When using Spring Security, method-level access control is usually done with one of three annotations: @Secured(), @PreAuthorize() and @RolesAllowed().
@Secured({"ROLE_ADMIN"}) public void changePassword(String username, String password);
@RolesAllowed({"ROLE_ADMIN"}) public void changePassword(String username, String password);
@PreAuthorize("hasRole('ROLE_ADMIN')") public void changePassword(String username, String password);
1. @Secured(): secured-annotations
To use it, Spring Security must be configured as follows (whether via XML or via annotations in Spring Boot, secured-annotations must be enabled explicitly):
XML: <global-method-security secured-annotations="enabled"/>
Spring Boot: @EnableGlobalMethodSecurity(securedEnabled = true)
2. @RolesAllowed(): jsr250-annotations
To use it, Spring Security must be configured as follows (whether via XML or via annotations in Spring Boot, jsr250-annotations must be enabled explicitly):
XML: <global-method-security jsr250-annotations="enabled"/>
Spring Boot: @EnableGlobalMethodSecurity(jsr250Enabled = true)
3. @PreAuthorize(): pre-post-annotations
To use it, Spring Security must be configured as follows (whether via XML or via annotations in Spring Boot, pre-post-annotations must be enabled explicitly):
XML: <global-method-security pre-post-annotations="enabled"/>
Spring Boot: @EnableGlobalMethodSecurity(prePostEnabled = true)
@Secured and @RolesAllowed are the same; the only difference is that @RolesAllowed is a standard annotation (i.e. not only Spring Security) whereas @Secured is Spring Security only.
@PreAuthorize is different in that it is more powerful than the other two. It allows SpEL expressions for more fine-grained control.
Which to use? Well, the simplest thing that could possibly work: if you don't need expressions etc., go with the standard annotations to limit the dependency on Spring classes.
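The configuration and service below are an added example, not code from the original post: they enable all three annotation families at once and show the kind of rule only @PreAuthorize can express (an admin may reset any password, every other caller only their own). Class names, method names and the `store` helper are assumed; the `javax.annotation.security` package is assumed for the JSR-250 annotation.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

import javax.annotation.security.RolesAllowed;

// Each flag switches on one annotation family. A method annotated with a
// family whose flag is left false is NOT protected and runs for any caller,
// so enabling only the families you actually use is the usual mistake to check.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

// Assumed example service; names are illustrative.
@Service
class PasswordService {

    // Spring-only annotation: the caller must hold the ROLE_ADMIN authority.
    @Secured("ROLE_ADMIN")
    public void adminResetPassword(String username, String password) {
        store(username, password);
    }

    // JSR-250 standard annotation: same check, no dependency on Spring classes.
    @RolesAllowed("ROLE_ADMIN")
    public void adminResetPasswordJsr250(String username, String password) {
        store(username, password);
    }

    // SpEL rule: admins may change any password, everyone else only their own.
    // #username binds the method parameter (requires parameter names in the
    // class file, e.g. javac -parameters); authentication.name is the caller.
    @PreAuthorize("hasRole('ROLE_ADMIN') or #username == authentication.name")
    public void changePassword(String username, String password) {
        store(username, password);
    }

    private void store(String username, String password) {
        // Persistence omitted in this example; hash the password before storing it.
    }
}
```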
| Method authorization type | Declaration style | JSR standard | Allows SpEL expressions |
|---|---|---|---|
| @PreAuthorize @PostAuthorize | Annotation | No | Yes |
| @RolesAllowed @PermitAll @DenyAll | Annotation | Yes | No |
| @Secured | Annotation | No | No |
| protect-pointcut | | No | No |
Differences: @Secured(), @PreAuthorize() and @RolesAllowed()