参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jiangchong</groupId>

    <artifactId>methodsecurity</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <packaging>war</packaging>

    <name>methodsecurity</name>

    <url>http://maven.apache.org</url>

    <properties>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

    </properties>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>1.3.2.RELEASE</version>

    </parent>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

        </dependency>

    </dependencies>

</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

/**

 *

 */

@RestController

@SpringBootApplication

public class App

{

    @Autowired

    public IBookService bookService;

    public static void main(String[] args)

    {

        SpringApplication.run(App.class, args);

    }

    @RequestMapping("/")

    public Map<String, String> test()

    {

        Book b1 = new Book("A", "admin");

        bookService.addBook(b1);

        bookService.getBook();

        System.out.println("user return");

        Book b2 = new Book("B", "user");

        bookService.deleteBook(b2);

        return null;

    }

    /*

     * @RequestMapping("/admin") public Map<String, String> testAdmin() {

     * Map<String, String> map = new HashMap<>(); map.put("admin", "admin");

     * return map; }

     *

     * @RequestMapping("/user") public Map<String, String> testUser(String name)

     * { Map<String, String> map = new HashMap<>(); map.put("user", "user");

     * return map; }

     *

     * @RequestMapping("/resource/test") public Map<String, String>

     * testResouce() { Map<String, String> map = new HashMap<>();

     * map.put("test", "resource"); return map; }

     */

}

Book.class

package com.jiangchong.methodsecurity;

public class Book

{

    private String name;

    private String owner;

    public Book(String name, String owner)

    {

        this.name = name;

        this.owner = owner;

    }

    public String getName()

    {

        return name;

    }

    public void setName(String name)

    {

        this.name = name;

    }

    public String getOwner()

    {

        return owner;

    }

    public void setOwner(String owner)

    {

        this.owner = owner;

    }

}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service

public class BookService implements IBookService

{

    @Override

    public void addBook(Book book)

    {

        System.out.println("You have successfully added book.");

    }

    @Override

    public Book getBook()

    {

        Book book = new Book("B", "user");

        System.out.println("return " + book.getOwner());

        return book;

    }

    @Override

    public void deleteBook(Book book)

    {

        System.out.println("Books deleted");

    }

}

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration

{

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication();

    }

}

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.builders.WebSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

{

    protected void configure(HttpSecurity http) throws Exception

    {

        http.authorizeRequests().anyRequest().authenticated().and().formLogin()

                .loginProcessingUrl("/login").permitAll();

    }

    public void configure(WebSecurity web) throws Exception

    {

        web.ignoring().antMatchers("/resource/**");

    }

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication().withUser("admin").password("admin")

                .roles("ADMIN").and().withUser("user").password("user")

                .roles("USER");

    }

}
    Book b1 = new Book("A", "admin");

    bookService.addBook(b1);

    bookService.getBook();

    System.out.println("user return");

    Book b2 = new Book("B", "user");

    bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. Active Record: 資料庫遷移(Migration) (转)

    Active Record: 資料庫遷移(Migration) Programming today is a race between software engineers striving to b ...

  2. (转)JAVA实现Windows拨号、IP切换

    原理: 通过调用windows下的dos命令实现拨号 PS:连接名称获取不一定都是适用,但苦于知道的dos命令太少了,只能将就这么用着. 如有更好的方法,烦请不吝赐教. public class Co ...

  3. 运用Fluxion高效破解WiFi密码

    Fluxion是一个无线破解工具,这个工具有点像是Linset的翻版.但是与Linset比较起来,它有着更多有趣的功能.目前这个工具在Kali Linux上可以完美运行. 工作原理 1.扫描能够接收到 ...

  4. 关于ASP.NET页面打印技术的总结【转】

    B/S结构导致了Web应用程序中打印的特殊性. • 程序运行在浏览器中,打印机在本地,而文件确可能在服务器上,导致了打印控制不是很灵活. • 格式如何控制和定制等,是我们开发中可能会面对的问题. 打印 ...

  5. Android Sudoku应用挂掉的问题

    在真机上测试数独游戏时发现,快速点击屏幕时,游戏偶尔出现挂死的情况,Log如下 04-08 15:35:00.838 7317-7356/org.elvalad.sudoku D/OpenGLRend ...

  6. linux命令:head

    1.命令介绍: head用来显示文件的开头的一部分. 2.命令格式: head [选项] 文件 3.命令参数: -q 隐藏文件名 -v 显示文件名 -c<字节> 显示字节数 -n<行 ...

  7. iOS-硬件声音 ,振动,提示警告

    为了引起用户注意发出警告的时候,常常伴随有提示音震动等.系统声音服务提供了一个接口,用于播放不超过30秒的声音文件,他支持的格式有CAF,AIF,WAV. iOS使用该API支持3种不同的通知: 声音 ...

  8. python数据结构与算法——快速排序

    快速排序通过不断将数列分段,使得较小的数在左边的序列,较大的数在右边的序列,不断重复此过程实现排序效果.通过设置两个哨兵不断的找两个序列的较小数,较大数,并把左右的数据互换,实现对数据从粗到细的排序. ...

  9. uget和aria2

    http://blog.csdn.net/luojiming1990/article/details/9078447 其中的aria2 -v要改成aria2c -v

  10. opencv--图像轮廓检测

    //图像的轮廓检测上 //By MoreWindows (http://blog.csdn.net/MoreWindows) #include <opencv2/opencv.hpp> u ...