参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jiangchong</groupId>

    <artifactId>methodsecurity</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <packaging>war</packaging>

    <name>methodsecurity</name>

    <url>http://maven.apache.org</url>

    <properties>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

    </properties>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>1.3.2.RELEASE</version>

    </parent>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

        </dependency>

    </dependencies>

</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

/**

 *

 */

@RestController

@SpringBootApplication

public class App

{

    @Autowired

    public IBookService bookService;

    public static void main(String[] args)

    {

        SpringApplication.run(App.class, args);

    }

    @RequestMapping("/")

    public Map<String, String> test()

    {

        Book b1 = new Book("A", "admin");

        bookService.addBook(b1);

        bookService.getBook();

        System.out.println("user return");

        Book b2 = new Book("B", "user");

        bookService.deleteBook(b2);

        return null;

    }

    /*

     * @RequestMapping("/admin") public Map<String, String> testAdmin() {

     * Map<String, String> map = new HashMap<>(); map.put("admin", "admin");

     * return map; }

     *

     * @RequestMapping("/user") public Map<String, String> testUser(String name)

     * { Map<String, String> map = new HashMap<>(); map.put("user", "user");

     * return map; }

     *

     * @RequestMapping("/resource/test") public Map<String, String>

     * testResouce() { Map<String, String> map = new HashMap<>();

     * map.put("test", "resource"); return map; }

     */

}

Book.class

package com.jiangchong.methodsecurity;

public class Book

{

    private String name;

    private String owner;

    public Book(String name, String owner)

    {

        this.name = name;

        this.owner = owner;

    }

    public String getName()

    {

        return name;

    }

    public void setName(String name)

    {

        this.name = name;

    }

    public String getOwner()

    {

        return owner;

    }

    public void setOwner(String owner)

    {

        this.owner = owner;

    }

}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service

public class BookService implements IBookService

{

    @Override

    public void addBook(Book book)

    {

        System.out.println("You have successfully added book.");

    }

    @Override

    public Book getBook()

    {

        Book book = new Book("B", "user");

        System.out.println("return " + book.getOwner());

        return book;

    }

    @Override

    public void deleteBook(Book book)

    {

        System.out.println("Books deleted");

    }

}

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration

{

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication();

    }

}

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.builders.WebSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

{

    protected void configure(HttpSecurity http) throws Exception

    {

        http.authorizeRequests().anyRequest().authenticated().and().formLogin()

                .loginProcessingUrl("/login").permitAll();

    }

    public void configure(WebSecurity web) throws Exception

    {

        web.ignoring().antMatchers("/resource/**");

    }

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication().withUser("admin").password("admin")

                .roles("ADMIN").and().withUser("user").password("user")

                .roles("USER");

    }

}
    Book b1 = new Book("A", "admin");

    bookService.addBook(b1);

    bookService.getBook();

    System.out.println("user return");

    Book b2 = new Book("B", "user");

    bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. jQueryMobile控件之ListView

    <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...

  2. poj1502 spfa最短路

    //Accepted 320 KB 16 ms //有n个顶点,边权用A表示 //给出下三角矩阵,求从一号顶点出发到各点的最短路的最大值 #include <cstdio> #includ ...

  3. jsp连接mysql数据库

    1.新建一个Java web项目. 2.导入mysql驱动包.(这个跟上一篇写的Java连接mysql类似) 3.编写测试代码 <%@ page contentType="text/h ...

  4. SpringMVC 用http请求的Get和Post请求作为路由的方法的重载方式

    @Controller @RequestMapping("/messageProcessing") public class WechatPushController { @Aut ...

  5. 旅行家的预算 1999年NOIP全国联赛普及组NOIP全国联赛提高组

     时间限制: 1 s 空间限制: 128000 KB 题目描述 Description 一个旅行家想驾驶汽车以最少的费用从一个城市到另一个城市(假设出发时油箱是空的).给定两个城市之间的距离D1.汽车 ...

  6. 格式化用户输入的金额(处理RMB的时候适合)

    number_format($str,'2','.',','); function number($k){ if(strpos($k,'.')===false){ $ok = $k.'; }else{ ...

  7. 2.b统计字符串长度

    import java.util.*;public class Main {    public static void main(String args[]){    String a;    Sc ...

  8. C#中get和set的写法

    class program{ private string name; public string XXXXXX{ get{return name;} set{name=value;} } } 在C# ...

  9. 关于动态生成data组件

    /*! * WeX5 v3 (http://www.justep.com) * Copyright 2015 Justep, Inc. * Licensed under Apache License, ...

  10. SUSE Linux 13服务器版

    SUSE Linux 下面打开图形界面下的终端 桌面右键,选择运行 konsole命令打一桌面终端插件 配置静态ip /etc/sysconfig/network/ 虚拟机下面的网卡 vi /etc/ ...