Disclaimer: this page is a Chinese-English parallel translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 licence. If you use it, you must follow the same licence, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/29434765/
Difference between @Secured vs @RolesAllowed in Spring? And the concept of Role Based Security?
Asked by AndreaNobili
I am studying Spring Security and I have the following doubts related to the difference between the use of the @Secured annotation and the @RolesAllowed annotation.
I know that both have to be used at method level; in my study material I found the following two examples:
@RolesAllowed annotation:

import javax.annotation.security.RolesAllowed;

public class ItemManager {
    @RolesAllowed("ROLE_MEMBER")
    public Item findItem(long itemNumber) { ... }
}

@Secured annotation:

import org.springframework.security.annotation.Secured;

public class ItemManager {
    @Secured("ROLE_MEMBER")
    public Item findItem(long itemNumber) { ... }
}
It seems to me that these two annotations work in the same way. What are the differences? What am I missing?
Another doubt that I have is: what exactly does ROLE_MEMBER represent?
I think that this is something like role-based security, so it could mean something like: only if the user is a member can they access the annotated resource (is that correct?). But where and how is it defined that the user has this role (is a member)? How exactly does it work?
Thanks
Answer by Faraj Farook
@Secured and @RolesAllowed are the same. They do the same operation in Spring.
But:

- @RolesAllowed - standard Java annotation. Java has defined Java Specification Requests, basically change requests for the Java language, libraries and other components. For the development of annotations, they have provided JSR 250. @RolesAllowed is included in it. This link contains further info on JSR 250.
- @Secured - Spring Security annotation.
ROLE_MEMBER is the role which is set on the security user details.
Refer to this example from my current project. Here I'm using the user data object and mapping the roles given to the user to the security user details.
import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class CustomUserDetails implements UserDetails {

    private final User user; // application user entity carrying its roles (declaration elided in the original)

    // ... constructor and the remaining UserDetails methods (getUsername, getPassword, ...) omitted

    // Map every role stored on the user record to a Spring Security authority.
    // The role string (e.g. "ROLE_MEMBER") is what @Secured / @RolesAllowed compare against.
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (Role role : this.user.getRoles()) {
            grantedAuthorities.add(new SimpleGrantedAuthority(role.getRole()));
        }
        return grantedAuthorities;
    }
}
These roles are then set for the security approvals using @Secured or @RolesAllowed or @PreAuthorize("hasRole('ROLE_USER')") on the methods.
By design it's good to put the security in the Service layer. So when I'm securing my service actions, I check for the roles, not for the users.
This way, we can focus on the business logic and the security for the business logic via small security units called roles.
Then I assign the roles to the user. Users can have multiple roles. So you have to see the relationship here: users are given the roles, and roles are given the access to the business logic. Users are given the access to the business logic via the roles. This concept is called Role Based Access Control.
And in complex situations we can also manage hierarchical roles, where one role contains many other roles. But in the UserDetails, we have to flatten the role hierarchy and provide the list of roles to the Spring framework to process.
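To illustrate the flattening the answer describes, here is an added example that is not from the answer's project: an iterative walk over a hypothetical Role entity (with the getRole() accessor from the answer plus an assumed getIncludes() list of nested roles) that produces the flat GrantedAuthority collection a custom getAuthorities() would return.

```java
import java.util.ArrayDeque;
import java.util.Collection;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Hypothetical role entity (assumed shape): a role name plus the roles it includes. */
final class Role {
    private final String name;
    private final List<Role> includes;
    Role(String name, List<Role> includes) { this.name = name; this.includes = includes; }
    String getRole() { return name; }
    List<Role> getIncludes() { return includes; }
}

final class RoleFlattener {
    /**
     * Walks the role graph from the roles directly assigned to a user and returns every
     * reachable role as a GrantedAuthority, i.e. the flat list a UserDetails.getAuthorities()
     * implementation hands to Spring. The visited set stops a mis-configured cycle
     * (ROLE_A includes ROLE_B includes ROLE_A) from looping forever.
     */
    static Collection<GrantedAuthority> flatten(Collection<Role> assigned) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<Role> work = new ArrayDeque<>(assigned);
        while (!work.isEmpty()) {
            Role r = work.pop();
            if (seen.add(r.getRole())) {       // first visit of this role name
                work.addAll(r.getIncludes());   // queue the roles it includes
            }
        }
        Set<GrantedAuthority> out = new LinkedHashSet<>();
        for (String n : seen) out.add(new SimpleGrantedAuthority(n));
        return out;
    }

    public static void main(String[] args) {
        Role member = new Role("ROLE_MEMBER", List.of());
        Role editor = new Role("ROLE_EDITOR", List.of(member));
        Role admin  = new Role("ROLE_ADMIN",  List.of(editor, member));
        // A user holding only ROLE_ADMIN ends up with all three authorities, so a method
        // annotated @Secured("ROLE_MEMBER") admits that user as well.
        System.out.println(flatten(List.of(admin)));
    }
}
```

Spring Security can alternatively resolve the hierarchy at authorization time with a RoleHierarchyImpl bean, in which case the UserDetails keeps only the directly assigned roles.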
Answer by Aleksandar
The accepted answer completely answers the question (heh), but I think this is a good place to say how to enable method level security in Spring.
The only thing you need to add is the @EnableGlobalMethodSecurity annotation on a configuration class (see the example) with the following properties set to true (default is false):
- securedEnabled (enables Spring's Secured annotation),
- jsr250Enabled (enables the JSR-250 standard Java security annotations, like RolesAllowed),
- prePostEnabled (enables Spring's PreAuthorize and PostAuthorize annotations).
Example of annotation usage:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(
    securedEnabled = true,   // enables @Secured
    jsr250Enabled = true,    // enables @RolesAllowed (JSR-250)
    prePostEnabled = true)   // enables @PreAuthorize / @PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // ...
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().fullyAuthenticated()
            .and()
            .formLogin(); // You probably need more than this
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // your authentication manager config here
    }
}
For a more detailed example, see Spring Security Method Level Annotations Example.