Article Directory
- Use of @Secured, @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter in user authorization
- First, master the meaning of a few English words
- Where is it used?
- Enable annotations for Spring Security
- @Secured annotation
- @PreAuthorize annotation (authority authentication before access method)
- @PostAuthorize annotation (authority authentication after access method)
- @PostFilter annotation
- @PreFilter annotation
Use of @Secured, @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter in user authorization
First, master the meaning of a few English words
Authorize: authorization
Authentication: authentication
Secured: protected
Where is it used?
These five annotations are all placed on methods in the controller, as shown below:
Enable annotations for Spring Security
First, enable the annotations in the startup class or in a configuration class (one annotated with @Configuration), because Spring Security leaves method-level annotations disabled by default. To enable them, add @EnableGlobalMethodSecurity to the startup class or configuration class;
To enable @Secured, add @EnableGlobalMethodSecurity(securedEnabled = true) to the startup class or configuration class; to enable @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter, add @EnableGlobalMethodSecurity(prePostEnabled = true) to the configuration class;
Therefore, to use all five annotations, first add @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true) to the startup class, which enables the five annotations in Spring Security, and then use them on the methods. Enabling the annotations on the class looks as shown below:
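As an added example (not the post's own configuration), the following class enables all five annotations and registers the user used throughout this post, holding the role ROLE_xzy and the authority admins. The user name, password and the use of InMemoryUserDetailsManager in place of a hand-written UserDetailsService are assumptions; the post's author wrote a custom implementation class instead.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example: turns on @Secured (securedEnabled) and the four
// @Pre*/@Post* annotations (prePostEnabled) in one place.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class MethodSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Never store plain-text passwords; BCrypt is the usual default.
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // "ROLE_xzy" satisfies @Secured("ROLE_xzy"): role checks need the ROLE_ prefix.
        // "admins" satisfies hasAuthority('admins') in @PreAuthorize / @PostAuthorize.
        // User name and password are assumed sample values.
        return new InMemoryUserDetailsManager(
                User.withUsername("lucy")
                        .password(encoder.encode("123"))
                        .authorities("ROLE_xzy", "admins")
                        .build());
    }
}
```

In Spring Security 6 this annotation is deprecated in favour of @EnableMethodSecurity, where prePostEnabled is already on by default and securedEnabled still has to be set explicitly.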
@Secured annotation
What @Secured does: when the user sends a request from the browser, the request goes to a method in the controller. Before that method runs, Spring Security checks whether the user object returned by the implementation method of the UserDetailsService user details implementation class has the role named in @Secured. If it has that role, the user is allowed to call the controller method; otherwise access to the controller method is denied. Note that a role name set in @Secured must carry the ROLE_ prefix; as shown below:
The situation in the UserDetailsService user details implementation class is as follows:
The user in UserDetailsService has the role ROLE_xzy, so it can access the update method in the controller. The result in the browser is as follows:
@PreAuthorize annotation (authority authentication before access method)
What @PreAuthorize does: after the browser sends a request, the request goes to the corresponding method in the controller. @PreAuthorize performs the permission check before that controller method runs, by looking at whether the user from the UserDetailsService user details implementation class has the required authority. If it does, the request is allowed into the controller method; if it does not, the request is not allowed into the controller method;
The use of @PreAuthorize annotation is as follows:
The situation in the UserDetailsService user details implementation class is as follows:
The user in UserDetailsService has the admins permission, so it can access the update2 method in the controller. The result in the browser is as follows:
@PostAuthorize annotation (authority authentication after access method)
What @PostAuthorize does: the relevant controller method is executed first (the check is not done before the method runs), and only then is the permission check performed to see whether the user from the UserDetailsService user details implementation class has the required permission. If so, the final return statement of the controller method takes effect; otherwise the final return statement of the controller method does not take effect;
The use of @PostAuthorize annotation is as follows:
The situation in the UserDetailsService user details implementation class is as follows:
Because the user in the user details implementation class has only the admins permission and neither admins4 nor admins5, the return statement in the controller does not take effect. The result after requesting the page in the browser is as follows:
You can then see in IDEA's console that the statements inside the update3 method were executed and printed, as shown below:
This means that with @PostAuthorize, the controller method runs first, and the authorization check happens when its final return is reached;
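The three checks described above, as an added example that is not the post's own controller (the method names update, update2 and update3 follow the post; the paths and messages are assumed). It also shows why the @PostAuthorize ordering matters for a defender: the body runs to completion and only then does Spring Security throw AccessDeniedException and discard the return value, so any side effect in the body has already happened when the caller receives the 403.

```java
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example controller; user "lucy" from the configuration example holds
// ROLE_xzy and admins, so /update and /update2 succeed and /update3 is denied.
@RestController
public class TestController {

    // Checked BEFORE the body runs. @Secured compares plain role names, so the
    // ROLE_ prefix must be written out; any one of the listed roles is enough.
    @Secured({"ROLE_xzy", "ROLE_admin"})
    @GetMapping("/update")
    public String update() {
        return "hello update";
    }

    // Checked BEFORE the body runs, using a SpEL expression rather than a role list.
    @PreAuthorize("hasAuthority('admins')")
    @GetMapping("/update2")
    public String update2() {
        return "hello update2";
    }

    // Checked AFTER the body runs. The println below is reached even for a user
    // who lacks admins4/admins5; the expression is evaluated once the method
    // returns, and returnObject refers to the value it returned. Because the
    // body always executes, keep @PostAuthorize off methods that write state.
    @PostAuthorize("hasAnyAuthority('admins4', 'admins5') and returnObject != null")
    @GetMapping("/update3")
    public String update3() {
        System.out.println("update3 body executed before the @PostAuthorize check");
        return "hello update3";
    }
}
```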
@PostFilter annotation
Note that @PostFilter can only be used when the return value of the controller method is a collection;
What @PostFilter does: if the controller method returns a collection, this annotation filters the returned collection before it is output;
Use @PostFilter to filter a collection-typed return value. When @PostFilter is used, Spring Security removes every element for which the expression evaluates to false.
The use of @PostFilter annotation is as follows:
The filterObject in the figure above is a built-in expression variable for @PreFilter and @PostFilter; it refers to the current element of the collection.
The corresponding result in the browser is as follows:
@PreFilter annotation
Note: @PreFilter can only be used when a parameter of the controller method is a collection type
What @PreFilter does: it filters the parameters of the controller method;
When I tested this annotation, it was the only one of the five that I could not get to work. So I searched Baidu for other bloggers' summaries of this annotation and pasted one directly below. If anyone knows how to test this annotation, please enlighten me;
The text from Baidu is pasted as follows:
filterObject is a built-in expression variable for @PreFilter and @PostFilter; it refers to the current element of the collection. When the method annotated with @PreFilter has more than one collection-typed parameter, the filterTarget property of @PreFilter must specify which parameter this @PreFilter filters.
For example, the following code uses filterTarget to specify that this @PreFilter filters the parameter ids:
@PreFilter(filterTarget="ids", value="filterObject%2==0")
public void delete(List<Integer> ids, List<String> usernames) {
...
}
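The @PostFilter section above and the quoted @PreFilter snippet, worked through as one added example (neither the post's nor the quoted blogger's code; class, paths and sample rows are assumed). The @PostFilter keeps only the rows owned by the logged-in user, and the @PreFilter keeps only the even ids, matching the quoted filterObject%2==0 expression. One caveat worth knowing when a @PreFilter test fails: Spring Security filters the argument collection in place (clear, then addAll the retained elements), so the parameter must be a mutable collection such as ArrayList; an immutable list throws UnsupportedOperationException.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Added example controller (assumed names). filterObject is Spring Security's
// built-in variable for the element currently being tested.
@RestController
public class FilterController {

    // Elements whose expression is false are removed from the returned list.
    // Logged in as "lucy", the caller receives only ids 1 and 3.
    @PostFilter("filterObject.owner == authentication.name")
    @GetMapping("/getAll")
    public List<UserInfo> getAll() {
        List<UserInfo> list = new ArrayList<>();   // constructed sample rows
        list.add(new UserInfo(1, "lucy"));
        list.add(new UserInfo(2, "mary"));
        list.add(new UserInfo(3, "lucy"));
        return list;
    }

    // Two collection parameters, so filterTarget must name the one to filter.
    // Spring MVC binds @RequestParam lists to ArrayList, which the in-place
    // filter can modify; ids=1,2,3,4 reaches the body as [2, 4].
    @PreFilter(filterTarget = "ids", value = "filterObject % 2 == 0")
    @PostMapping("/delete")
    public String delete(@RequestParam List<Integer> ids,
                         @RequestParam List<String> usernames) {
        return "deleting ids " + ids;
    }

    // Public getters so both SpEL (filterObject.owner) and JSON can read the fields.
    public static class UserInfo {
        private final int id;
        private final String owner;
        UserInfo(int id, String owner) { this.id = id; this.owner = owner; }
        public int getId() { return id; }
        public String getOwner() { return owner; }
    }
}
```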