Spring Security: What's the difference between @Secured and @PreAuthorize in Spring Security 3?
It's not clear to me what the difference is in Spring Security between:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact)
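and
I know that PreAuthorize can work with Spring EL, but in my example, is there a real difference?
The real difference is that @PreAuthorize can work with . You can:
- Access methods and properties of
- Access method arguments (requires compilation with debug info or custom info):
- (Advanced feature) Add your own methods (override and set it as )
Simply put, @PreAuthorize is newer than @Secured.
So I think it is better to use @PreAuthorize, as it is "expression-based" and you can use expressions such as hasRole, hasAnyRole, permitAll, etc.
To learn about expressions, see these. If you want the method to be accessible only when the user has both Role1 and Role2, then you have to use @PreAuthorize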
@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")
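Using
@PreAuthorize is different; it is more powerful than @Secured.
- The older @Secured annotations did not allow expressions to be used.
- Starting with Spring Security 3, the more flexible annotations @PreAuthorize and @PostAuthorize (as well as @PreFilter and @PostFilter) are preferred, as they support Spring Expression Language (SpEL) and provide expression-based access control.
- The @Secured("ROLE_ADMIN") annotation is the same as @PreAuthorize("hasRole('ROLE_ADMIN')").
- @Secured({"ROLE_USER", "ROLE_ADMIN"}) is treated as ROLE_USER OR ROLE_ADMIN.
@PreAuthorize("hasRole('ADMIN') OR hasRole('USER')") defines the same thing, which is easier to understand. You can also express AND, OR, or NOT (!).
@PreAuthorize("!isAnonymous() AND hasRole('ADMIN')")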
Didn't know about this, but it looks great!
When you reverted my edit, are you saying there is no error in this "hasRole('ADMIN OR hasRole('USER')"?
@PreAuthorize("#contact.name == principal.name")
public void doSomething(Contact contact)
@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")
@Secured({"role1", "role2"}) // is treated as an OR
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
|                                               | @Secured                                                 | @PreAuthorize                                                   |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions                         | Doesn't support.                                         | Supports                                                        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Multiple roles conjunctions with AND operator | Doesn't support. (If there are multiple roles defined    | Supports                                                        |
|                                               | they will be automatically combined with OR operator)    |                                                                 |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation                          | Add following line to spring-security.xml                | Add following line to spring-security.xml                       |
|                                               | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/>        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example                                       | @Secured({ROLE_ADMIN , ROLE_USER})                       | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
|                                               | public void addUser(UserInfo user){...}                  | public void addUser(UserInfo user){...}                         |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
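
The OR-versus-AND behaviour and the argument-based check described in the answers above, as an added example that is not part of the original posts. It assumes Spring Security 6 on the classpath and uses @EnableMethodSecurity(securedEnabled = true) in place of the <global-method-security> XML shown in the table; the class, method and user names are made up for the demonstration.

```java
import org.springframework.context.annotation.*;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.parameters.P;
public class SecuredVsPreAuthorizeDemo {
    public static class Contact {
        private final String name;
        public Contact(String name) { this.name = name; }
        public String getName() { return name; }
    }
    public static class ContactService {
        @Secured({"ROLE_USER", "ROLE_ADMIN"})   // listed roles are alternatives (OR)
        public void securedEither() {}
        @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")   // both required
        public void preAuthorizeBoth() {}
        // The page's expression reads principal.name; authentication.name is used here because
        // the constructed token below has a plain String principal. @P names the argument for SpEL.
        @PreAuthorize("#contact.name == authentication.name")
        public void update(@P("contact") Contact contact) {}
    }
    @Configuration
    @EnableMethodSecurity(securedEnabled = true)   // @PreAuthorize support is on by default
    static class Config {
        @Bean ContactService contactService() { return new ContactService(); }
    }

    // Runs the call as a constructed, already-authenticated user; false means access was denied.
    static boolean allowed(Runnable call, String user, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken(user, "n/a", roles));
        try { call.run(); return true; }
        catch (AccessDeniedException denied) { return false; }
        finally { SecurityContextHolder.clearContext(); }
    }

    public static void main(String[] args) {
        try (var ctx = new AnnotationConfigApplicationContext(Config.class)) {
            ContactService svc = ctx.getBean(ContactService.class);
            System.out.println("@Secured, USER only: " + allowed(svc::securedEither, "alice", "ROLE_USER"));
            System.out.println("@PreAuthorize(and), USER only: " + allowed(svc::preAuthorizeBoth, "alice", "ROLE_USER"));
            System.out.println("@PreAuthorize(and), both roles: " + allowed(svc::preAuthorizeBoth, "alice", "ROLE_USER", "ROLE_ADMIN"));
            System.out.println("update own contact: " + allowed(() -> svc.update(new Contact("alice")), "alice", "ROLE_USER"));
            System.out.println("update other's contact: " + allowed(() -> svc.update(new Contact("bob")), "alice", "ROLE_USER"));
        }
    }
}
```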