@RolesAllowed vs. @PreAuthorize vs. @Secured

Updated: 2024-10-26 10:29:42

Problem description

I have a basic Spring Boot app, using Spring Initializer, embedded Tomcat, the Thymeleaf template engine, and packaged as an executable JAR file.

I want to secure a controller:

@Controller
@RequestMapping("/company")
@RolesAllowed({"ROLE_ADMIN"})
@PreAuthorize("hasRole('ADMIN')")
@Secured("ADMIN")
public class CompanyController {
}

I know that there are different options, but I don't really know which I should use.

Recommended answer

Security Annotations

@PreAuthorize, @RolesAllowed and @Secured are all annotations that allow you to configure method security. They can be applied either to individual methods or at class level; in the latter case the security constraints are applied to all methods in the class.

Method-level security is implemented using Spring AOP proxies.

The @PreAuthorize annotation allows you to specify access constraints on a method using the Spring Expression Language (SpEL). These constraints are evaluated prior to the method being executed and may result in execution of the method being denied if the constraints are not fulfilled. The @PreAuthorize annotation is part of the Spring Security framework.

In order to be able to use @PreAuthorize, the prePostEnabled attribute in the @EnableGlobalMethodSecurity annotation needs to be set to true:

@EnableGlobalMethodSecurity(prePostEnabled=true)

@RolesAllowed

The @RolesAllowed annotation has its origin in the JSR-250 Java security standard. This annotation is more limited than the @PreAuthorize annotation because it only supports role-based security.

In order to use the @RolesAllowed annotation, the library containing this annotation needs to be on the classpath, as it is not part of Spring Security. In addition, the jsr250Enabled attribute of the @EnableGlobalMethodSecurity annotation needs to be set to true:

@EnableGlobalMethodSecurity(jsr250Enabled=true)

@Secured

The @Secured annotation is a legacy Spring Security 2 annotation that can be used to configure method security. It supports more than only role-based security, but does not support using Spring Expression Language (SpEL) to specify security constraints. It is recommended to use the @PreAuthorize annotation in new applications over this annotation.

Support for the @Secured annotation needs to be explicitly enabled in the @EnableGlobalMethodSecurity annotation using the securedEnabled attribute:

@EnableGlobalMethodSecurity(securedEnabled=true)

Which security annotations allow the use of SpEL

The following table shows the support for Spring Expression Language in the security annotations that can be used with Spring Security 5:

╔═════════════════════╦═══════════════════╗
║ Security Annotation ║ Has SpEL Support? ║
╠═════════════════════╬═══════════════════╣
║ @PreAuthorize       ║ yes               ║
╠═════════════════════╬═══════════════════╣
║ @PostAuthorize      ║ yes               ║
╠═════════════════════╬═══════════════════╣
║ @PreFilter          ║ yes               ║
╠═════════════════════╬═══════════════════╣
║ @PostFilter         ║ yes               ║
╠═════════════════════╬═══════════════════╣
║ @Secured            ║ no                ║
╠═════════════════════╬═══════════════════╣
║ @RolesAllowed       ║ no                ║
╚═════════════════════╩═══════════════════╝
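
The three annotations from the answer side by side, together with the configuration that enables each of them, as an added example that is not code from the original question or answer. It assumes Spring Security 5 with the javax.annotation JSR-250 API on the classpath; MethodSecurityConfig and the handler methods and paths are hypothetical.

```java
import javax.annotation.security.RolesAllowed;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Each annotation family has its own switch. With at least one switch on,
// annotations from a family left off are silently ignored, which leaves the
// methods carrying them unprotected.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true, securedEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical handlers; only the class name and base path come from the question.
@Controller
@RequestMapping("/company")
@ResponseBody
class CompanyController {

    // JSR-250: role names only (role written as in the question).
    @RolesAllowed({"ROLE_ADMIN"})
    @GetMapping("/jsr250")
    public String viaRolesAllowed() { return "admin only"; }

    // Legacy @Secured: plain attribute strings, no expressions. The
    // authority name is spelled out in full, ROLE_ prefix included.
    @Secured("ROLE_ADMIN")
    @GetMapping("/secured")
    public String viaSecured() { return "admin only"; }

    // SpEL: hasRole('ADMIN') prepends the default ROLE_ prefix, so this
    // also requires the ROLE_ADMIN authority.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/preauthorize")
    public String viaPreAuthorize() { return "admin only"; }

    // Only SpEL can express this: admins, or the user named in the path.
    // Assumes parameter names are compiled in (-parameters) so #username resolves.
    @PreAuthorize("hasRole('ADMIN') or #username == authentication.name")
    @GetMapping("/owner/{username}")
    public String viaExpression(@PathVariable("username") String username) { return "data of " + username; }
}
```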

Published: 2023-11-05 06:18:45
Article link: https://www.elefans.com/category/jswz/34/1560128.html