Spring @EnableGlobalMethodSecurity vs @EnableWebSecurity

Notice: This page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). StackOverflow original URL: http://stackoverflow.com/questions/29721098/

Time: 2020-09-08 00:30:50  Source: igfitidea


spring rest spring-security spring-boot

Asked by Christopher

I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either @EnableGlobalMethodSecurity or @EnableWebSecurity. Unfortunately, the documentation that I have found for these doesn't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?


Answered by Joao Evangelista

EnableWebSecurity will provide configuration via HttpSecurity, providing the configuration you could find with the <http></http> tag in XML configuration. It allows you to configure your access based on URL patterns, the authentication endpoints, handlers, etc.


EnableGlobalMethodSecurity provides AOP security on methods. Some of the annotations it will enable are PreAuthorize and PostAuthorize; it also has support for JSR-250. There are also more parameters in the configuration for you.


For your needs, it's better to mix the two. With REST you can achieve all you need only with @EnableWebSecurity, since HttpSecurity#antMatchers(HttpMethod,String...) accepts controls over HTTP methods.

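The two annotations combined, as an added example that is not part of the original answer: URL and HTTP-method rules through HttpSecurity, plus per-method checks through @PreAuthorize/@PostAuthorize. The `/api/orders` paths, role names, `Order` and `OrderService` are hypothetical; HTTP Basic with a stateless API is an assumption, and the user store (for example a relational database) is not shown.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.stereotype.Service;

// Layer 1 (@EnableWebSecurity): coarse rules per URL pattern and HTTP method.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Assumption: non-browser clients send credentials on every request.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .httpBasic().and()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/orders/**").hasRole("USER")
                .antMatchers(HttpMethod.POST, "/api/orders/**").hasRole("ADMIN")
                .antMatchers(HttpMethod.DELETE, "/api/orders/**").hasRole("ADMIN")
                .anyRequest().denyAll(); // default-deny anything not listed above
    }
}

// Hypothetical domain object; SpEL reads "owner" through the public getter.
class Order {
    private final String owner;
    Order(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
}

// Layer 2 (@EnableGlobalMethodSecurity): data-dependent checks a URL rule cannot express.
@Service
class OrderService {
    // Runs after the method returns; rejects the call unless the caller owns the order.
    @PostAuthorize("returnObject.owner == authentication.name or hasAuthority('ROLE_ADMIN')")
    public Order findById(long id) { return new Order("alice"); } // constructed sample data

    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public void delete(long id) { /* hypothetical: remove the order */ }
}
```

Method security is applied by a Spring proxy, so the annotations on `OrderService` take effect only when the bean is called from another bean, not on internal `this.` calls.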