Method invocation

Spring Security allows users to access-control method execution using aspect-oriented programming (AOP) in the background. This can be done using XML configuration or using Java configuration. Since we have been following Java configuration throughout this book, we will cover Java configuration and annotations here to explain method security. The best practice is to choose a particular method invocation authorization approach and stick to it for consistency across your application. Choose whichever approach is apt for your application, as there isn't anything particular documented on when to choose what.

If you would like to enable method security in your application, first annotate a configuration class with @EnableGlobalMethodSecurity, as the snippets below do (recent Spring Security versions also provide @EnableMethodSecurity for the same purpose). There are three types of annotation with which you can annotate methods and authorize them. The types are as follows:

  • Voting-based annotations: the most commonly used annotations in Spring Security. Spring Security's @Secured annotation falls into this category. To use these annotations, they first have to be enabled, as shown in the following code snippet:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableGlobalMethodSecurity(securedEnabled = true) // turns on @Secured; it is off by default
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // ...
    }

Once the annotation is enabled, @Secured can be used, as shown in the following code snippet:

    import org.springframework.security.access.annotation.Secured;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/movie")
    public class MovieController {

        @GetMapping("public")
        @Secured("ROLE_PUBLIC") // @Secured matches the authority literally, so the ROLE_ prefix is written out
        public String publiclyAvailable() {
            return "Hello All!";
        }

        @GetMapping("admin")
        @Secured("ROLE_ADMIN")
        public String adminAccessible() {
            return "Hello Admin!";
        }
    }
  • JSR-250 security annotations: These are also called the Enterprise JavaBeans 3.0 (EJB 3) security annotations. Again, before using these annotations, they have to be enabled using @EnableGlobalMethodSecurity(jsr250Enabled = true). The following snippet shows the JSR-250 security annotations in action:

    import javax.annotation.security.PermitAll;
    import javax.annotation.security.RolesAllowed;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/movie")
    public class MovieController {

        @GetMapping("public")
        @PermitAll // any caller, authenticated or not, may invoke this method
        public String publiclyAvailable() {
            return "Hello All!";
        }

        @GetMapping("admin")
        @RolesAllowed({"ROLE_ADMIN"}) // Spring adds the ROLE_ prefix automatically if it is omitted
        public String adminAccessible() {
            return "Hello Admin!";
        }
    }

  • Expression-based annotations: Annotations such as @PreAuthorize, @PostAuthorize, @PreFilter and @PostFilter fall into this category. They are enabled using @EnableGlobalMethodSecurity(prePostEnabled = true):

    import org.springframework.security.access.prepost.PreAuthorize;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    @RequestMapping("/movie")
    public class MovieController {

        @GetMapping("public")
        @PreAuthorize("permitAll()") // the expression is evaluated before the method body runs
        public String publiclyAvailable() {
            return "Hello All!";
        }

        @GetMapping("admin")
        @PreAuthorize("hasAnyAuthority('ROLE_ADMIN')")
        public String adminAccessible() {
            return "Hello Admin!";
        }
    }

In the preceding example, hasAnyAuthority is a built-in Spring Security expression written in Spring Expression Language (SpEL). Similar to the one shown, there are many such predefined expressions that can be used for security.
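The following test is added here as an illustration and is not taken from the book; it calls the secured MovieController bean directly through its Spring proxy, so only the method-security interceptor, not the HTTP filter chain, is exercised. It assumes JUnit 5 and spring-security-test are on the classpath and that a Spring Boot application containing the SecurityConfig and MovieController above lives in the same package.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.test.context.support.WithMockUser;

// Added example: verifies the authorization rules declared on MovieController
// by invoking the proxied bean, which is where the method-security advice runs.
@SpringBootTest
class MovieControllerMethodSecurityTest {

    @Autowired
    private MovieController controller; // the proxied bean, not a plain new MovieController()

    @Test
    @WithMockUser(roles = "ADMIN") // @WithMockUser turns roles = "ADMIN" into the authority ROLE_ADMIN
    void adminRoleReachesAdminMethod() {
        assertEquals("Hello Admin!", controller.adminAccessible());
    }

    @Test
    @WithMockUser(roles = "PUBLIC") // holds ROLE_PUBLIC only
    void publicRoleIsDeniedAdminMethod() {
        assertThrows(AccessDeniedException.class, controller::adminAccessible);
        assertEquals("Hello All!", controller.publiclyAvailable());
    }

    @Test
    void unauthenticatedCallerIsRejected() {
        // No Authentication in the SecurityContext: the interceptor fails closed
        // before the method body is reached.
        assertThrows(AuthenticationCredentialsNotFoundException.class,
                     controller::adminAccessible);
    }
}
```

The same three tests hold for the @Secured, JSR-250 and @PreAuthorize variants of the controller, provided the matching flag is set on @EnableGlobalMethodSecurity. The bean must come from the application context: constructing the controller with new, or calling adminAccessible() from another method of the same class, bypasses the proxy and therefore the checks.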
