Recently I have been working on a requirement wherein certain UI elements should be visible only to users with a particular role (say the role is XXX).
I used:
<sec:authorize access="hasRole('XXX')"> <input type="button"/></sec:authorize>
which works fine.
But I just wanted to understand whether I need to add the line below in the Java code as well. If yes, then why?
@PreAuthorize("hasRole('XXX')")
As usual, it depends.
If you are building/maintaining a classic MVC application with Spring MVC and all of your RequestMappings are pointing to a (JSP) view (hence resolved by an InternalResourceViewResolver and usually rendered by the JspServlet), you don't need @PreAuthorize.
But if you are exposing at least one endpoint, e.g. as JSON/XML, you'll need to add @PreAuthorize if it is required.
Simply put, if your handler method returns a value that gets resolved by a ViewResolver, use the appropriate tag for JSP, Velocity or Freemarker; otherwise consider using @PreAuthorize.
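The two cases from the answer side by side, as an added example that is not code from the original post: a handler resolved to a JSP view, and a JSON handler guarded with @PreAuthorize. The class names, URL paths and the "reports" view name are hypothetical, and `@EnableMethodSecurity` assumes Spring Security 5.6 or later.

```java
// Added example; ReportController, MethodSecurityConfig, the paths and the
// "reports" view name are hypothetical and not taken from the original post.
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

// Without this, @PreAuthorize annotations are silently ignored.
// On older versions use @EnableGlobalMethodSecurity(prePostEnabled = true).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@Controller
class ReportController {

    // Returns a view name, so a ViewResolver picks the JSP. Inside that JSP,
    // <sec:authorize access="hasRole('XXX')"> decides whether the button is
    // rendered for the current user.
    @GetMapping("/reports")
    public String reportsPage() {
        return "reports";
    }

    // Returns JSON directly, so no JSP (and no <sec:authorize> tag) is involved.
    // hasRole('XXX') matches the granted authority "ROLE_XXX". A caller without
    // it gets an AccessDeniedException before the method body runs, which
    // Spring Security turns into an HTTP 403 response.
    @PreAuthorize("hasRole('XXX')")
    @PostMapping("/api/reports/purge")
    @ResponseBody
    public Map<String, String> purge() {
        return Map.of("status", "purged");
    }
}
```

In a classic setup with separate root and servlet application contexts, the method-security configuration has to be loaded in the context that creates the controller beans, otherwise the annotation has no effect on them.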