Skip to content

Spring 中文文档社区
Spring 中文文档社区

syhp1982 / Spring 中文文档社区
与 Fork 源项目一致

Fork自 开发云 / Spring 中文文档社区

通知 1
Star 0
Fork 0
Spring 中文文档社区
Spring 中文文档社区

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
servlet-appendix-namespace-method-security.md 8.6 KB
Newer Older
茶陵後's avatar
#18 [skip ci] spring-security  
茶陵後 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 
# Method Security

## \<method-security\>

This element is the primary means of adding support for securing methods on Spring Security beans.
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.

### \<method-security\> attributes

* **pre-post-enabled**Enables Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context.
  Defaults to "true".

* **secured-enabled**Enables Spring Security’s @Secured annotation for this application context.
  Defaults to "false".

* **jsr250-enabled**Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context.
  Defaults to "false".

* **proxy-target-class**If true, class based proxying will be used instead of interface based proxying.
  Defaults to "false".

### Child Elements of \<method-security\>

* [expression-handler](http.html#nsa-expression-handler)

## \<global-method-security\>

This element is the primary means of adding support for securing methods on Spring Security beans.
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.

### \<global-method-security\> Attributes

* **access-decision-manager-ref**Method security uses the same `AccessDecisionManager` configuration as web security, but this can be overridden using this attribute.
  By default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter.

* **authentication-manager-ref**A reference to an `AuthenticationManager` that should be used for method security.

* **jsr250-annotations**Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed").
  This will require the javax.annotation.security classes on the classpath.
  Setting this to true also adds a `Jsr250Voter` to the `AccessDecisionManager`, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.

* **metadata-source-ref**An external `MethodSecurityMetadataSource` instance can be supplied which will take priority over other sources (such as the default annotations).

* **mode**This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP.
  Secured methods must be woven with the `AnnotationSecurityAspect` from the `spring-security-aspects` module.

It is important to note that AspectJ follows Java’s rule that annotations on interfaces are not inherited.
This means that methods that define the Security annotations on the interface will not be secured.
Instead, you must place the Security annotation on the class when using AspectJ.

* **order**Allows the advice "order" to be set for the method security interceptor.

* **pre-post-annotations**Specifies whether the use of Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context.
  Defaults to "disabled".

* **proxy-target-class**If true, class based proxying will be used instead of interface based proxying.

* **run-as-manager-ref**A reference to an optional `RunAsManager` implementation which will be used by the configured `MethodSecurityInterceptor`

* **secured-annotations**Specifies whether the use of Spring Security’s @Secured annotations should be enabled for this application context.
  Defaults to "disabled".

### Child Elements of \<global-method-security\>

* [after-invocation-provider](#nsa-after-invocation-provider)

* [expression-handler](http.html#nsa-expression-handler)

* [pre-post-annotation-handling](#nsa-pre-post-annotation-handling)

* [protect-pointcut](#nsa-protect-pointcut)

## \<after-invocation-provider\>

This element can be used to decorate an `AfterInvocationProvider` for use by the security interceptor maintained by the `<global-method-security>` namespace.
You can define zero or more of these within the `global-method-security` element, each with a `ref` attribute pointing to an `AfterInvocationProvider` bean instance within your application context.

### Parent Elements of \<after-invocation-provider\>

* [global-method-security](#nsa-global-method-security)

### \<after-invocation-provider\> Attributes

* **ref**Defines a reference to a Spring bean that implements `AfterInvocationProvider`.

## \<pre-post-annotation-handling\>

Allows the default expression-based mechanism for handling Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely.
Only applies if these annotations are enabled.

### Parent Elements of \<pre-post-annotation-handling\>

* [global-method-security](#nsa-global-method-security)

### Child Elements of \<pre-post-annotation-handling\>

* [invocation-attribute-factory](#nsa-invocation-attribute-factory)

* [post-invocation-advice](#nsa-post-invocation-advice)

* [pre-invocation-advice](#nsa-pre-invocation-advice)

## \<invocation-attribute-factory\>

Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.

### Parent Elements of \<invocation-attribute-factory\>

* [pre-post-annotation-handling](#nsa-pre-post-annotation-handling)

### \<invocation-attribute-factory\> Attributes

* **ref**Defines a reference to a Spring bean Id.

## \<post-invocation-advice\>

Customizes the `PostInvocationAdviceProvider` with the ref as the `PostInvocationAuthorizationAdvice` for the \<pre-post-annotation-handling\> element.

### Parent Elements of \<post-invocation-advice\>

* [pre-post-annotation-handling](#nsa-pre-post-annotation-handling)

### \<post-invocation-advice\> Attributes

* **ref**Defines a reference to a Spring bean Id.

## \<pre-invocation-advice\>

Customizes the `PreInvocationAuthorizationAdviceVoter` with the ref as the `PreInvocationAuthorizationAdviceVoter` for the \<pre-post-annotation-handling\> element.

### Parent Elements of \<pre-invocation-advice\>

* [pre-post-annotation-handling](#nsa-pre-post-annotation-handling)

### \<pre-invocation-advice\> Attributes

* **ref**Defines a reference to a Spring bean Id.

## Securing Methods using

`<protect-pointcut>`Rather than defining security attributes on an individual method or class basis using the `@Secured` annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the `<protect-pointcut>` element.
You can find an example in the [namespace introduction](../../authorization/method-security.html#ns-protect-pointcut).

### Parent Elements of \<protect-pointcut\>

* [global-method-security](#nsa-global-method-security)

### \<protect-pointcut\> Attributes

* **access**Access configuration attributes list that applies to all methods matching the pointcut, e.g.
  "ROLE\_A,ROLE\_B"

* **expression**An AspectJ expression, including the `execution` keyword.
  For example, `execution(int com.foo.TargetObject.countLength(String))`.

## \<intercept-methods\>

Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean’s methods

### \<intercept-methods\> Attributes

* **access-decision-manager-ref**Optional AccessDecisionManager bean ID to be used by the created method security interceptor.

### Child Elements of \<intercept-methods\>

* [protect](#nsa-protect)

## \<method-security-metadata-source\>

Creates a MethodSecurityMetadataSource instance

### \<method-security-metadata-source\> Attributes

* **id**A bean identifier, used for referring to the bean elsewhere in the context.

* **use-expressions**Enables the use of expressions in the 'access' attributes in \<intercept-url\> elements rather than the traditional list of configuration attributes.
  Defaults to 'false'.
  If enabled, each attribute should contain a single Boolean expression.
  If the expression evaluates to 'true', access will be granted.

### Child Elements of \<method-security-metadata-source\>

* [protect](#nsa-protect)

## \<protect\>

Defines a protected method and the access control configuration attributes that apply to it.
We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".

### Parent Elements of \<protect\>

* [intercept-methods](#nsa-intercept-methods)

* [method-security-metadata-source](#nsa-method-security-metadata-source)

### \<protect\> Attributes

* **access**Access configuration attributes list that applies to the method, e.g.
  "ROLE\_A,ROLE\_B".

* **method**A method name

[Web Security](http.html)[LDAP Security](ldap.html)