Spring Security Method Level Security: What are the differences between these three annotations?
For Java-based applications, Spring Security is a strong and highly flexible authentication and access-control framework. Method-level security, commonly referred to as method-level security, is one element of Spring Security. Instead of imposing security constraints on the entire class or application, method-level security enables developers to impose security limitations on specific methods within a class. This enables more precise control over who has access to particular areas of the program annotations.
Using the Annotations For Method Level Security.
All of @PreAuthorize, @RolesAllowed and @Secured are annotations that allow configuring method security in spring. They can be applied both on individual methods or on the class level, in the latter case the security constraints will be applied to all methods in the class.
Method-level security is accomplished using Spring AOP proxies.
@PreAuthorize
The @PreAuthorize annotation allows specifying access constraints to a method using the Spring Expression Language (SpEL). These constraints are evaluated prior to the method being executed and may result in the execution of the method being denied if the constraints are not fulfilled. The @PreAuthorize annotation is part of the Spring Security framework.
In order to be able to use @PreAuthorize, the prePostEnabled attribute in the @EnableMethodSecurity annotation needs to be set to true:
@EnableMethodSecurity(prePostEnabled=true)
@RolesAllowed
The @RolesAllowed annotation has its origin in the JSR-250 Java security standard. This annotation is more limited than the @PreAuthorize annotation because it only supports role-based security.
In order to use the @RolesAllowed annotation the library containing this annotation needs to be on the classpath, as it is not part of Spring Security. In addition, the jsr250Enabled attribute of the @EnableGlobalMethodSecurity annotation need to be set to true:
@EnableGlobalMethodSecurity(jsr250Enabled=true)
@Secured
@Secured annotation is a legacy Spring Security 2 annotation that can be used to configure method security. It supports more than only role-based security but does not support using
The @PreAuthorize annotation allows specifying access constraints to a method using the Spring Expression Language (SpEL). These constraints are evaluated prior to the method being executed and may result in the execution of the method being denied if the constraints are not fulfilled.
The @PreAuthorize annotation is part of the Spring Security framework.
to specify security constraints. It is recommended to use the @PreAuthorize annotation in new applications over this annotation.
Support for the @Secured annotation needs to be explicitly enabled in the @EnableGlobalMethodSecurity annotation using the securedEnabled attribute:
@EnableGlobalMethodSecurity(securedEnabled=true)
@Secured and @RolesAllowed perform identical functionality in Spring. The difference is that @Secured is a Spring-specific annotation while @RolesAllowed is a Java standard annotation (JSR250). Neither one of this annotation support SpEL.
@PreAuthorize is another Spring specific annotation. You can perform a lot more powerful operations with @PreAuthorize using SpEL. You can write expressions for the limit method invocation based on the roles/permissions, the currently authenticated user, and the arguments passed into the method.
Example:
@PreAuthorize("hasRole('ADMIN') or #user.id == authentication.name")
public void deleteUser(User user) {
...
}
As you can notice from the delete method above, this method can only be invoked by any user with the ROLE of ADMIN or the currently logged-in user Id must be == the user Id to be deleted ( this means no user should be able to delete another user except the Admin).
Conclusion
As for which to use, it’s really up to you. @Secure and @PreAuthorize will tie your code to Spring. If being tied to Spring is not an issue or you need to perform more powerful operations, use @PreAuthorize.
