Spring Security in Practice

1. Introduction
Welcome to the Spring Security in Practice [1] series. In the previous article, Role-Based Interface Access Control [2], we explained how to configure role-based access control for interfaces with the javaConfig approach. There is, in fact, a more flexible annotation-based configuration, and that is what we explore today. How to obtain the DEMO is described at the end of the article.

2. Spring Security method security
Spring Security's annotation-based security is applied by marking the relevant methods with security annotations.

2.1 Enabling global method security
We can put @EnableGlobalMethodSecurity on any @Configuration class to enable global security annotations. This annotation offers three different mechanisms for the same purpose, so it deserves a chapter of its own.

3. The @EnableGlobalMethodSecurity annotation
import java.lang.annotation.Documented;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.authentication.configuration.EnableGlobalAuthentication;

@Retention(value = java.lang.annotation.RetentionPolicy.RUNTIME)
@Target(value = { java.lang.annotation.ElementType.TYPE })
@Documented
@Import({ GlobalMethodSecuritySelector.class })
@EnableGlobalAuthentication
@Configuration
public @interface EnableGlobalMethodSecurity {

        /**
         * Expression-based method access control
         */
        boolean prePostEnabled() default false;

        /**
         * @Secured annotation based
         */
        boolean securedEnabled() default false;

        /**
         * JSR-250 annotation based
         */
        boolean jsr250Enabled() default false;

        /**
         * Use CGLIB subclass proxies instead of JDK interface proxies
         */
        boolean proxyTargetClass() default false;

        /**
         * Ordering of the security advisor relative to other advisors
         */
        int order() default Ordered.LOWEST_PRECEDENCE;
}
The @EnableGlobalMethodSecurity source shows three switches: prePostEnabled, securedEnabled and jsr250Enabled. When we turn on annotation-based method security, we choose one, several or all of them through @EnableGlobalMethodSecurity. Next we introduce each of them.

4. Using prePostEnabled
Setting prePostEnabled = true in @EnableGlobalMethodSecurity enables expression-based method security: a boolean expression decides whether the call is allowed (true grants, false denies). Sometimes you need more complex setup when enabling prePostEnabled. For such cases you can extend GlobalMethodSecurityConfiguration, making sure the subclass carries @EnableGlobalMethodSecurity(prePostEnabled = true). For example, to supply a custom MethodSecurityExpressionHandler:

import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        // create and return a custom MethodSecurityExpressionHandler;
        // the default one is used here as a stand-in for your own customization
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        return expressionHandler;
    }
}
The example above is an advanced operation that is not generally needed. Whether or not you extend GlobalMethodSecurityConfiguration, prePostEnabled turns on four annotations: @PreAuthorize and @PostAuthorize control whether the method call is allowed, while @PreFilter and @PostFilter control the data.

4.1 @PreAuthorize
Marks a method so that, before it is called, an expression is evaluated to decide whether the caller is authorized. The commonly used expression styles are summarized below.

Expressions based on the SecurityExpressionOperations interface, the same ones used in the javaConfig configuration of the article [3]. Example: @PreAuthorize("hasRole('ADMIN')") requires the ROLE_ADMIN role.
Expressions based on UserDetails, which define additional checks against the current user. Example: @PreAuthorize("principal.username.startsWith('Felordcn')") allows only users whose username begins with Felordcn.
Expressions based on the method parameters, processed by SpEL. See the official documentation for SpEL; related material is also available from the public account Felordcn. Example: @PreAuthorize("#id.equals(principal.username)") requires the incoming id parameter to equal the current username.
4.2 @PostAuthorize
Marks a method so that, after it is called, an expression is evaluated to decide whether the caller is authorized. This annotation is the counterpart of @PreAuthorize; the difference is that the method body runs first and the expression is evaluated afterwards. If the method has no return value this is roughly equivalent to no access control at all; if it has one, the return value is the actual result of the user's operation, but it is not delivered as a successful response.
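The following added example (not code from the original post or its DEMO) puts the three @PreAuthorize expression styles from 4.1 and the @PostAuthorize return-value check from 4.2 on one service. It assumes a configuration class with @EnableGlobalMethodSecurity(prePostEnabled = true), a UserDetails principal, and the hypothetical package cn.felord.demo.security, class ReportService and nested class Report, none of which appear in the article. The #owner parameter reference needs the parameter name at runtime, so compile with -parameters or annotate the parameter with @P("owner").

```java
package cn.felord.demo.security; // hypothetical package

import java.util.UUID;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

/**
 * Hypothetical service showing the three @PreAuthorize expression styles
 * and a @PostAuthorize check on the return value.
 */
@Service
public class ReportService {

    /** Constructed domain object; 'owner' is the username that owns the report. */
    public static class Report {
        private final String id;
        private final String owner;

        public Report(String id, String owner) {
            this.id = id;
            this.owner = owner;
        }

        public String getId() { return id; }

        public String getOwner() { return owner; }
    }

    // 1. SecurityExpressionOperations style: the caller must hold ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public int deleteAll() {
        return 0; // constructed: number of deleted reports
    }

    // 2. UserDetails style: only principals whose username starts with "Felordcn" may call.
    @PreAuthorize("principal.username.startsWith('Felordcn')")
    public String exportAudit() {
        return "audit-export";
    }

    // 3. Parameter style: the 'owner' argument (#owner) must equal the current username,
    //    so a user cannot create reports on behalf of someone else.
    @PreAuthorize("#owner == principal.username")
    public Report createFor(String owner) {
        return new Report(UUID.randomUUID().toString(), owner);
    }

    // @PostAuthorize: the body runs first, then 'returnObject' is checked. If the expression
    // is false an AccessDeniedException is thrown and the caller never receives the Report,
    // but any side effects of the body (a database write, an audit entry) have already happened.
    @PostAuthorize("returnObject.owner == principal.username or hasRole('ADMIN')")
    public Report findById(String id) {
        // constructed lookup: every report in this demo is owned by "felord"
        return new Report(id, "felord");
    }
}
```

Because @PostAuthorize only hides the result after the work is done, it is the right tool for read operations whose authorization depends on the loaded object (ownership checks); for writes, a @PreAuthorize on the parameters is preferable so that an unauthorized call never executes.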

4.3 @PreFilter
Filters a method argument according to an expression evaluated over its elements. Use with caution when paging! The filtering happens before the interface receives the parameter. The parameter must be a java.util.Collection that supports remove(Object). If there are several collection parameters, specify the one to filter with filterTarget = <parameter name>. The built-in name filterObject refers to the collection element currently being evaluated by the filter expression.

Example:

// the Collection<String> ids parameter holds the test data ["Felordcn", "felord", "Jetty"]

// felord and Jetty are filtered out; Felordcn remains
@PreFilter(value = "filterObject.startsWith('F')", filterTarget = "ids")
// if the current user holds ROLE_AD nothing is filtered; otherwise elements not beginning with 'F' are removed
// the DEMO user does not hold ROLE_AD, so the collection is left with Felordcn only
@PreFilter("hasRole('AD') or filterObject.startsWith('F')")
4.4 @PostFilter
Unlike @PreFilter, this filters the return value according to an expression evaluated over its elements. Use with caution when paging! The filtering happens before the interface returns the data. Testing is similar to @PreFilter; see the DEMO provided at the end of the article.
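As an added example (not from the original post or its DEMO), the service below shows both filter annotations from 4.3 and 4.4 together: an implicit single-collection @PreFilter, a @PreFilter with filterTarget on a method that has two collection parameters, and a @PostFilter over the returned objects. It assumes @EnableGlobalMethodSecurity(prePostEnabled = true), a UserDetails principal, retained parameter names (compile with -parameters or use @P), and the hypothetical package cn.felord.demo.security, class DocumentService and nested class Doc, which are not in the article.

```java
package cn.felord.demo.security; // hypothetical package

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

/**
 * Hypothetical service showing @PreFilter (argument filtering) and @PostFilter (result filtering).
 */
@Service
public class DocumentService {

    /** Constructed domain object; 'owner' is read by SpEL as filterObject.owner. */
    public static class Doc {
        private final String id;
        private final String owner;

        public Doc(String id, String owner) {
            this.id = id;
            this.owner = owner;
        }

        public String getId() { return id; }

        public String getOwner() { return owner; }
    }

    // A single collection parameter is the implicit filter target. The caller must pass a
    // mutable collection, because the filter calls remove(Object) on it; List.of(...) or
    // Arrays.asList(...) would throw UnsupportedOperationException.
    // With ids = ["Felordcn", "felord", "Jetty"] the body receives ["Felordcn"].
    @PreFilter("filterObject.startsWith('F')")
    public List<String> keepOnlyF(List<String> ids) {
        return new ArrayList<>(ids);
    }

    // Two collection parameters: filterTarget picks 'ids'; 'labels' is passed through untouched.
    // A caller holding ROLE_AD sees nothing removed; anyone else only keeps ids starting with 'F'.
    @PreFilter(value = "hasRole('AD') or filterObject.startsWith('F')", filterTarget = "ids")
    public List<String> label(List<String> ids, List<String> labels) {
        List<String> out = new ArrayList<>();
        for (String id : ids) {
            out.add(id + ":" + String.join(",", labels));
        }
        return out;
    }

    // @PostFilter runs after the body: the full list is built (in real code, fetched from the
    // database) and only then reduced to what the caller may see. This is why paging needs care:
    // the page size is counted before filtering, so pages can come back short or empty.
    @PostFilter("filterObject.owner == principal.username or hasRole('ADMIN')")
    public List<Doc> findAll() {
        // constructed sample data; the returned collection must be mutable as well
        return new ArrayList<>(Arrays.asList(
                new Doc("1", "Felordcn"),
                new Doc("2", "felord"),
                new Doc("3", "jetty")));
    }
}
```

For a user named felord without ROLE_ADMIN, findAll() returns only Doc "2"; an ADMIN sees all three. When the result set is large, push the ownership condition into the query instead of relying on @PostFilter, so that only authorized rows are loaded in the first place.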

5. Using securedEnabled
Setting securedEnabled = true in @EnableGlobalMethodSecurity enables the role annotation @Secured. This annotation is much simpler: by default it makes access decisions only on a set of roles (which by default must carry the ROLE_ prefix).

The mechanism is that access is granted as long as any role in the annotation's declared set (value) is among the roles held by the current user; in other words, the user's role set and the @Secured role set must have a non-empty intersection. SpEL expressions are not supported for the decision.

6. Using jsr250Enabled
This enables JSR-250 annotation-based security control. JSR-250 is a JavaEE security specification (now under the jakarta project) that defines five security annotations in total. Setting jsr250Enabled = true in @EnableGlobalMethodSecurity enables the following three of them:

@DenyAll denies all access
@PermitAll permits all access
@RolesAllowed is used the same way as @Secured in section 5.
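Since the three switches can be combined, the following added example (not from the original post or the author's DEMO) enables all of them at once, uses @Secured, @RolesAllowed, @PermitAll and @DenyAll on one service, and checks the decisions with spring-security-test's @WithMockUser. It assumes Spring Boot 2.x with Spring Security 5.x, spring-security-test and JUnit 5 on the classpath, a @SpringBootApplication class in the hypothetical cn.felord.demo.security package hierarchy, and the class names AllAnnotationsConfig, AccountService and AccountServiceTests, none of which appear in the article.

```java
package cn.felord.demo.security; // hypothetical package

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

/** Turns on all three mechanisms at once; they may coexist in one application. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
class AllAnnotationsConfig {
}

/** Hypothetical service exercised by the test below. */
@Service
class AccountService {

    // @Secured: access is granted if the caller holds ANY of the listed roles.
    // The value is matched as a full authority name, so the ROLE_ prefix must be written out.
    @Secured({ "ROLE_ADMIN", "ROLE_AUDITOR" })
    public String listAccounts() {
        return "accounts";
    }

    // @RolesAllowed: same "any listed role" semantics as @Secured, but Spring Security adds the
    // ROLE_ prefix itself, so "ADMIN" here means the authority ROLE_ADMIN.
    @RolesAllowed("ADMIN")
    public String closeAccount(String id) {
        return "closed " + id;
    }

    @PermitAll
    public String ping() {
        return "pong";
    }

    // Never callable through the proxy, whatever roles the caller holds.
    @DenyAll
    public String maintenanceOnly() {
        return "unreachable";
    }
}

/** Verifies the decisions; @WithMockUser(roles = "X") grants the authority ROLE_X. */
@SpringBootTest
class AccountServiceTests {

    @Autowired
    AccountService accountService;

    @Test
    @WithMockUser(roles = "AUDITOR")
    void auditorMatchesOneOfTheSecuredRoles() {
        assertEquals("accounts", accountService.listAccounts());
    }

    @Test
    @WithMockUser(roles = "USER")
    void plainUserIsDeniedByRolesAllowed() {
        assertThrows(AccessDeniedException.class, () -> accountService.closeAccount("42"));
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void denyAllRejectsEvenAdmin() {
        assertEquals("pong", accountService.ping());
        assertThrows(AccessDeniedException.class, () -> accountService.maintenanceOnly());
    }
}
```

The test is the useful part for a defender: a method-security annotation that is silently ignored (for example because the matching switch was not enabled, or because the method is called from inside the same bean and bypasses the proxy) will let denyAllRejectsEvenAdmin fail, which is far easier to notice than a missing AccessDeniedException in production.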
7. Summary
Today we explained Spring Security's annotation-based static configuration. Compared with the javaConfig approach it is more flexible and finer-grained, and with SpEL expressions it can express more powerful rules. But both approaches are static programming models and have their limitations; a more flexible approach would handle a dynamic mapping between users' roles and resources, which is a problem we will solve in the future. This article's DEMO


Origin blog.csdn.net/u010395024/article/details/104815643