参考

Spring Security 官方文档

http://www.concretepage.com/spring/spring-security/preauthorize-postauthorize-in-spring-security

方法调用安全

对应的注解@EnableGlobalMethodSecurity,该注解放在GlobalMethodSecurityConfiguration的子类上方

@EnableGlobalMethodSecurity(prePostEnabled = true)

使用的Voter

org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter

有俩对对应的注解

@PreAuthorize 决定方法是否可以被调用

@PostAuthorize 决定方法是否可以返回该值

@PreFilter

@PostFilter

如下:

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

测试的Demo,基于Spring Boot

Pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

    <modelVersion>4.0.0</modelVersion>

    <groupId>com.jiangchong</groupId>

    <artifactId>methodsecurity</artifactId>

    <version>0.0.1-SNAPSHOT</version>

    <packaging>war</packaging>

    <name>methodsecurity</name>

    <url>http://maven.apache.org</url>

    <properties>

        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

    </properties>

    <parent>

        <groupId>org.springframework.boot</groupId>

        <artifactId>spring-boot-starter-parent</artifactId>

        <version>1.3.2.RELEASE</version>

    </parent>

    <dependencies>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.boot</groupId>

            <artifactId>spring-boot-starter</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <scope>compile</scope>

        </dependency>

        <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

        </dependency>

    </dependencies>

</project>

App.class

package com.jiangchong.methodsecurity;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.web.bind.annotation.RequestMapping;

import org.springframework.web.bind.annotation.RestController;

/**

 *

 */

@RestController

@SpringBootApplication

public class App

{

    @Autowired

    public IBookService bookService;

    public static void main(String[] args)

    {

        SpringApplication.run(App.class, args);

    }

    @RequestMapping("/")

    public Map<String, String> test()

    {

        Book b1 = new Book("A", "admin");

        bookService.addBook(b1);

        bookService.getBook();

        System.out.println("user return");

        Book b2 = new Book("B", "user");

        bookService.deleteBook(b2);

        return null;

    }

    /*

     * @RequestMapping("/admin") public Map<String, String> testAdmin() {

     * Map<String, String> map = new HashMap<>(); map.put("admin", "admin");

     * return map; }

     *

     * @RequestMapping("/user") public Map<String, String> testUser(String name)

     * { Map<String, String> map = new HashMap<>(); map.put("user", "user");

     * return map; }

     *

     * @RequestMapping("/resource/test") public Map<String, String>

     * testResouce() { Map<String, String> map = new HashMap<>();

     * map.put("test", "resource"); return map; }

     */

}

Book.class

package com.jiangchong.methodsecurity;

public class Book

{

    private String name;

    private String owner;

    public Book(String name, String owner)

    {

        this.name = name;

        this.owner = owner;

    }

    public String getName()

    {

        return name;

    }

    public void setName(String name)

    {

        this.name = name;

    }

    public String getOwner()

    {

        return owner;

    }

    public void setOwner(String owner)

    {

        this.owner = owner;

    }

}

BookService.class

package com.jiangchong.methodsecurity;

import org.springframework.stereotype.Service;

@Service

public class BookService implements IBookService

{

    @Override

    public void addBook(Book book)

    {

        System.out.println("You have successfully added book.");

    }

    @Override

    public Book getBook()

    {

        Book book = new Book("B", "user");

        System.out.println("return " + book.getOwner());

        return book;

    }

    @Override

    public void deleteBook(Book book)

    {

        System.out.println("Books deleted");

    }

}

IBookService

package com.jiangchong.methodsecurity;

import org.springframework.security.access.method.P;

import org.springframework.security.access.prepost.PostAuthorize;

import org.springframework.security.access.prepost.PreAuthorize;

public interface IBookService

{

    @PreAuthorize("hasRole('ROLE_ADMIN')")

    public void addBook(Book book);

    // PostAuthorize,决定这个值是否可以被返回,使用returnObject

    /*

     * Less commonly, you may wish to perform an access-control check after the

     * method has been invoked. This can be achieved using the @PostAuthorize

     * annotation. To access the return value from a method, use the built-in

     * name returnObject in the expression.

     */

    @PostAuthorize("returnObject.owner == authentication.name")

    public Book getBook();

    // PreAuthorize,决定这个方法是否可以被调用

    /*

     * @P单个参数的方法

     */

    @PreAuthorize("#b.owner == authentication.name")

    public void deleteBook(@P("b") Book book);

    /*

     * @Param放在至少有一个参数的方法的上

     *

     * @PreAuthorize("#n == authentication.name") Contact

     * findContactByName(@Param("n") String name)

     */

    // springEL

    /*

     * @PreAuthorize("#contact.name == authentication.name") public void

     * doSomething(Contact contact);

     */

}

MethodSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;

@Configuration

@EnableGlobalMethodSecurity(prePostEnabled = true)

public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration

{

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication();

    }

}

WebSecurityConfig

package com.jiangchong.methodsecurity;

import org.springframework.context.annotation.Configuration;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.builders.WebSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration

@EnableWebSecurity

public class WebSecurityConfig extends WebSecurityConfigurerAdapter

{

    protected void configure(HttpSecurity http) throws Exception

    {

        http.authorizeRequests().anyRequest().authenticated().and().formLogin()

                .loginProcessingUrl("/login").permitAll();

    }

    public void configure(WebSecurity web) throws Exception

    {

        web.ignoring().antMatchers("/resource/**");

    }

    protected void configure(AuthenticationManagerBuilder auth)

            throws Exception

    {

        auth.inMemoryAuthentication().withUser("admin").password("admin")

                .roles("ADMIN").and().withUser("user").password("user")

                .roles("USER");

    }

}
    Book b1 = new Book("A", "admin");

    bookService.addBook(b1);

    bookService.getBook();

    System.out.println("user return");

    Book b2 = new Book("B", "user");

    bookService.deleteBook(b2);
这些调用序列,只要有一个不满足权限,后面的方法不会再调用

spring security method security的更多相关文章

  1. Spring Security 4 Method security using @PreAuthorize,@PostAuthorize, @Secured, EL--转

    原文地址:http://websystique.com/spring-security/spring-security-4-method-security-using-preauthorize-pos ...

  2. 初识Spring security-添加security

    请先查看 初识Spring security-无Security的SpringMVC 在pom.xml文件中添加包 <!-- Spring Security --> <depende ...

  3. Spring Security(二十二):6.4 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  4. Spring Security(十七):5.8 Method Security

    From version 2.0 onwards Spring Security has improved support substantially for adding security to y ...

  5. Spring boot Security Disable security

    When I use security.basic.enabled=false to disable security on a Spring Boot project that has the fo ...

  6. 41.4 Method Security方法安全性

    41.4.1 <global-method-security> 这个元素是为Spring Security beans上的安全方法添加支持的主要手段.可以通过使用注释(在接口或类级别定义) ...

  7. spring boot + thymeleaf +security自定义规则 的简单使用

    1.前言 以前开发一直使用 springMVC模式开发 ,前端页面常使用 JSP  ,现在html5淘汰了 ,要么使用html ,要么使用vue , 现在使用spring boot ,有必要总结一下 ...

  8. 【JavaEE】SSH+Spring Security自定义Security的部分处理策略

    本文建立在 SSH与Spring Security整合 一文的基础上,从这篇文章的example上做修改,或者从 配置了AOP 的example上做修改皆可.这里主要补充我在实际使用Spring Se ...

  9. Spring Cloud:Security OAuth2 自定义异常响应

    对于客户端开发或者网站开发而言,调用接口返回有统一的响应体,可以针对性的设计界面,代码结构更加清晰,层次也更加分明. 默认异常响应 在使用 Spring Security Oauth2 登录和鉴权失败 ...

随机推荐

  1. How To Use Hbase Bulk Loading

    最近在学习hbase,学到利用如何将数据导入到hbase中,采用的方式是批量导入:bulk load的方法,中间出现了一些问题,下面将执行的步骤记录一下,以供日后查阅: 说明:导入的方式是将csv文件 ...

  2. SVG 2D入门13 - svg对决canvas

    到目前为止,SVG与Canvas的主要特性均已经总结完毕了.它们都是HTML5中支持的2D图形展示技术,而且均支持向量图形.现在,我们就来比对一下这两种技术,分析一下它们的长处和适用场景.首先分析一下 ...

  3. Nested List Weight Sum -- LeetCode 339

    Given a nested list of integers, return the sum of all integers in the list weighted by their depth. ...

  4. system_call的处理过程

    一. 跟踪time系统调用 使用gdb调试跟踪系统调用内核函数sys_time 过程如下: 对sys_time设置断点之后,在menuOS中执行time命令,发现系统停在systime处,输入S单步执 ...

  5. 第三个Sprint冲刺第四天

    讨论地点:宿舍 讨论成员:邵家文.李新.朱浩龙.陈俊金 讨论问题:强化界面功能

  6. day12_API第二天

    1.Scanner注意问题 1.Scanner中方法                   next() -- 查找并返回来自此扫描器的下一个完整标记.           nextLine() -- ...

  7. hdu4497 GCD and LCM ——素数分解+计数

    link:http://acm.hdu.edu.cn/showproblem.php?pid=4497 如果G%L != 0,说明一定无解. 把K = G / L质数分解,G / L = p1^t1 ...

  8. ABBYY FineReader自定义工作区的方法

    ABBYY FineReader作为一款OCR图文识别软件,界面具有用户友好性和直观性,以结果为导向,可以在不进行任何其他培训的情况下使用该程序,新用户可以迅速掌握主要功能,轻松自定义程序的界面,接下 ...

  9. 12-factor

    简介 如今,软件通常会作为一种服务来交付,它们被称为网络应用程序,或软件即服务(SaaS).12-Factor 为构建如下的 SaaS 应用提供了方法论: 使用标准化流程自动配置,从而使新的开发者花费 ...

  10. 完成一段简单的Python程序,使用函数实现用来判断输入数是偶数还是奇数

    #!/bin/usr/env python#coding=utf-8'''完成一段简单的Python程序,使用函数实现用来判断偶数和奇数'''def number_deal(a): if a%2==0 ...