我不清楚弹簧安全性的区别是什么:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact)
并且
@Secured("ROLE_USER")
public void create(Contact contact)
我知道PreAuthorize可以与spring el合作,但在我的样本中,是否有真正的区别?
答案 0 :(得分:152)
真正的区别在于@PreAuthorize可以与Spring Expression Language (SpEL)一起使用。你可以:
SecurityExpressionRoot。访问方法参数(需要使用调试信息或自定义ParameterNameDiscoverer进行编译):
@PreAuthorize("#contact.name == principal.name")
public void doSomething(Contact contact)
MethodSecurityExpressionHandler并将其设置为<global-method-security><expression-handler ... /></...>)。答案 1 :(得分:43)
如果您只想在用户拥有Role1 和 Role2时访问该方法,那么您必须使用@PreAuthorize
@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")
使用
@Secured({"role1", "role2"}) // is treated as an OR
答案 2 :(得分:35)
简单地说,
@PreAuthorize比@Secured更新。
所以我说最好使用@PreAuthorize,因为它是基于表达式的#34;你可以使用像hasRole,hasAnyRole,permitAll等表达式
要了解表达式,请参阅这些example expressions。
答案 3 :(得分:8)
@PreAuthorize不同,它比@Secured更强大。
较旧的
@Secured注释不允许使用表达式。
从Spring Security 3开始,注释越灵活
@PreAuthorize和@PostAuthorize(以及@PreFilter和 @PostFilter)是首选,因为它们支持Spring Expression 语言(SpEL)并提供基于表达式的访问控制。
@Secured("ROLE_ADMIN")注释与@PreAuthorize ("hasRole('ROLE_ADMIN')")相同。
@Secured({"ROLE_USER","ROLE_ADMIN")被视为ROLE_USER 或 ROLE_ADMIN。
因此您无法使用
表达AND条件<强> @Secured 即可。您可以使用
@PreAuthorize("hasRole('ADMIN OR hasRole('USER')")定义相同的内容,这样更容易 了解。您也可以表达 AND,OR或NOT(!)。@PreAuthorize (&#34;!isAnonymous()AND hasRole(&#39; ADMIN&#39;)&#34;)
答案 4 :(得分:2)
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| | @Secured | @PreAuthorize |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions | Does'nt supports. | Supports |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Multiple roles conjunctions with AND operator | Does'nt supports.(If there are multiple roles defined | Supports |
| |they will be automatically combined with OR operator) | |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation | Add following line to spring-security.xml | Add following line to spring-security.xml |
| | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/> |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example | @Secured({ROLE_ADMIN , ROLE_USER}) | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
| | public void addUser(UserInfo user){...} | public void addUser(UserInfo user){...} |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+