What is the difference between @Secured and @PreAuthorize in Spring Security 3?


147

It is not clear to me what the difference is between:

 @PreAuthorize("hasRole('ROLE_USER')")
 public void create(Contact contact)

and

 @Secured("ROLE_USER")
 public void create(Contact contact)

I understand that PreAuthorize can be used with Spring EL, but in my example, is there a real difference?

Answers:


169

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:

  • Access the methods and properties of SecurityExpressionRoot
  • Access method arguments (requires compiling with debug info, or a custom ParameterNameDiscoverer):

    @PreAuthorize("#contact.name == principal.name")
    public void doSomething(Contact contact)
    
  • (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it in <global-method-security><expression-handler ... /></...>).

I had no idea about this, but it looks great! :D
西川阿方索
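The three SpEL features listed in the answer above, as an added example that is not part of the original answer: a hypothetical ContactService uses a SecurityExpressionRoot built-in, compares a method argument against the current Authentication, and calls a method that exists only because a custom MethodSecurityExpressionHandler supplies it. Contact, ContactService, ContactExpressionRoot, ContactExpressionHandler and MethodSecurityConfig are invented names; the block assumes Spring Security 4.x or later with Java config.

```java
// Added example, not from the original answer. Contact, ContactService,
// ContactExpressionRoot, ContactExpressionHandler and MethodSecurityConfig are
// hypothetical. Assumes Spring Security 4.x+ (spring-security-config on the classpath).
package example.methodsecurity;

import java.util.Objects;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

/** Hypothetical domain object: a contact that records which user owns it. */
class Contact {
    private final String name;
    private final String owner;

    Contact(String name, String owner) { this.name = name; this.owner = owner; }
    public String getName() { return name; }
    public String getOwner() { return owner; }
}

class ContactService {

    // (a) Built-ins of SecurityExpressionRoot: hasRole, hasAnyRole, isAuthenticated, ...
    @PreAuthorize("hasRole('ROLE_USER')")
    public void create(Contact contact) { /* ... */ }

    // (b) Method-argument access. "#contact" is resolved by parameter name, so the class
    //     must be compiled with debug info (javac -g) or -parameters, or a custom
    //     ParameterNameDiscoverer must be configured. "authentication.name" is
    //     Authentication.getName(), which works whatever type the principal object is.
    @PreAuthorize("#contact.owner == authentication.name")
    public void update(Contact contact) { /* ... */ }

    // (c) A method we add ourselves through the custom expression root below.
    @PreAuthorize("isOwnerOf(#contact)")
    public void delete(Contact contact) { /* ... */ }
}

/** Expression root that exposes isOwnerOf(contact) inside @PreAuthorize/@PostAuthorize. */
class ContactExpressionRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
    private final Object target;
    private Object filterObject;
    private Object returnObject;

    ContactExpressionRoot(Authentication authentication, Object target) {
        super(authentication);
        this.target = target;
    }

    public boolean isOwnerOf(Contact contact) {
        // A null argument is denied rather than throwing inside the interceptor.
        return contact != null && Objects.equals(contact.getOwner(), getAuthentication().getName());
    }

    @Override public void setFilterObject(Object filterObject) { this.filterObject = filterObject; }
    @Override public Object getFilterObject() { return filterObject; }
    @Override public void setReturnObject(Object returnObject) { this.returnObject = returnObject; }
    @Override public Object getReturnObject() { return returnObject; }
    @Override public Object getThis() { return target; }
}

/** Handler that gives Spring Security our root instead of the default MethodSecurityExpressionRoot. */
class ContactExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    @Override
    protected MethodSecurityExpressionOperations createSecurityExpressionRoot(
            Authentication authentication, MethodInvocation invocation) {
        ContactExpressionRoot root = new ContactExpressionRoot(authentication, invocation.getThis());
        // Keep the default evaluator, trust resolver and role hierarchy so hasRole() etc. still work.
        root.setPermissionEvaluator(getPermissionEvaluator());
        root.setTrustResolver(getTrustResolver());
        root.setRoleHierarchy(getRoleHierarchy());
        root.setDefaultRolePrefix(getDefaultRolePrefix());
        return root;
    }
}

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new ContactExpressionHandler();
    }

    @Bean
    public ContactService contactService() { return new ContactService(); }
}
```

The XML equivalent of MethodSecurityConfig is `<global-method-security pre-post-annotations="enabled"><expression-handler ref="contactExpressionHandler"/></global-method-security>` with ContactExpressionHandler declared as a bean. If you cannot control compiler flags, Spring Security's `@P("contact")` parameter annotation names the argument explicitly. Note that the checks only run when the call goes through the Spring proxy: a direct `new ContactService()` or a self-invocation from another method of the same bean bypasses the interceptor entirely.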

52

If you only want to allow access to the method when the user has both Role1 and Role2, then you have to use @PreAuthorize

@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")

whereas using

@Secured({"role1", "role2"}) // is treated as an OR

40

In short, @PreAuthorize is more powerful than @Secured.

So I would say it is better to use @PreAuthorize, because it is "expression-based" and you can use expressions such as hasRole, hasAnyRole, permitAll, etc.

To learn about the expressions, see the following example expressions


13

@PreAuthorize is different; it is more powerful than @Secured.

  • The older @Secured annotation does not allow expressions to be used.

  • Since Spring Security 3, the more flexible annotations @PreAuthorize and @PostAuthorize (as well as @PreFilter and @PostFilter) are preferred, because they support Spring Expression Language (SpEL) and provide expression-based access control.

  • The @Secured("ROLE_ADMIN") annotation is the same as @PreAuthorize("hasRole('ROLE_ADMIN')")

  • @Secured({"ROLE_USER","ROLE_ADMIN"}) is treated as ROLE_USER OR ROLE_ADMIN.

So you cannot express an AND condition using @Secured. You can define the same thing with @PreAuthorize("hasRole('ADMIN') OR hasRole('USER')"), which is easier to understand. You can also express AND, OR or NOT (!)

@PreAuthorize("!isAnonymous() AND hasRole('ADMIN')")


1
When you reverted my edit, were you saying that there is no error in "hasRole('ADMIN OR hasRole('USER')"?

8
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
|                                               |                         @Secured                         |                         @PreAuthorize                           |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions                         | Doesn't support.                                         | Supports                                                        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Conjunction of multiple roles (AND operator)  | Doesn't support. (If multiple roles are defined          | Supports                                                        |
|                                               | they are automatically combined with OR)                 |                                                                 |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation                          | Add following line to spring-security.xml                | Add following line to spring-security.xml                       |
|                                               | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/>        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example                                       | @Secured({"ROLE_ADMIN", "ROLE_USER"})                    | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
|                                               | public void addUser(UserInfo user){...}                  | public void addUser(UserInfo user){...}                         |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
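The OR-versus-AND difference described in the second answer, the fourth answer and the table above, as an added example that is not part of any of those answers: a hypothetical AuditService carries the same two roles once as @Secured (either role is enough) and once as @PreAuthorize (both are required), both annotation styles are enabled in one configuration, and a main method calls the secured bean under two different principals. AuditService, MethodSecurityConfig, the user and role names are invented; the block assumes Spring Security 4.x or later with Java config.

```java
// Added example, not from the original answers. AuditService, MethodSecurityConfig and the
// role names are hypothetical. Assumes Spring Security 4.x+ (spring-security-config on the
// classpath); the XML equivalent of MethodSecurityConfig is
// <global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>.
package example.methodsecurity;

import java.util.List;
import java.util.concurrent.Callable;

import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class SecuredVsPreAuthorizeDemo {

    /** Hypothetical service: the same two roles, two different semantics. */
    public static class AuditService {

        // Several values in @Secured are combined with OR: ROLE_ADMIN alone is enough.
        @Secured({"ROLE_ADMIN", "ROLE_AUDITOR"})
        public String readAuditLog() {
            return "audit log";
        }

        // @PreAuthorize can require BOTH roles. The ROLE_ prefix is written out so the
        // expression behaves the same on Spring Security 3.x (no automatic prefix) and
        // on 4.x+ (hasRole adds the prefix only when it is absent).
        @PreAuthorize("hasRole('ROLE_ADMIN') and hasRole('ROLE_AUDITOR')")
        public String purgeAuditLog() {
            return "purged";
        }
    }

    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
    public static class MethodSecurityConfig {
        @Bean
        public AuditService auditService() {
            return new AuditService();
        }
    }

    /** Puts an already-authenticated principal with the given authorities into the context. */
    static void loginAs(String user, String... roles) {
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roles);
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(user, "n/a", authorities));
    }

    /** Runs a secured call and reports whether the interceptor let it through. */
    static String call(String label, Callable<String> action) {
        try {
            return label + " -> allowed (" + action.call() + ")";
        } catch (AccessDeniedException e) {
            return label + " -> denied";
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(MethodSecurityConfig.class);
        // Always call through the Spring-managed proxy: a direct `new AuditService()` or a
        // self-invocation inside the bean bypasses the security interceptor entirely.
        AuditService service = ctx.getBean(AuditService.class);

        loginAs("alice", "ROLE_ADMIN");                 // one of the two roles
        System.out.println(call("admin only,    @Secured     ", service::readAuditLog));
        System.out.println(call("admin only,    @PreAuthorize", service::purgeAuditLog));

        loginAs("bob", "ROLE_ADMIN", "ROLE_AUDITOR");   // both roles
        System.out.println(call("admin+auditor, @Secured     ", service::readAuditLog));
        System.out.println(call("admin+auditor, @PreAuthorize", service::purgeAuditLog));

        SecurityContextHolder.clearContext();
        ctx.close();
    }
}
```

Run as a plain `main`: with only ROLE_ADMIN the @Secured method is allowed and the @PreAuthorize method is denied; with both roles both calls are allowed. No AuthenticationManager is needed because the token placed in the context is already marked authenticated, so the interceptor only evaluates the authorities it carries.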
Licensed under cc by-sa 3.0 with attribution required.