Spring Security: method-level permissions

Earlier we covered URL-based access control with the <security:intercept-url> configuration; this post explains the method-based authorization approach.
By default, Spring Security does not enable method-level security; it has to be switched on explicitly. Once method-level control is enabled, you can set different access conditions for different methods with annotations.
Spring Security supports three annotation styles: the JSR-250 annotations, the @Secured annotation, and the pre/post annotations (enabled by prePostEnabled). They can be placed directly on controller methods, and also on Service or DAO classes and methods.

To enable method-level control, add the @EnableGlobalMethodSecurity annotation to the configuration class that extends WebSecurityConfigurerAdapter; the parameters of @EnableGlobalMethodSecurity select which annotation styles are turned on.

===================================
JSR-250 annotations
===================================
@EnableGlobalMethodSecurity(jsr250Enabled = true) enables the JSR-250 annotations.

@DenyAll denies all access.
@PermitAll permits all access.
@RolesAllowed({"USER", "ADMIN"}) allows access only to users with the ROLE_USER or ROLE_ADMIN role (the ROLE_ prefix is added automatically).


===================================
@Secured annotation
===================================
@EnableGlobalMethodSecurity(securedEnabled = true) enables the @Secured annotation.
Only users whose roles satisfy the annotation can call the annotated method; otherwise an AccessDeniedException is thrown.
Examples:
@Secured({"ROLE_TELLER", "ROLE_ADMIN"}) allows access only to users with the ROLE_TELLER or ROLE_ADMIN role (no prefix is added here, so the full role name is required).
@Secured("IS_AUTHENTICATED_ANONYMOUSLY") allows anonymous users to access the method.


===================================
@PreAuthorize-style annotations (Spring expression support)
===================================
@EnableGlobalMethodSecurity(prePostEnabled = true) enables the pre/post annotations.
The JSR-250 and @Secured annotations are weaker because they do not support Spring EL expressions, so the @PreAuthorize family is recommended.
There are four annotations in this family:
@PreAuthorize: evaluated before the method is called; the result of the expression decides whether the call is allowed.
@PostAuthorize: the method is called, but if the expression evaluates to false afterwards, a security exception is thrown.
@PostFilter: the method is called, and the returned collection is filtered according to the expression.
@PreFilter: the method is called, but the input collection parameter is filtered according to the expression before the method body runs.

Examples:
@PreAuthorize("hasRole('ADMIN')")   // the caller must have the ROLE_ADMIN role
public void addBook(Book book);

// the caller must have both the ROLE_ADMIN and the ROLE_DBA role
@PreAuthorize("hasRole('ADMIN') AND hasRole('DBA')")
public void addBook(Book book);

// the owner property of the book parameter must equal the logged-in user's name
@PreAuthorize("#book.owner == authentication.name")
public void deleteBook(Book book);

// the owner property of the returned Book must equal the logged-in user's name
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook();
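As an added example that is not part of the original post, the following puts all four pre/post annotations on a hypothetical BookService and enables them in the configuration class. Book, BookService and the in-memory store are assumptions made for illustration; the filter annotations use the reserved name filterObject for each collection element, and both filters need a mutable collection because elements are removed in place.

```java
import java.util.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Enable the annotation styles on the security configuration class (all three can be on at once).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig extends WebSecurityConfigurerAdapter {
}

// Hypothetical domain object; "owner" holds the username of the user who created the book.
class Book {
    private final String owner, title;
    Book(String owner, String title) { this.owner = owner; this.title = title; }
    public String getOwner() { return owner; }
    public String getTitle() { return title; }
}

@Service
class BookService {
    private final Map<String, Book> store = new HashMap<>();   // hypothetical in-memory store

    // Checked before the call: the caller must hold ROLE_ADMIN (hasRole adds the ROLE_ prefix).
    @PreAuthorize("hasRole('ADMIN')")
    public void addBook(Book book) { store.put(book.getTitle(), book); }

    // Checked before the call: #book is the method parameter; only its owner may delete it.
    @PreAuthorize("#book.owner == authentication.name")
    public void deleteBook(Book book) { store.remove(book.getTitle()); }

    // Checked after the call: returnObject is the returned Book; a mismatch throws AccessDeniedException.
    // The null guard matters: "returnObject.owner" on a null return would fail the expression itself.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Book getBook(String title) { return store.get(title); }

    // Applied after the call: filterObject is each element; other users' books are removed from the list.
    @PostFilter("filterObject.owner == authentication.name")
    public List<Book> listBooks() { return new ArrayList<>(store.values()); }

    // Applied before the call: elements the caller does not own are removed from the (mutable) input list.
    @PreFilter("filterObject.owner == authentication.name")
    public void deleteBooks(List<Book> books) { books.forEach(b -> store.remove(b.getTitle())); }
}
```

These rules can be verified in a Spring test by calling the service under @WithMockUser (from spring-security-test) and asserting that AccessDeniedException is thrown or that the filtered collection contains only the caller's books.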


===================================
@PreAuthorize expressions
===================================
1. The reserved name returnObject
In @PostAuthorize and @PostFilter expressions, the reserved name returnObject refers to the return value of the annotated method, so it can be used to validate the method's result.
For example:
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook();

2. The # expression
In an expression, #argument123 refers to the parameter named argument123 of the annotated method.
For example:
@PreAuthorize("#book.owner == authentication.name")
public void deleteBook(Book book);

Another way to write #argument123 is to give the method parameter an alias with Spring Security's @P annotation and use that alias in the @PreAuthorize expression. This approach is not recommended because it hurts code readability.
@PreAuthorize("#c.name == authentication.name")
public void doSomething(@P("c") Contact contact);


3. Built-in expressions:

Expression                                                     Remarks
hasRole([role])                                                true if the current user has the role (the ROLE_ prefix is added automatically)
hasAnyRole([role1, role2])                                     true if the current user has any of the listed roles (the ROLE_ prefix is added automatically)
hasAuthority([authority])                                      true if the current user has the specified authority (no prefix is added)
hasAnyAuthority([authority1, authority2])                      true if the current user has any of the listed authorities
principal                                                      the current user's principal object
authentication                                                 the current user's Authentication object
permitAll                                                      always true: everyone is allowed
denyAll                                                        always false: everyone is refused
isAnonymous()                                                  true for anonymous access
isRememberMe()                                                 true if the user was authenticated by remember-me
isAuthenticated()                                              true if the access is not anonymous
isFullyAuthenticated()                                         true if the user is neither anonymous nor remember-me authenticated (logged in with credentials)
hasPermission(Object target, Object permission)                evaluated by the configured PermissionEvaluator
hasPermission(Object target, String targetType, Object permission)   evaluated by the configured PermissionEvaluator


Source: www.cnblogs.com/zhouyanger/p/12108740.html