@Secured vs @PreAuthorize: Spring Framework provides different ways to secure an application and ships many handy tools for it. @Secured and @PreAuthorize are the two most popular annotations for method-level security. @Secured has been around for a long time and is mature, whereas @PreAuthorize is newer but is gaining popularity quickly.
Both are used by developers for method security, and many developers are confused about them because they look almost the same. Both belong to Spring Security, and the difference between them is small, but @PreAuthorize is more powerful than @Secured.
The differences between @Secured and @PreAuthorize are as follows:
- The main difference is that @PreAuthorize can work with Spring EL (SpEL) expressions.
- With @PreAuthorize we can use the methods and properties of SecurityExpressionRoot (such as hasRole and principal, both used below); with @Secured we cannot.
- With @Secured we can only check static role names, but with @PreAuthorize we can write both static and dynamic expressions for the condition.
Security using the @Secured annotation:
First, put the following line into security.xml to enable method-level security with @Secured:
<global-method-security secured-annotations="enabled" />
Then put the @Secured annotation above the method you want to secure. The role names are plain strings.
Here the method addUser can only be accessed by a caller with the role User:
@Secured("ROLE_USER")
public void addUser(UserInfo user);
Here the method updateUser can be accessed by a caller with the role Admin or User:
@Secured({"ROLE_ADMIN", "ROLE_USER"})
public void updateUser(UserInfo user);
Security using the @PreAuthorize annotation:
First, put the following line into security.xml to enable method-level security with @PreAuthorize:
<global-method-security pre-post-annotations="enabled"/>
Then put the @PreAuthorize annotation above the method you want to secure. The annotation value is a SpEL expression evaluated against the current authentication.
Here the method addUser can only be accessed by a caller with the role User:
@PreAuthorize("hasRole('ROLE_USER')")
public void addUser(UserInfo user);
Here the method updateUser can only be accessed by a caller who holds both the User and Admin roles (the expression is a conjunction):
@PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")
public void updateUser(UserInfo user);
@PreAuthorize with an expression:
Here the method addUser can only be accessed if the name field of the user argument equals the name field of the principal object. The argument is referenced as #user, so its parameter name must be available at runtime.
@PreAuthorize("#user.name == principal.name")
public void addUser(UserInfo user);
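The rules above side by side, as an added example that is not part of the original post: the Java-config equivalent of the two security.xml lines, plus a service whose methods carry the @Secured and @PreAuthorize rules discussed. The UserInfo type, the in-memory map and the assumption that the principal is a Spring Security UserDetails (so the expression reads principal.username rather than principal.name) are assumptions, not from the post.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Java-config equivalent of the two <global-method-security> lines in security.xml:
// securedEnabled turns on @Secured, prePostEnabled turns on @PreAuthorize/@PostAuthorize.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
class MethodSecurityConfig {
}

// Assumed domain type (not from the original post); SpEL reads #user.name via getName().
class UserInfo {
    private final String name;
    UserInfo(String name) { this.name = name; }
    public String getName() { return name; }
}

@Service
class UserService {
    private final Map<String, UserInfo> users = new ConcurrentHashMap<>();

    // Static rule: the caller must hold ROLE_USER. @Secured takes plain strings only.
    @Secured("ROLE_USER")
    public void addUser(UserInfo user) { users.put(user.getName(), user); }

    // Static rule with alternatives: either ROLE_ADMIN or ROLE_USER is enough.
    @Secured({"ROLE_ADMIN", "ROLE_USER"})
    public void updateUser(UserInfo user) { users.replace(user.getName(), user); }

    // The same alternative rule written as a SpEL expression.
    @PreAuthorize("hasAnyRole('ROLE_ADMIN', 'ROLE_USER')")
    public void deleteUser(UserInfo user) { users.remove(user.getName()); }

    // Conjunction: the caller must hold both roles, which @Secured cannot express.
    @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")
    public void promoteUser(UserInfo user) { users.put(user.getName(), user); }

    // Dynamic rule: compares a method argument with the authenticated principal.
    // 'principal' is Authentication.getPrincipal(); for a UserDetails principal the
    // property is 'username' (assumption: your principal is a UserDetails). Resolving
    // '#user' needs parameter names at runtime: compile with -parameters or use @P.
    @PreAuthorize("#user.name == principal.username")
    public void renameSelf(UserInfo user) { users.put(user.getName(), user); }
}
```

On Spring Security 5.6 and later, @EnableMethodSecurity is the newer replacement for @EnableGlobalMethodSecurity; it enables the pre/post annotations by default and @Secured only with securedEnabled = true.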