2021-11-01 14:50:25 -06:00
= Method Security
[[nsa-method-security]]
== <method-security>
This element is the primary means of adding support for securing methods on Spring Security beans.
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.
[[nsa-method-security-attributes]]
=== <method-security> attributes
[[nsa-method-security-pre-post-enabled]]
* **pre-post-enabled**
Enables Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context.
Defaults to "true".
[[nsa-method-security-secured-enabled]]
* **secured-enabled**
Enables Spring Security's @Secured annotation for this application context.
Defaults to "false".
[[nsa-method-security-jsr250-enabled]]
* **jsr250-enabled**
Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context.
Defaults to "false".
[[nsa-method-security-proxy-target-class]]
* **proxy-target-class**
If true, class based proxying will be used instead of interface based proxying.
Defaults to "false".
[[nsa-method-security-children]]
=== Child Elements of <method-security>
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
[[nsa-global-method-security]]
== <global-method-security>
2021-12-13 16:57:36 -06:00
The `<global-method-security>` element is the primary means of adding support for securing methods on Spring Security beans.
You can secure methods by using annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements with AspectJ syntax.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-attributes]]
=== <global-method-security> Attributes
2021-12-13 16:57:36 -06:00
The `<global-method-security>` element has the following attributes:
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-access-decision-manager-ref]]
2021-12-13 16:57:36 -06:00
`access-decision-manager-ref`::
Method security uses the same `AccessDecisionManager` configuration as web security, but using this attribute can override this arrangement.
By default, an `AffirmativeBased` implementation is used with a `RoleVoter` and an `AuthenticatedVoter`.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-authentication-manager-ref]]
2021-12-13 16:57:36 -06:00
`authentication-manager-ref`::
A reference to the `AuthenticationManager` that should be used for method security.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-jsr250-annotations]]
2021-12-13 16:57:36 -06:00
`jsr250-annotations`::
Specifies whether JSR-250 style attributes are to be used (for example, `RolesAllowed`).
Doing so requires the `javax.annotation.security` classes to be on the classpath.
Setting this to `true` also adds a `Jsr250Voter` to the `AccessDecisionManager`, so you need to make sure that you do so if you use a custom implementation and want to use these annotations.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-metadata-source-ref]]
2021-12-13 16:57:36 -06:00
`metadata-source-ref`::
You can supply an external `MethodSecurityMetadataSource` instance, which will take priority over other sources (such as the default annotations).
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-mode]]
2021-12-13 16:57:36 -06:00
`mode`::
You can set this attribute to `aspectj` to specify that AspectJ should be used instead of the default Spring AOP.
You must weave secured methods with the `AnnotationSecurityAspect` from the `spring-security-aspects` module.
+
[NOTE]
====
AspectJ follows Java's rule that annotations on interfaces are not inherited.
This means that methods that define the Security annotations on the interface are not secured.
Instead, you must place the Security annotation on the class when you use AspectJ.
====
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-order]]
2021-12-13 16:57:36 -06:00
`order`::
Lets the `order` advice be set for the method security interceptor.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-pre-post-annotations]]
2021-12-13 16:57:36 -06:00
`pre-post-annotations`::
Specifies whether the use of Spring Security's pre- and post-invocation annotations (`@PreFilter`, `@PreAuthorize`, `@PostFilter`, and `@PostAuthorize`) should be enabled for this application context.
Default: `disabled`
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-proxy-target-class]]
2021-12-13 16:57:36 -06:00
`proxy-target-class`::
If `true`, class-based proxying is used instead of interface-based proxying.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-run-as-manager-ref]]
2021-12-13 16:57:36 -06:00
`run-as-manager-ref`::
A reference to an optional `RunAsManager` implementation, which is used by the configured `MethodSecurityInterceptor`.
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-secured-annotations]]
2021-12-13 16:57:36 -06:00
`secured-annotations`::
Specifies whether the use of Spring Security's `@Secured` annotations should be enabled for this application context.
Default: `disabled`
2021-11-01 14:50:25 -06:00
[[nsa-global-method-security-children]]
=== Child Elements of <global-method-security>
2021-12-13 16:57:36 -06:00
The `<global-method-security>` has the following child elements:
2021-11-01 14:50:25 -06:00
* <<nsa-after-invocation-provider,after-invocation-provider>>
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
* <<nsa-protect-pointcut,protect-pointcut>>
[[nsa-after-invocation-provider]]
== <after-invocation-provider>
2021-12-13 16:57:36 -06:00
You can use the `<after-invocation-provider>` element to decorate an `AfterInvocationProvider` for use by the security interceptor that is maintained by the `<global-method-security>` namespace.
You can define zero or more of these elements within the `global-method-security` element, each with a `ref` attribute that points to an `AfterInvocationProvider` bean instance within your application context.
2021-11-01 14:50:25 -06:00
[[nsa-after-invocation-provider-parents]]
=== Parent Elements of <after-invocation-provider>
2021-12-13 16:57:36 -06:00
The parent element of the `<after-invocation-provider>` is the <<nsa-global-method-security,global-method-security>> element.
2021-11-01 14:50:25 -06:00
[[nsa-after-invocation-provider-attributes]]
=== <after-invocation-provider> Attributes
2021-12-13 16:57:36 -06:00
The `<after-invocation-provider>` element has a single attribute:
2021-11-01 14:50:25 -06:00
[[nsa-after-invocation-provider-ref]]
2021-12-13 16:57:36 -06:00
`ref`::
2021-11-01 14:50:25 -06:00
Defines a reference to a Spring bean that implements `AfterInvocationProvider`.
[[nsa-pre-post-annotation-handling]]
== <pre-post-annotation-handling>
2021-12-13 16:57:36 -06:00
The `<pre-post-annotation-handling>` lets us entirely replace the default expression-based mechanism for handling Spring Security's pre- and post-invocation annotations (`@PreFilter`, `@PreAuthorize`, `@PostFilter`, `@PostAuthorize`).
It applies only if these annotations are enabled.
2021-11-01 14:50:25 -06:00
[[nsa-pre-post-annotation-handling-parents]]
=== Parent Elements of <pre-post-annotation-handling>
2021-12-13 16:57:36 -06:00
The parent element of the `<pre-post-annotation-handling>` element is the <<nsa-global-method-security,global-method-security>> element.
2021-11-01 14:50:25 -06:00
[[nsa-pre-post-annotation-handling-children]]
=== Child Elements of <pre-post-annotation-handling>
2021-12-13 16:57:36 -06:00
The `<pre-post-annotation-handling>` element has the following children:
2021-11-01 14:50:25 -06:00
* <<nsa-invocation-attribute-factory,invocation-attribute-factory>>
* <<nsa-post-invocation-advice,post-invocation-advice>>
* <<nsa-pre-invocation-advice,pre-invocation-advice>>
[[nsa-invocation-attribute-factory]]
== <invocation-attribute-factory>
2021-12-13 16:57:36 -06:00
The `<invocation-attribute-factory>` element defines the `PrePostInvocationAttributeFactory` instance to use to generate pre- and post-invocation metadata from the annotated methods.
2021-11-01 14:50:25 -06:00
[[nsa-invocation-attribute-factory-parents]]
=== Parent Elements of <invocation-attribute-factory>
2021-12-13 16:57:36 -06:00
The parent element of the `<invocation-attribute-factory>` element is the <<nsa-pre-post-annotation-handling,`pre-post-annotation-handling`>> element.
2021-11-01 14:50:25 -06:00
[[nsa-invocation-attribute-factory-attributes]]
=== <invocation-attribute-factory> Attributes
2021-12-13 16:57:36 -06:00
The `<invocation-attribute-factory>` has a single attribute:
2021-11-01 14:50:25 -06:00
[[nsa-invocation-attribute-factory-ref]]
2021-12-13 16:57:36 -06:00
`ref`::
Defines a reference to a Spring bean ID.
2021-11-01 14:50:25 -06:00
[[nsa-post-invocation-advice]]
== <post-invocation-advice>
2021-12-13 16:57:36 -06:00
The `<post-invocation-advice>` element customizes the `PostInvocationAdviceProvider` with the value of the `ref` attribute as the `PostInvocationAuthorizationAdvice` for the `<pre-post-annotation-handling>` element.
2021-11-01 14:50:25 -06:00
[[nsa-post-invocation-advice-parents]]
=== Parent Elements of <post-invocation-advice>
2021-12-13 16:57:36 -06:00
The parent element of the `<post-invocation-advice>` element is the <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> element.
2021-11-01 14:50:25 -06:00
[[nsa-post-invocation-advice-attributes]]
=== <post-invocation-advice> Attributes
2021-12-13 16:57:36 -06:00
The `<post-invocation-advice>` has a single attribute:
2021-11-01 14:50:25 -06:00
[[nsa-post-invocation-advice-ref]]
2021-12-13 16:57:36 -06:00
`ref`::
Defines a reference to a Spring bean ID.
2021-11-01 14:50:25 -06:00
[[nsa-pre-invocation-advice]]
== <pre-invocation-advice>
2021-12-13 16:57:36 -06:00
The `<pre-invocation-advice>` element customizes the `PreInvocationAuthorizationAdviceVoter` with the value of the `ref` attribute as the `PreInvocationAuthorizationAdviceVoter` for the `<pre-post-annotation-handling>` element.
2021-11-01 14:50:25 -06:00
[[nsa-pre-invocation-advice-parents]]
=== Parent Elements of <pre-invocation-advice>
2021-12-13 16:57:36 -06:00
The parent element of the `<pre-invocation-advice>` is the <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> element.
2021-11-01 14:50:25 -06:00
[[nsa-pre-invocation-advice-attributes]]
=== <pre-invocation-advice> Attributes
2021-12-13 16:57:36 -06:00
The `<pre-invocation-advice>` element has a single attribute:
2021-11-01 14:50:25 -06:00
[[nsa-pre-invocation-advice-ref]]
2021-12-13 16:57:36 -06:00
ref::
Defines a reference to a Spring bean ID.
2021-11-01 14:50:25 -06:00
[[nsa-protect-pointcut]]
2021-12-13 16:57:36 -06:00
== Securing Methods using <protect-pointcut>
Rather than defining security attributes on an individual method or class basis by using the `@Secured` annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer by using the `<protect-pointcut>` element.
2021-11-01 14:50:25 -06:00
You can find an example in the xref:servlet/authorization/method-security.adoc#ns-protect-pointcut[namespace introduction].
[[nsa-protect-pointcut-parents]]
=== Parent Elements of <protect-pointcut>
2021-12-13 16:57:36 -06:00
The parent element of the `<protect-pointcut>` element is the <<nsa-global-method-security,global-method-security>> element.
2021-11-01 14:50:25 -06:00
[[nsa-protect-pointcut-attributes]]
=== <protect-pointcut> Attributes
2021-12-13 16:57:36 -06:00
The `<protect-pointcut>` has the following attributes:
2021-11-01 14:50:25 -06:00
[[nsa-protect-pointcut-access]]
2021-12-13 16:57:36 -06:00
`access`::
Access configuration attributes list that applies to all methods that match the pointcut -- for example,
`ROLE_A,ROLE_B`.
2021-11-01 14:50:25 -06:00
[[nsa-protect-pointcut-expression]]
2021-12-13 16:57:36 -06:00
`expression`::
An AspectJ expression, including the `execution` keyword -- for example, `execution(int com.foo.TargetObject.countLength(String))`.
2021-11-01 14:50:25 -06:00
[[nsa-intercept-methods]]
== <intercept-methods>
2021-12-13 16:57:36 -06:00
You can use the `<intercept-methods>` element inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
2021-11-01 14:50:25 -06:00
[[nsa-intercept-methods-attributes]]
=== <intercept-methods> Attributes
2021-12-13 16:57:36 -06:00
The `<intercept-methods>` element has a single attribute:
2021-11-01 14:50:25 -06:00
[[nsa-intercept-methods-access-decision-manager-ref]]
2021-12-13 16:57:36 -06:00
`access-decision-manager-ref`::
Optional `AccessDecisionManager` bean ID to be used by the created method security interceptor.
2021-11-01 14:50:25 -06:00
[[nsa-intercept-methods-children]]
=== Child Elements of <intercept-methods>
2021-12-13 16:57:36 -06:00
The child element of the `<intercept-methods>` is the <<nsa-protect,protect>> element.
2021-11-01 14:50:25 -06:00
[[nsa-method-security-metadata-source]]
== <method-security-metadata-source>
2021-12-13 16:57:36 -06:00
The `<method-security-metadata-source>` element creates a `MethodSecurityMetadataSource` instance.
2021-11-01 14:50:25 -06:00
[[nsa-method-security-metadata-source-attributes]]
=== <method-security-metadata-source> Attributes
2021-12-13 16:57:36 -06:00
The `<method-security-metadata-source>` element has the following attributes:
2021-11-01 14:50:25 -06:00
[[nsa-method-security-metadata-source-id]]
2021-12-13 16:57:36 -06:00
`id`::
2021-11-01 14:50:25 -06:00
A bean identifier, used for referring to the bean elsewhere in the context.
[[nsa-method-security-metadata-source-use-expressions]]
2021-12-13 16:57:36 -06:00
`use-expressions`::
Enables the use of expressions in the `access` attributes of `<intercept-url>` elements rather than the traditional list of configuration attributes.
Default: `false`
2021-11-01 14:50:25 -06:00
If enabled, each attribute should contain a single Boolean expression.
2021-12-13 16:57:36 -06:00
If the expression evaluates to `true`, access is granted.
2021-11-01 14:50:25 -06:00
[[nsa-method-security-metadata-source-children]]
=== Child Elements of <method-security-metadata-source>
2021-12-13 16:57:36 -06:00
The `<method-security-metadata-source>` element has a single child element: <<nsa-protect,protect>>.
2021-11-01 14:50:25 -06:00
[[nsa-protect]]
== <protect>
Defines a protected method and the access control configuration attributes that apply to it.
We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".
[[nsa-protect-parents]]
=== Parent Elements of <protect>
2021-12-13 16:57:36 -06:00
The `<protect>` element has two parent elements:
2021-11-01 14:50:25 -06:00
* <<nsa-intercept-methods,intercept-methods>>
* <<nsa-method-security-metadata-source,method-security-metadata-source>>
[[nsa-protect-attributes]]
=== <protect> Attributes
2021-12-13 16:57:36 -06:00
The `<protect>` element has the following attributes:
2021-11-01 14:50:25 -06:00
[[nsa-protect-access]]
2021-12-13 16:57:36 -06:00
`access`::
Access configuration attributes list that applies to the method -- for example,
`ROLE_A,ROLE_B`.
2021-11-01 14:50:25 -06:00
[[nsa-protect-method]]
2021-12-13 16:57:36 -06:00
`method`::
A method name.
