参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion> <groupId>com.jiangchong</groupId>
<artifactId>methodsecurity</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging> <name>methodsecurity</name>
<url>http://maven.apache.org</url> <properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.3.2.RELEASE</version>
</parent>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
</dependency>
</dependencies>
</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController; /**
*
*/
@RestController
@SpringBootApplication
public class App
{
@Autowired
public IBookService bookService; public static void main(String[] args)
{
SpringApplication.run(App.class, args);
} @RequestMapping("/")
public Map<String, String> test()
{
Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
return null;
}
/*
* @RequestMapping("/admin") public Map<String, String> testAdmin() {
* Map<String, String> map = new HashMap<>(); map.put("admin", "admin");
* return map; }
*
* @RequestMapping("/user") public Map<String, String> testUser(String name)
* { Map<String, String> map = new HashMap<>(); map.put("user", "user");
* return map; }
*
* @RequestMapping("/resource/test") public Map<String, String>
* testResouce() { Map<String, String> map = new HashMap<>();
* map.put("test", "resource"); return map; }
*/
}

Book.class

package com.jiangchong.methodsecurity;

public class Book
{
private String name;
private String owner; public Book(String name, String owner)
{
this.name = name;
this.owner = owner;
} public String getName()
{
return name;
} public void setName(String name)
{
this.name = name;
} public String getOwner()
{
return owner;
} public void setOwner(String owner)
{
this.owner = owner;
}
}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service
public class BookService implements IBookService
{
@Override
public void addBook(Book book)
{
System.out.println("You have successfully added book.");
} @Override
public Book getBook()
{
Book book = new Book("B", "user");
System.out.println("return " + book.getOwner());
return book;
} @Override
public void deleteBook(Book book)
{
System.out.println("Books deleted");
} }

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize; public interface IBookService
{
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void addBook(Book book); // PostAuthorize,决定这个值是否可以被返回,使用returnObject
/*
* Less commonly, you may wish to perform an access-control check after the
* method has been invoked. This can be achieved using the @PostAuthorize
* annotation. To access the return value from a method, use the built-in
* name returnObject in the expression.
*/
@PostAuthorize("returnObject.owner == authentication.name")
public Book getBook(); // PreAuthorize,决定这个方法是否可以被调用
/*
* @P单个参数的方法
*/
@PreAuthorize("#b.owner == authentication.name")
public void deleteBook(@P("b") Book book);
/*
* @Param放在至少有一个参数的方法的上
*
* @PreAuthorize("#n == authentication.name") Contact
* findContactByName(@Param("n") String name)
*/
// springEL
/*
* @PreAuthorize("#contact.name == authentication.name") public void
* doSomething(Contact contact);
*/ }

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration; @Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration
{
protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication();
} }

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; @Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter
{
protected void configure(HttpSecurity http) throws Exception
{
http.authorizeRequests().anyRequest().authenticated().and().formLogin()
.loginProcessingUrl("/login").permitAll();
} public void configure(WebSecurity web) throws Exception
{
web.ignoring().antMatchers("/resource/**");
} protected void configure(AuthenticationManagerBuilder auth)
throws Exception
{
auth.inMemoryAuthentication().withUser("admin").password("admin")
.roles("ADMIN").and().withUser("user").password("user")
.roles("USER");
} }
    Book b1 = new Book("A", "admin");
bookService.addBook(b1);
bookService.getBook();
System.out.println("user return");
Book b2 = new Book("B", "user");
bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. 从c开始,小小感悟

    c语言是众多编程小白进入编程大门的钥匙,不过许多人在学习一段时间以后就渐渐产生了困惑,枯燥的黑色界面渐渐让他们失去了"渴望",---我还不能制作出一款像样的软件,我还是只是在算数学 ...

  2. SqlServer性能优化:创建性能监视器(二)

    添加三个选项: 下一步就可以了 Sql跟踪的模板: 跟踪Sql 语句的执行情况: 使用刚才的新建的模板: 用到的Sql语句: select * from [Sales].[SalesOrderDeta ...

  3. 搜索栏会消失 uisearchbar 狂点消失的问题解决

    经过反复试验和错误很多,我发现当searchdisplaycontroller结束搜索,搜索栏会消失,所以我重新插入到搜索栏表头和它为我工作. - (void)searchDisplayControl ...

  4. java项目部署在服务器环境配置以及命令的编写

    在往项目上部署java项目(即打成的jar包),要为相应的项目配置环境变量,即项目运行所需要的jar或其他第三方的jar包,java -cp derivativeAccording.jar:lib/c ...

  5. IOS网络开发(一)

    1 简易的聊天工具 1.1 问题 Socket的英文原义是孔或者插座的意思,通常也称作套接字,用于描述IP地址和端口,是一个通信链的句柄,本案例使用第三方Socket编程框架AsyncSocket框架 ...

  6. Spark 个人实战系列(1)--Spark 集群安装

    前言: CDH4不带yarn和spark, 因此需要自己搭建spark集群. 这边简单描述spark集群的安装过程, 并讲述spark的standalone模式, 以及对相关的脚本进行简单的分析. s ...

  7. Jena Fuseki 102

    Version Fuseki v1 Fuseki v2 since Jena 2.13.0 Both v1 and v2 are active and maintained.[2015/06/29] ...

  8. C语言解决八皇后问题

    #include <stdio.h> #include <stdlib.h> /* this code is used to cope with the problem of ...

  9. Do It Wrong, Get It Right

    Do It Wrong, Get It Right Time Limit: 5000ms, Special Time Limit:12500ms, Memory Limit:65536KB Total ...

  10. hiho一下122周 后缀数组三·重复旋律

    后缀数组三·重复旋律3 时间限制:5000ms 单点时限:1000ms 内存限制:256MB 描述 小Hi平时的一大兴趣爱好就是演奏钢琴.我们知道一个音乐旋律被表示为长度为 N 的数构成的数列.小Hi ...