@RolesAllowed vs @PreAuthorize vs @Secured

I have a main Spring Boot application created with the Spring Initializr, using the built-in Tomcat, the Thymeleaf template engine, and packaged as an executable JAR file.

I want to protect the controller:

@Controller
@RequestMapping("/company")
// three alternative ways of saying "admins only" (one of them is enough):
@RolesAllowed({"ROLE_ADMIN"})
@PreAuthorize("hasRole('ADMIN')")
@Secured("ROLE_ADMIN")   // @Secured takes the literal authority, so the ROLE_ prefix is required
public class CompanyController {
}

I know there are different options, but I do not know which one I should use.

+13
3 answers

Security Annotations

@PreAuthorize, @RolesAllowed and @Secured are all annotations that allow you to configure method security. They can be applied to individual methods or at the class level; in the latter case the security constraints apply to all methods in the class.

Under the hood, method-level security is enforced with Spring AOP.

@PreAuthorize

@PreAuthorize supports the Spring Expression Language (SpEL), so the rule can be an expression rather than a fixed list of roles. @PreAuthorize is provided by Spring Security.

To enable @PreAuthorize, set the prePostEnabled attribute of @EnableGlobalMethodSecurity to true:

@EnableGlobalMethodSecurity(prePostEnabled=true)

@RolesAllowed

@RolesAllowed is the standard Java annotation from JSR-250. Unlike @PreAuthorize, it does not support SpEL.

To use @RolesAllowed, the JSR-250 API must be on the classpath, since it is not part of Spring Security. Then set the jsr250Enabled attribute of @EnableGlobalMethodSecurity to true:

@EnableGlobalMethodSecurity(jsr250Enabled=true)

@Secured

@Secured is the legacy annotation from Spring Security 2, used to configure method security. It does not support the Spring Expression Language (SpEL); @PreAuthorize is recommended instead.

To enable @Secured, set the securedEnabled attribute of @EnableGlobalMethodSecurity to true:

@EnableGlobalMethodSecurity(securedEnabled=true)

SpEL support

Spring Expression Language support in the security annotations, as of Spring Security 5:

Security Annotation   Has SpEL Support?
-------------------   -----------------
@PreAuthorize         yes
@PostAuthorize        yes
@PreFilter            yes
@PostFilter           yes
@Secured              no
@RolesAllowed         no
+2
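As an added example (not code from the question or from this answer): one configuration class that switches on all three annotation families, and one service that spells the same "admins only" rule with each of them. It assumes Spring Boot 2.x / Spring Security 5.x with the JSR-250 API (javax.annotation) on the classpath; the class and method names are hypothetical.

```java
// Added example, not code from the question or any answer. Assumes Spring Boot 2.x /
// Spring Security 5.x and javax.annotation on the classpath; names are hypothetical.
package com.example.security;

import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(
        prePostEnabled = true,   // @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter
        securedEnabled = true,   // @Secured
        jsr250Enabled = true)    // @RolesAllowed
public class MethodSecurityConfig {
    // Any flag left at false means the matching annotations are silently ignored
    // and the methods carrying them are open to every caller.
}

@Service
class CompanyService {

    // SpEL: hasRole('ADMIN') is compared against the authority "ROLE_ADMIN";
    // the ROLE_ prefix is added automatically (Spring Security 4 and later).
    @PreAuthorize("hasRole('ADMIN')")
    public String listViaPreAuthorize() {
        return "companies";
    }

    // JSR-250: Spring Security 4+ also prepends ROLE_ when it is missing,
    // so "ADMIN" and "ROLE_ADMIN" are equivalent here.
    @RolesAllowed("ADMIN")
    public String listViaRolesAllowed() {
        return "companies";
    }

    // @Secured passes its values straight to RoleVoter, which only understands
    // attributes that already start with ROLE_.
    @Secured("ROLE_ADMIN")
    public String listViaSecured() {
        return "companies";
    }

    // Pitfall: @Secured("ADMIN") is NOT the same as hasRole('ADMIN'). With the
    // default voters nobody recognises the attribute "ADMIN", every voter abstains,
    // and the AffirmativeBased decision manager denies the call for every caller,
    // admins included.
    @Secured("ADMIN")
    public String listDeniedForEveryone() {
        return "never returned";
    }
}
```

The same flags exist on the newer @EnableMethodSecurity (Spring Security 5.6 and later), where prePostEnabled defaults to true and securedEnabled and jsr250Enabled still default to false, so @Secured and @RolesAllowed have to be switched on explicitly there as well.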

@Secured and @RolesAllowed are the same thing in Spring. The difference is that @Secured is Spring-specific, while @RolesAllowed is the Java standard (JSR250). Neither supports SpEL.

@PreAuthorize is different, and Spring-specific. With @PreAuthorize you can use SpEL, so there is practically no limit to what you can express; for example:

@PreAuthorize("hasRole('ADMIN') or #user.id == authentication.name")
public void deleteUser(User user) {
    ...
}

http://docs.spring.io/autorepo/docs/spring-security/4.0.x/reference/html/el-access.html#el-common-built-in


Also, it does not matter whether you use @Secured or @PreAuthorize, because Spring manages both. In short: use @PreAuthorize.

+14
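As an added example (not part of this answer), the ownership rule above carried through the SpEL-capable annotations, so the same expression is checked before the call, on the return value, and on each element of a returned collection. It assumes prePostEnabled = true on Spring Security 5.x; the User and Document classes and the in-memory store are hypothetical stand-ins for real entities and a repository.

```java
// Added example, not code from the answer. Assumes prePostEnabled = true on
// Spring Security 5.x; User, Document and the in-memory store are hypothetical.
package com.example.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class DocumentService {

    public static class User {
        private final String id;
        public User(String id) { this.id = id; }
        public String getId() { return id; }          // SpEL resolves #user.id through this getter
    }

    public static class Document {
        private final String id;
        private final String owner;
        public Document(String id, String owner) { this.id = id; this.owner = owner; }
        public String getId() { return id; }
        public String getOwner() { return owner; }    // read by returnObject.owner / filterObject.owner
    }

    // Constructed sample data standing in for a repository.
    private final Map<String, Document> documents = new ConcurrentHashMap<>();

    public DocumentService() {
        documents.put("d1", new Document("d1", "alice"));
        documents.put("d2", new Document("d2", "bob"));
    }

    // Checked BEFORE the body runs. #user is the method argument (@P names it so the
    // expression works even without javac -parameters); authentication.name is the
    // caller's username.
    @PreAuthorize("hasRole('ADMIN') or #user.id == authentication.name")
    public void deleteUser(@P("user") User user) {
        documents.values().removeIf(d -> d.getOwner().equals(user.getId()));
    }

    // Checked AFTER the body runs, against the return value. Only suitable for reads:
    // a denied caller still triggered the lookup, they just never see the result.
    // The null guard matters because SpEL cannot read .owner on a null returnObject.
    @PostAuthorize("hasRole('ADMIN') or returnObject == null or returnObject.owner == authentication.name")
    public Document loadDocument(String id) {
        return documents.get(id);
    }

    // Applied to each element of the returned collection (which must be mutable);
    // elements failing the expression are removed, so a plain user only sees their own.
    @PostFilter("hasRole('ADMIN') or filterObject.owner == authentication.name")
    public List<Document> listDocuments() {
        return new ArrayList<>(documents.values());
    }
}
```

@PreFilter works the same way as @PostFilter but prunes a collection argument before the method runs; for a write path, prefer @PreAuthorize or @PreFilter so that denied callers never reach the body at all.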

All of them are basically the same for your purpose, but @PreAuthorize is best suited for controllers and controller methods. @Secured and @RolesAllowed are intended to describe service-level security attributes.

Also note that for the @PreAuthorize annotation to work, you must define a configuration class:

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
...
}
+4
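As an added example (not code from this answer): a test that proves the class-level rule from the question is actually enforced. This is the check worth having after wiring @EnableGlobalMethodSecurity, because a missing or misspelled flag fails open rather than loudly. It assumes Spring Security 5.x with spring-security-test and JUnit 5 on the test classpath; the configuration class, the in-memory user and the CompanyFacade bean are hypothetical stand-ins for the real controller.

```java
// Added example, not code from the answer. Assumes Spring Security 5.x,
// spring-security-test and JUnit 5; the beans below are hypothetical stand-ins.
package com.example.security;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(MethodSecurityEnforcementTest.Config.class)
class MethodSecurityEnforcementTest {

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Config {

        // Constructed user store so an AuthenticationManager exists; no login is
        // performed in these tests, @WithMockUser injects the principal directly.
        @Bean
        UserDetailsService users() {
            return new InMemoryUserDetailsManager(
                    User.withUsername("alice").password("{noop}secret").roles("ADMIN").build());
        }

        @Bean
        CompanyFacade companyFacade() {
            return new CompanyFacade();
        }
    }

    // Stand-in for the CompanyController in the question: the whole class is admin-only.
    @PreAuthorize("hasRole('ADMIN')")
    public static class CompanyFacade {
        public String list() {
            return "companies";
        }
    }

    @Autowired
    CompanyFacade companyFacade;

    @Test
    @WithMockUser(roles = "ADMIN")      // roles = "ADMIN" becomes the authority ROLE_ADMIN
    void adminIsAllowed() {
        assertEquals("companies", companyFacade.list());
    }

    @Test
    @WithMockUser(roles = "USER")
    void nonAdminIsDenied() {
        assertThrows(AccessDeniedException.class, () -> companyFacade.list());
    }

    @Test
    void unauthenticatedCallerIsDenied() {
        // No SecurityContext at all: the interceptor rejects before the expression is evaluated.
        assertThrows(AuthenticationCredentialsNotFoundException.class, () -> companyFacade.list());
    }
}
```

If prePostEnabled is dropped from the configuration, the second and third tests fail because list() now returns "companies" to everyone; that is exactly the regression this test exists to catch.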

Source: https://habr.com/ru/post/1677102/
