
Combining @Secured and @PreAuthorize annotation on one method

I have the following service method in my application:

    @Override
    @Secured({Authority.ACCESS_FUNDING})
    @PreAuthorize("hasPermission(principal, 'MODIFY')")
    public FundingAllocation newFundingAllocation(FundingAllocationForm fundingAllocationForm) {
      return newFundingAllocation(fundingAllocationForm, null);
    }

But I noticed that the @Secured annotation is getting ignored, and only the @PreAuthorize check is performed.

I have the following spring security config:

    <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
      <security:expression-handler ref="securityExpressionHandler"/>
    </security:global-method-security>

Does anybody know if it's even possible to combine two annotations on one method?

As per the Javadoc on DelegatingMethodSecurityMetadataSource, it will use the first source of metadata it finds, so it is not intended to mix the two. The rationale is also explained in https://github.com/spring-projects/spring-security/issues/2116

The official docs also state:

You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise. If two annotations are found which apply to a particular method, then only one of them will be applied.

So just don't do it, and write the correct expression in your @PreAuthorize:

    @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")

as jmw5598's answer suggests.

With @PreAuthorize and @PostAuthorize you can combine expressions with the `and` and `or` operators.

    @Override
    @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
    public FundingAllocation newFundingAllocation(FundingAllocationForm fundingAllocationForm) {
      return newFundingAllocation(fundingAllocationForm, null);
    }

Hopefully this is helpful.

http://docs.spring.io/spring-security/site/docs/current/reference/html/el-access.html
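A test, added here and not part of either answer, that checks the combined expression really enforces both conditions (a caller with MODIFY but without ACCESS_FUNDING is denied). It assumes Spring Security 5.x Java config in place of the question's XML, JUnit 5 with spring-security-test, and a hypothetical PermissionEvaluator that grants a permission when the caller holds an authority of the same name, since the question's own `securityExpressionHandler` is not shown.

```java
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(FundingAuthzTest.Config.class)
class FundingAuthzTest {
  // Stand-in for the service in the question; only the combined expression matters here.
  public static class FundingService {
    @PreAuthorize("hasAuthority('ACCESS_FUNDING') and hasPermission(principal, 'MODIFY')")
    public String newFundingAllocation(String form) { return "allocated:" + form; }
  }

  // Hypothetical evaluator: grants a permission when the caller holds an authority of that name.
  static class AuthorityPermissionEvaluator implements PermissionEvaluator {
    public boolean hasPermission(Authentication auth, Object target, Object perm) {
      return auth.getAuthorities().stream().anyMatch(g -> g.getAuthority().equals(perm));
    }
    public boolean hasPermission(Authentication a, java.io.Serializable id, String t, Object p) { return false; }
  }

  // Java-config equivalent of <global-method-security pre-post-annotations="enabled"> with a custom handler.
  @Configuration @EnableGlobalMethodSecurity(prePostEnabled = true)
  static class Config extends GlobalMethodSecurityConfiguration {
    @Bean FundingService fundingService() { return new FundingService(); }
    @Override protected MethodSecurityExpressionHandler createExpressionHandler() {
      DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
      handler.setPermissionEvaluator(new AuthorityPermissionEvaluator());
      return handler;
    }
  }

  @Autowired FundingService service;

  // MODIFY alone is not enough: with 'and', the missing authority fails the whole check.
  @Test @WithMockUser(authorities = {"MODIFY"})
  void missingAuthorityIsDenied() { assertThrows(AccessDeniedException.class, () -> service.newFundingAllocation("f1")); }

  @Test @WithMockUser(authorities = {"ACCESS_FUNDING", "MODIFY"})
  void bothChecksPass() { assertDoesNotThrow(() -> service.newFundingAllocation("f1")); }
}
```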
