参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jiangchong</groupId>

    <artifactId>methodsecurity</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <packaging>war</packaging>

    <name>methodsecurity</name>

    <url>http://maven.apache.org</url>

    <properties>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

    </properties>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>1.3.2.RELEASE</version>

    </parent>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

        </dependency>

    </dependencies>

</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

/**

 *

 */

@RestController

@SpringBootApplication

public class App

{

    @Autowired

    public IBookService bookService;

    public static void main(String[] args)

    {

        SpringApplication.run(App.class, args);

    }

    @RequestMapping("/")

    public Map<String, String> test()

    {

        Book b1 = new Book("A", "admin");

        bookService.addBook(b1);

        bookService.getBook();

        System.out.println("user return");

        Book b2 = new Book("B", "user");

        bookService.deleteBook(b2);

        return null;

    }

    /*

     * @RequestMapping("/admin") public Map<String, String> testAdmin() {

     * Map<String, String> map = new HashMap<>(); map.put("admin", "admin");

     * return map; }

     *

     * @RequestMapping("/user") public Map<String, String> testUser(String name)

     * { Map<String, String> map = new HashMap<>(); map.put("user", "user");

     * return map; }

     *

     * @RequestMapping("/resource/test") public Map<String, String>

     * testResouce() { Map<String, String> map = new HashMap<>();

     * map.put("test", "resource"); return map; }

     */

}

Book.class

package com.jiangchong.methodsecurity;

public class Book

{

    private String name;

    private String owner;

    public Book(String name, String owner)

    {

        this.name = name;

        this.owner = owner;

    }

    public String getName()

    {

        return name;

    }

    public void setName(String name)

    {

        this.name = name;

    }

    public String getOwner()

    {

        return owner;

    }

    public void setOwner(String owner)

    {

        this.owner = owner;

    }

}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service

public class BookService implements IBookService

{

    @Override

    public void addBook(Book book)

    {

        System.out.println("You have successfully added book.");

    }

    @Override

    public Book getBook()

    {

        Book book = new Book("B", "user");

        System.out.println("return " + book.getOwner());

        return book;

    }

    @Override

    public void deleteBook(Book book)

    {

        System.out.println("Books deleted");

    }

}

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration

{

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication();

    }

}

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.builders.WebSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

{

    protected void configure(HttpSecurity http) throws Exception

    {

        http.authorizeRequests().anyRequest().authenticated().and().formLogin()

                .loginProcessingUrl("/login").permitAll();

    }

    public void configure(WebSecurity web) throws Exception

    {

        web.ignoring().antMatchers("/resource/**");

    }

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication().withUser("admin").password("admin")

                .roles("ADMIN").and().withUser("user").password("user")

                .roles("USER");

    }

}
    Book b1 = new Book("A", "admin");

    bookService.addBook(b1);

    bookService.getBook();

    System.out.println("user return");

    Book b2 = new Book("B", "user");

    bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. CSS特性: 继承 和 层叠

    在css中也存在着继承关系,与面向对象的编程语言不同,css的继承很简单,而且主要指的是在CSS盒模型中,外围的盒子的样式会被内部所包含的盒子所继承.具体来了解一下. HTML元素之间存在一个”树型“ ...

  2. brute-force search

    #include <pcl/search/brute_force.h> #include <pcl/common/common.h> #include <iostream ...

  3. Bug严重级别分类

    BUG等级划分,一般划分为:严重BUG.较严重BUG.一般性BUG.建议性BUG A类—严重错误,包括以下各种错误: 1. 由于程序所引起的死机,非法退出 2. 死循环 3. 数据库发生死锁 4. 因 ...

  4. 地图和定位 、 iCloud

    1 FindMe应用 1.1 问题 MapKit框架可以用于创建现场交互的地图来显示用户想要设备显示的任何位置,包括用户的当前位置,甚至可以进行标记并查看地图上的标注信息.CoreLocation框架 ...

  5. 用python+selenium将腾讯首页今日话题的内容自动发表到自己cnblog里

    目的:使用pyhton下的unittest单元测试框架并结合selenium的webdriver来实现将腾讯首页的今日话题下的内容自动发表达到自己的cnblog里. 思路:创建QQDailyTopic ...

  6. 更新EF,EF 报错

    在项目中,对一个视图进行了更新,增加了一个字段,然后需要更新EF访问,可是往往会报错, 查看映射关系发现EF将字段映射为主键,而视图没有进行ISNULL处理. 可以有两种处理方式: 1:修改视图对字段 ...

  7. android 镜像源

    Android SDK在线更新镜像服务器 中国科学院开源协会镜像站地址: IPV4/IPV6: mirrors.opencas.cn 端口:80 IPV4/IPV6: mirrors.opencas. ...

  8. python 深拷贝与浅拷贝

    浅拷贝的方式有: lst=[1,2,3] (1)直接赋值: lst_cp = lst (2)for循环遍历生成:lst_cp= [i for i in lst] (3)copy模块下,copy.cop ...

  9. EntityFramework 实体映射到数据库

    EntityFramework实体映射到数据库 在Entity Framework Code First与数据表之间的映射方式实现: 1.Fluent API映射 通过重写DbContext上的OnM ...

  10. Python 爬虫学习 urllib

    网页抓取 # -*-coding: utf-8 -*- import urllib url = "http://www.cndzz.com/" html = urllib.urlo ...