参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jiangchong</groupId>

    <artifactId>methodsecurity</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <packaging>war</packaging>

    <name>methodsecurity</name>

    <url>http://maven.apache.org</url>

    <properties>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

    </properties>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>1.3.2.RELEASE</version>

    </parent>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

        </dependency>

    </dependencies>

</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

/**

 *

 */

@RestController

@SpringBootApplication

public class App

{

    @Autowired

    public IBookService bookService;

    public static void main(String[] args)

    {

        SpringApplication.run(App.class, args);

    }

    @RequestMapping("/")

    public Map<String, String> test()

    {

        Book b1 = new Book("A", "admin");

        bookService.addBook(b1);

        bookService.getBook();

        System.out.println("user return");

        Book b2 = new Book("B", "user");

        bookService.deleteBook(b2);

        return null;

    }

    /*

     * @RequestMapping("/admin") public Map<String, String> testAdmin() {

     * Map<String, String> map = new HashMap<>(); map.put("admin", "admin");

     * return map; }

     *

     * @RequestMapping("/user") public Map<String, String> testUser(String name)

     * { Map<String, String> map = new HashMap<>(); map.put("user", "user");

     * return map; }

     *

     * @RequestMapping("/resource/test") public Map<String, String>

     * testResouce() { Map<String, String> map = new HashMap<>();

     * map.put("test", "resource"); return map; }

     */

}

Book.class

package com.jiangchong.methodsecurity;

public class Book

{

    private String name;

    private String owner;

    public Book(String name, String owner)

    {

        this.name = name;

        this.owner = owner;

    }

    public String getName()

    {

        return name;

    }

    public void setName(String name)

    {

        this.name = name;

    }

    public String getOwner()

    {

        return owner;

    }

    public void setOwner(String owner)

    {

        this.owner = owner;

    }

}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service

public class BookService implements IBookService

{

    @Override

    public void addBook(Book book)

    {

        System.out.println("You have successfully added book.");

    }

    @Override

    public Book getBook()

    {

        Book book = new Book("B", "user");

        System.out.println("return " + book.getOwner());

        return book;

    }

    @Override

    public void deleteBook(Book book)

    {

        System.out.println("Books deleted");

    }

}

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration

{

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication();

    }

}

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.builders.WebSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

{

    protected void configure(HttpSecurity http) throws Exception

    {

        http.authorizeRequests().anyRequest().authenticated().and().formLogin()

                .loginProcessingUrl("/login").permitAll();

    }

    public void configure(WebSecurity web) throws Exception

    {

        web.ignoring().antMatchers("/resource/**");

    }

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication().withUser("admin").password("admin")

                .roles("ADMIN").and().withUser("user").password("user")

                .roles("USER");

    }

}
    Book b1 = new Book("A", "admin");

    bookService.addBook(b1);

    bookService.getBook();

    System.out.println("user return");

    Book b2 = new Book("B", "user");

    bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. Android Studio安装更新终极解决方式

    之前写过一篇Android SDK无法更新的博文,其实该方式对Android Studio同样有效,大伙可以下载网盘中分享的小软件,若搜索到通道后提示需要更细,也可以选择更新.参考:http://bl ...

  2. Debian 8(jessie)下设置系统启动直接进入命令行,无GUI

    修改grub项 sudo vi /etc/default/grub 修改其中三项 ... GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLI ...

  3. hdu 2065

    ps:我的天...看网上各种难..对于我这个比较懒得人...我就找规律直接水过去了...前20一个循环,注意跳过第一轮的3个数就行..然后觉得比较坑的是,那个输入N,要用long long型... 代 ...

  4. Android Framework层Power键关机流程(一,Power长按键操作处理)

    一:Android处理Power按键长按操作 在Framework层中,Android4.x对Power键(KeyEvent.KEYCODE_POWER)的操作,我们从PhoneWindowManag ...

  5. 动手实现自己的 STL 容器 《1》---- vector

    本文参考了侯捷的 <STL 源码分析>一书,出于兴趣,自行实现了简单的 vector 容器. 之后会陆续上传 list, deque 等容器的代码,若有错误,欢迎留言指出. vector ...

  6. 测试api代码,简单的接口测试代码

    http://www.oschina.net/code/snippet_1408874_43829 <html lang="zh-CN"> <head>   ...

  7. Day19_IO第一天

    1.异常 1.概念      程序出现不正常的情况 2.异常体系(掌握)      Throwable           |-Error                               ...

  8. excel曲线拟合怎么弄

    在做社会调研或科学实验时常常需要把得到的实验数据拟合成曲线图,这样可以使结果形象易懂.下面将介绍怎么用excel来快速地进行曲线拟合.包括添加平滑曲线,线性,指数,幂,多项式(如二次曲线,三次曲线.. ...

  9. c++ 语言细节

    #include <iostream>using namespace std;int main(){     cout << "\nHello World!\n&qu ...

  10. JavaScript学习中的挑战

    当人们尝试学习 JavaScript , 或者其他编程技术的时候,常常会遇到同样的挑战: 有些概念容易混淆,特别是当你学习过其他语言的时候.很难找到学习的时间(有时候是动力).一旦当你理解了一些东西的 ...