春季安全3中@ secure和@PreAuthorize的区别是什么？

Question

我不清楚弹簧安全性的区别在于:

 @PreAuthorize("hasRole('ROLE_USER')")
 public void create(Contact contact)

和

@Secured("ROLE_USER")
public void create(Contact contact)

我知道PreAuthorize可以与spring el合作,但在我的样本中,是否有真正的区别？

Answer 1

真正的区别在于@PreAuthorize可以使用Spring Expression Language(SpEL).您可以:

• 访问方法和属性SecurityExpressionRoot.

• 访问方法参数(需要使用调试信息或自定义进行编译ParameterNameDiscoverer):

  @PreAuthorize("#contact.name == principal.name")
  public void doSomething(Contact contact)
  

• (高级功能)添加自己的方法(覆盖MethodSecurityExpressionHandler并将其设置为<global-method-security><expression-handler ... /></...>).

Answer 2

如果您只想在用户具有Role1 和 Role2时访问该方法,那么您必须使用@PreAuthorize

@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")

运用

@Secured({"role1", "role2"}) // is treated as an OR

Answer 3

简单来说, @PreAuthorize比新的更新@Secured.

所以我说最好使用@PreAuthorize它,因为它是"基于表达式",你可以使用像hasRole,hasAnyRole,permitAll等表达式.

要了解表达式,请参阅这些示例表达式.

Answer 4

@PreAuthorize不同,它比它更强大@Secured.

• 较旧的@Secured注释不允许使用表达式.

• 从Spring Security 3开始,更灵活的注释 @PreAuthorize和@PostAuthorize(以及@PreFilter和@PostFilter)是首选,因为它们支持Spring Expression Language(SpEL)并提供基于表达式的访问控制.

• @Secured("ROLE_ADMIN")注释与@PreAuthorize ("hasRole('ROLE_ADMIN')").相同.

• 它@Secured({"ROLE_USER","ROLE_ADMIN")被视为ROLE_USER 或 ROLE_ADMIN.

所以你不能使用表达AND条件

@Secured.您可以定义相同的@PreAuthorize("hasRole('ADMIN') OR hasRole('USER')"),更容易理解.您也可以表达AND,OR或NOT(!).

@PreAuthorize("!isAnonymous()AND hasRole('ADMIN')")

Answer 5

+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
|                                               |                         @Secured                         |                         @PreAuthorize                           |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions                         | Does'nt supports.                                        | Supports                                                        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Multiple roles conjunctions with AND operator | Does'nt supports.(If there are multiple roles defined    | Supports                                                        |
|                                               |they will be automatically combined with OR operator)     |                                                                 |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation                          | Add following line to spring-security.xml                | Add following line to spring-security.xml                       |
|                                               | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/>        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example                                       | @Secured({ROLE_ADMIN , ROLE_USER})                       | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
|                                               | public void addUser(UserInfo user){...}                  | public void addUser(UserInfo user){...}                         |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+