Join the social network of Tech Nerds, increase skill rank, get work, manage projects...
 
  • Difference between @Secured and @PreAuthorize

    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 0
    • 6.09k
    Comment on it

    @Secured vs @PreAuthorize : Spring Framework provides the different ways to secure the application. Spring Framework has lots of handy tools or methods to secure application. @Secured and @PreAuthorize are the two most popular annotations used to provide method level security. @Secured is used from a long time it is mature whereas @PreAuthorize is a bit new but becoming famous very fast.

    These both are used by developer for security but most of developers are confused about these functionality because both are almost same. @Secured and @PreAuthorize are almost same there is very little difference between these two. Both @Secured and @PreAuthorize belongs to Spring Security. But @PreAuthorize is more powerful than the @Secured.

    The difference between @Secured and @PreAuthorize are as follows :

    1. The main difference between @Secured and @PreAuthorize is that @PreAuthorize can work with Spring EL.
    2. We can access methods and properties of SecurityExpressionRoot while using @PreAuthorize but not with @Secured.
    3. Using @Secured we can only check for static rules but with @PreAuthorize annotation we can use both static and dynamic expression to match the condition.

    Security using @Secured annotation: First we need to do put following line into security.xml to enable the method level security using @Secured annotation.

    <global-method-security secured-annotations="enabled" />
    

    And then put the @Secured annotation on the above of the method which you want to be secure.

    • Here the method addUser is only be accessed by the role User.

      @Secured(ROLE_USER)

      public void addUser(UserInfo user);

    • Here the method updateUser can be accessed by the role User or Admin .

      @Secured({ROLE_ADMIN , ROLE_USER})

      public void updateUser(UserInfo user);

    Security using @PreAuthorize annotation: First we need to do put follwoing line into security.xml to enable the method level security using @PreAuthorize annotation

    <global-method-security pre-post-annotations="enabled"/>
    

    And then put the @PreAuthorize annotation on the above of the method which you want to be secure.

    • Here the method addUser is only be accessed by the role User.

      @PreAuthorize ("hasRole('ROLE_USER')")

      public void addUser(UserInfo user);

    • Here the method updateUser can be accessed by the role User and Admin.

      @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")

      public void updateUser(UserInfo user);

    @PreAuthorize with expression :

    • Here the method addUser is only be accessed if the value of user's name field is equal to value of name field of principal object.

      @PreAuthorize("#user.name == principal.name)

      public void addUser(UserInfo user)

 0 Comment(s)

Sign In
                           OR                           
                           OR                           
Register

Sign up using

                           OR                           
Forgot Password
Fill out the form below and instructions to reset your password will be emailed to you:
Reset Password
Fill out the form below and reset your password: