Method security 

As mentioned earlier, Spring Security performs method-level security through AOP, and there are two ways to secure methods. One is to use the @Secured annotation or the JSR-250 @RolesAllowed annotation to specify the authority/role required to invoke that method. The other way is to use Spring's expression language through the @PreAuthorize and @PostAuthorize annotations.

The following is the way to enable method security with the use of the @Secured annotation:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class MethodSecurityConfig {
    // ...
}

The following is the way to enable method security with the use of the @RolesAllowed annotation:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class MethodSecurityConfig {
    // ...
}

As you can see, both configurations are applied with the @EnableGlobalMethodSecurity annotation.

The following is how to use the @Secured annotation:

import java.util.List;
import org.springframework.security.access.annotation.Secured;

public interface PaymentService {
    // Only callers holding the ROLE_PAYMENT_ADMIN authority may invoke this method
    @Secured("ROLE_PAYMENT_ADMIN")
    List<Payment> getPayments(Long userId);
}

The following code shows how to use the @RolesAllowed annotation:

import java.util.List;
import javax.annotation.security.RolesAllowed;

public interface PaymentService {
    // JSR-250 equivalent of the @Secured example above
    @RolesAllowed("ROLE_PAYMENT_ADMIN")
    List<Payment> getPayments(Long userId);
}

As you can see, both annotations are used in the same way and work in the same way. An instance of MethodSecurityInterceptor will intercept the method invocation and the access decision will be delegated to AccessDecisionManager. The decision will be made based on the user's roles, that is, the granted authorities of the Authentication instance in the SecurityContext.

As mentioned earlier, role-based authorization is coarse-grained and has its limits, and that is solved by Spring Expression Language-based method security. Instead of being limited to checking only the granted authorities, we can use Spring Expression Language to access the parameters the method takes or the result the method returns. With that information available, we can express much more complex authorization logic, such as granting access to a method that returns all of the cards of a board only when the caller is a member of that board.

The following configuration will enable expression-based method security:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
    // ...
}

We can use the @PreAuthorize annotation and the @PostAuthorize annotation to secure methods. As their names suggest, the @PreAuthorize annotation will trigger authorization before the method invocation and the @PostAuthorize annotation will do that after the method has been invoked.

The following is a usage example of the @PreAuthorize annotation:

import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;

public interface BoardService {
    // isBoardMember() is a custom expression method; its handler is implemented in the next chapter
    @PreAuthorize("isBoardMember()")
    List<Card> getCards(long boardId);
}

The authorization will be handled by an instance of the SecurityExpressionHandler interface. We will not dig too much into method security at the moment, because in the next chapter we will implement a handler for the @PreAuthorize annotation to guard the methods in our application services. You will see how it works in action.
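The following is an added example, not code from the book, showing what the expression-based approach described above gives you without writing a custom SecurityExpressionHandler: a @PreAuthorize expression that reads the method parameter and the current Authentication and delegates to a Spring bean, and a @PostAuthorize expression that inspects the returned object. The domain types (Card, Payment), the BoardMembership bean with its in-memory member table, and the usernames are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// Same switch as in the text: turns on @PreAuthorize/@PostAuthorize processing.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig {
}

// Hypothetical domain types. Getters are needed so SpEL can read properties
// such as "returnObject.ownerUsername".
class Card {
    private final long id;
    private final long boardId;
    Card(long id, long boardId) { this.id = id; this.boardId = boardId; }
    public long getId() { return id; }
    public long getBoardId() { return boardId; }
}

class Payment {
    private final long id;
    private final String ownerUsername;
    Payment(long id, String ownerUsername) { this.id = id; this.ownerUsername = ownerUsername; }
    public long getId() { return id; }
    public String getOwnerUsername() { return ownerUsername; }
}

// Membership check exposed as a bean named "boardMembership" so that security
// expressions can call it as "@boardMembership.isMember(...)".
@Component("boardMembership")
class BoardMembership {
    // Constructed stand-in for a repository query: board id -> member usernames.
    private final Map<Long, Set<String>> membersByBoard = Map.of(
            1L, Set.of("alice", "bob"),
            2L, Set.of("carol"));

    public boolean isMember(long boardId, Authentication authentication) {
        // Fail closed: no authentication, or an unknown board, means no access.
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        return membersByBoard.getOrDefault(boardId, Set.of())
                .contains(authentication.getName());
    }
}

@Service
class BoardService {
    // "#boardId" binds the method parameter; "authentication" is the built-in
    // expression variable holding the caller's Authentication.
    @PreAuthorize("@boardMembership.isMember(#boardId, authentication)")
    public List<Card> getCards(long boardId) {
        return List.of(new Card(10L, boardId), new Card(11L, boardId));
    }
}

@Service
class PaymentService {
    // Pre-check on the parameter: payment admins may read anyone's payments,
    // everyone else only their own (owner is identified by username here).
    @PreAuthorize("hasRole('PAYMENT_ADMIN') or #username == authentication.name")
    public List<Payment> getPayments(String username) {
        return List.of(new Payment(1L, username));
    }

    // Post-check on the result: the owner is only known after the lookup, so the
    // comparison runs against "returnObject" after the method has executed.
    @PostAuthorize("hasRole('PAYMENT_ADMIN') or returnObject.ownerUsername == authentication.name")
    public Payment getPayment(long paymentId) {
        return new Payment(paymentId, "alice");
    }
}
```

Two points worth remembering when using this style: the annotations are enforced by a proxy, so a call from one method of BoardService to another method of the same object bypasses the interceptor entirely, and a @PostAuthorize check still executes the method body (including any side effects) before it can deny access, so it is only suitable for read-style methods.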
