@RolesAllowed vs. @PreAuthorize vs. @Secured

#1
I have a basic SpringBoot app using Spring Initializr, embedded Tomcat and the Thymeleaf template engine, packaged as an executable JAR file.

I want to secure a controller:

~~~java
@Controller
@RequestMapping("/company")
@RolesAllowed({"ROLE_ADMIN"})
@PreAuthorize("hasRole('ADMIN')")
@Secured("ADMIN")
public class CompanyController {
}
~~~

I know that there are different options, but I don't really know which I should use.
Reply

#2
`@Secured` and `@RolesAllowed` perform identical functionality in Spring. The difference is that `@Secured` is a Spring-specific annotation while `@RolesAllowed` is a Java standard annotation (JSR-250). Neither of these annotations supports SpEL.

`@PreAuthorize` is another Spring-specific annotation. You can perform a lot more powerful operations with `@PreAuthorize` using SpEL. You can write expressions that limit method invocation based on the roles/permissions, the current authenticated user, and the arguments passed into the method.

~~~java
@PreAuthorize("hasRole('ADMIN') or #user.id == authentication.name")
public void deleteUser(User user) {
...
}
~~~

---

As for which to use, it's really up to you. `@Secured` and `@PreAuthorize` will tie your code to Spring. If being tied to Spring is not an issue or you need to perform more powerful operations, use `@PreAuthorize`.
Reply

#3
All of these are basically the same for your purpose, but `@PreAuthorize` is the best fit for controllers and controller methods. `@Secured` and `@RolesAllowed` are intended for describing service layer security attributes.

Also be aware that for the `@PreAuthorize` annotation to work, you must define a configuration class:

~~~java
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
...
}
~~~
Reply

#4
## Security Annotations

All of `@PreAuthorize`, `@RolesAllowed` and `@Secured` are annotations that configure *method security*. They can be applied either to individual methods or at class level; in the latter case the security constraints apply to all methods in the class.

Method-level security is accomplished using Spring AOP proxies.

### `@PreAuthorize`

The **`@PreAuthorize`** annotation allows you to specify access constraints on a method using the *Spring Expression Language (SpEL)*. These constraints are evaluated before the method executes and may result in the invocation being denied if they are not fulfilled. The `@PreAuthorize` annotation is part of the Spring Security framework.

In order to be able to use `@PreAuthorize`, the *`prePostEnabled`* attribute in the
`@EnableGlobalMethodSecurity` annotation needs to be set to `true`:

~~~java
@EnableGlobalMethodSecurity(prePostEnabled=true)
~~~

### `@RolesAllowed`

The **`@RolesAllowed`** annotation has its origin in the JSR-250 Java security standard. This annotation is *more limited* than the `@PreAuthorize` annotation because it *only supports role-based security*.

In order to use the `@RolesAllowed` annotation, the library containing this annotation needs to be on the classpath, as it is not part of Spring Security. In addition, the *`jsr250Enabled`* attribute of the `@EnableGlobalMethodSecurity` annotation needs to be set to `true`:

~~~java
@EnableGlobalMethodSecurity(jsr250Enabled=true)
~~~

### `@Secured`

The **`@Secured`** annotation is a *legacy Spring Security 2 annotation* that can be used to configure method security. It supports more than only role-based security, but does not support using the Spring Expression Language (SpEL) to specify security constraints. It is recommended to use the `@PreAuthorize` annotation in new applications over this annotation.

Support for the `@Secured` annotation needs to be explicitly enabled in the
`@EnableGlobalMethodSecurity` annotation using the *`securedEnabled`* attribute:

~~~java
@EnableGlobalMethodSecurity(securedEnabled=true)
~~~

### Which security annotations allow the use of SpEL

The following table shows the support for Spring Expression Language in the security annotations that can be used with Spring Security 5:

| Security Annotation | Has SpEL Support? |
|---------------------|-------------------|
| `@PreAuthorize`     | yes               |
| `@PostAuthorize`    | yes               |
| `@PreFilter`        | yes               |
| `@PostFilter`       | yes               |
| `@Secured`          | no                |
| `@RolesAllowed`     | no                |
Reply
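As an added example (not from any of the posts above), here is one configuration that enables all three annotation styles, next to a service that expresses the same "admin only" constraint with each, plus the one rule only SpEL can express; the class names, the `User` type and the service methods are assumptions. It also shows why the question's `@Secured("ADMIN")` would not work as intended.

```java
// MethodSecurityConfig.java (added example; class names are hypothetical)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(
        prePostEnabled = true,   // @PreAuthorize, @PostAuthorize, @PreFilter, @PostFilter
        securedEnabled = true,   // @Secured
        jsr250Enabled = true)    // @RolesAllowed (JSR-250; needs javax.annotation-api on the classpath)
public class MethodSecurityConfig {
}

// UserService.java: the same constraint with each annotation, and one SpEL-only rule
import javax.annotation.security.RolesAllowed;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    // @Secured compares the literal authority string, so the ROLE_ prefix is required.
    // The default RoleVoter ignores attributes without that prefix, which means
    // @Secured("ADMIN") as written in the question is never matched and every call is denied.
    @Secured("ROLE_ADMIN")
    public void deleteAll() { /* ... */ }

    // @RolesAllowed is role-only like @Secured, but Spring prepends ROLE_ when it is missing.
    @RolesAllowed("ADMIN")
    public void purgeAudit() { /* ... */ }

    // @PreAuthorize: hasRole('ADMIN') also prepends ROLE_, and the SpEL expression can read
    // method arguments and the current Authentication. @P names the parameter for SpEL so
    // the rule does not rely on parameter names being compiled in (javac -parameters).
    @PreAuthorize("hasRole('ADMIN') or #user.name == authentication.name")
    public void deleteUser(@P("user") User user) { /* ... */ }
}

// User.java: minimal argument type for the SpEL rule (#user.name resolves to getName())
public class User {
    private final String name;
    public User(String name) { this.name = name; }
    public String getName() { return name; }
}
```

Each annotation is only honoured if its flag on `@EnableGlobalMethodSecurity` is set; with the flags above, a non-admin calling `deleteUser` on another user's record gets an `AccessDeniedException` before the method body runs.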
