSecurity(securedEnabled = true) to the startup class or configuration class; to enable @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter, add @EnableGlobalMethodSecurity(prePostEnabled = true).

Therefore, to use all five annotations, first add @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) to the startup class, which enables them in Spring Security, and then place them on the controller methods.

@Secured annotation

How @Secured works: when the browser sends a request that maps to a controller method, Spring Security first checks, before the method is entered, whether the user object returned by the UserDetailsService implementation carries the role named in the @Secured annotation. If it does, the user is allowed to run the controller method; otherwise access is denied. Note that a role name given to @Secured must carry the ROLE_ prefix.

In the UserDetailsService implementation the user is granted the role ROLE_xzy, so the user can access the update method in the controller and the request succeeds in the browser.

@PreAuthorize annotation (permission check before the method is entered)

How @PreAuthorize works: the browser sends a request that maps to a controller method, and @PreAuthorize performs the permission check before that method is entered. It looks at the user returned by the UserDetailsService implementation and asks whether the user has the required authority. If so, the request enters the controller method; if not, the request is refused before the method runs.

The @PreAuthorize annotation is placed on the controller method in the same way. In the UserDetailsService implementation the user is granted the authority admins, so the user can access the update2 method in the controller and the request succeeds in the browser.

@PostAuthorize annotation (permission check after the method has run)

How @PostAuthorize works: the controller method body is executed first, and the permission check happens when the method reaches its final return. Spring Security then asks whether the user from the UserDetailsService implementation has the required authority. If so, the method's return completes normally; otherwise the return does not complete and the request is denied.

Here @PostAuthorize requires the authority admins4 or admins5. Because the user in the UserDetailsService implementation has only the authority admins, the return in the controller method does not complete and the browser does not receive the method's result. Nevertheless, the print statements inside the update3 method still appear in the IDEA console.

This shows that with @PostAuthorize the controller method runs first and the permission check happens only when the final return is reached; any side effects inside the method body have therefore already taken place by the time access is denied.
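As an added example (not code from the original post), the following reconstructs in one file the three pieces described above: the configuration that enables the annotations, a UserDetailsService that issues the ROLE_xzy role and the admins authority, and the update, update2 and update3 controller methods with their @Secured, @PreAuthorize and @PostAuthorize checks. The class names, the password and the return strings are assumptions; the method and authority names are the post's.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Step 1: turn the annotations on; Spring Security ignores them otherwise.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

// Step 2: the authorities every check compares against come from here.
@Service
class MyUserDetailsService implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) {
        // Constructed demo user (assumption): one role, which @Secured requires to carry
        // the ROLE_ prefix, and one plain authority. {noop} marks a plaintext test password.
        return new User(username, "{noop}123",
                AuthorityUtils.createAuthorityList("ROLE_xzy", "admins"));
    }
}

// Step 3: the annotated controller methods (names taken from the post).
@RestController
class TestController {
    @Secured("ROLE_xzy")                    // evaluated before the body runs
    @GetMapping("/update")
    public String update() { return "hello update"; }

    @PreAuthorize("hasAuthority('admins')") // evaluated before the body runs
    @GetMapping("/update2")
    public String update2() { return "hello update2"; }

    // Evaluated AFTER the body runs: the println (or any database write placed here)
    // happens even though the demo user lacks both authorities and is refused.
    @PostAuthorize("hasAnyAuthority('admins4','admins5')")
    @GetMapping("/update3")
    public String update3() {
        System.out.println("update3 body executed");
        return "hello update3";
    }
}
```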

@PostFilter annotation

Note that @PostFilter can only be used when the return value of the controller method is a collection.

The function of @PostFilter: when the controller method returns a collection, the annotation filters that collection before it is output.

When @PostFilter is used, Spring Security removes every element for which the annotation's expression evaluates to false.

@PostFilter is placed on the controller method together with a filter expression. In that expression, filterObject is a built-in variable available to @PreFilter and @PostFilter that refers to the current element of the collection. The browser then receives the filtered collection.

@PreFilter annotation

Note: @PreFilter can only be used when a parameter of the controller method is a collection type.

The function of @PreFilter: it filters the collection parameter of the controller method before the method runs.

When I tested this annotation, it was the only one of the five that I could not test successfully. Therefore, I went to Baidu to find another blogger's summary of this annotation and pasted it directly below. If anyone knows how to test this annotation, please enlighten me.

The text found on Baidu is as follows:

filterObject is a built-in expression used with @PreFilter and @PostFilter that represents the current object in the collection. When the method annotated with @PreFilter has more than one collection-type parameter, the filterTarget property of @PreFilter must specify which parameter @PreFilter filters. For example, the following code uses filterTarget to specify that this @PreFilter filters the parameter ids:

   @PreFilter(filterTarget="ids", value="filterObject%2==0")
   public void delete(List<Integer> ids, List<String> usernames) {
      ...
   }
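As an added example covering both the @PostFilter and @PreFilter sections above (not the post's or the quoted blogger's code), the controller below filters a returned list with @PostFilter and filters the ids parameter with @PreFilter using filterTarget. The Item class, the endpoint paths and the sample data are constructed assumptions; it assumes prePostEnabled = true is already set on a configuration class.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.web.bind.annotation.*;

// Assumption: @EnableGlobalMethodSecurity(prePostEnabled = true) is present on a
// configuration class, so @PreFilter and @PostFilter are active.
@RestController
class FilterController {

    // @PostFilter runs AFTER the body: each element of the returned list is bound to
    // filterObject and dropped when the expression is false. Here only the records
    // owned by the logged-in user survive; the owners are constructed sample data.
    @PostFilter("filterObject.owner == authentication.name")
    @GetMapping("/items")
    public List<Item> items() {
        List<Item> all = new ArrayList<>();
        all.add(new Item(1, "alice"));
        all.add(new Item(2, "bob"));
        all.add(new Item(3, "alice"));
        return all;   // alice receives ids 1 and 3; bob receives only id 2
    }

    // @PreFilter runs BEFORE the body: elements of the chosen argument that fail the
    // expression are removed, so the body never sees them. filterTarget is required
    // because two collection parameters exist, and the argument must be a mutable
    // collection because Spring Security clears it and re-adds the kept elements.
    @PreFilter(filterTarget = "ids", value = "filterObject % 2 == 0")
    @PostMapping("/delete")
    public String delete(@RequestParam List<Integer> ids, @RequestParam List<String> usernames) {
        // With ids=1,2,3,4 the body receives [2, 4]; usernames is left untouched.
        return "deleting " + ids + " for " + usernames;
    }

    // Plain value holder read by the @PostFilter expression through getOwner().
    public static class Item {
        private final int id;
        private final String owner;
        public Item(int id, String owner) { this.id = id; this.owner = owner; }
        public int getId() { return id; }
        public String getOwner() { return owner; }
    }
}
```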

Origin blog.csdn.net/qq_45950109/article/details/112982204