SEC-1398: Minor changes to method security annotation information in namespace chapter.

Added some explanation of the different annotation types and their suitability.
Luke Taylor 2010-02-06 18:01:34 +00:00
parent 67c9a0b78d
commit f54831f2b5
@ -620,21 +620,21 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<section xml:id="ns-method-security"> <section xml:id="ns-method-security">
<title>Method Security</title> <title>Method Security</title>
<para>From version 2.0 onwards Spring Security has improved support substantially for adding <para>From version 2.0 onwards Spring Security has improved support substantially for adding
security to your service layer methods. It provides support for JSR-250 security as well as security to your service layer methods. It provides support for JSR-250 annotation security as
the framework's original <literal>@Secured</literal> annotation. From 3.0 you can also make well as the framework's original <literal>@Secured</literal> annotation. From 3.0 you can also
use of new <link xlink:href="el-access">expression-based annotations</link>. You can apply make use of new <link xlink:href="el-access">expression-based annotations</link>. You can
security to a single bean, using the <literal>intercept-methods</literal> element to decorate apply security to a single bean, using the <literal>intercept-methods</literal> element to
the bean declaration, or you can secure multiple beans across the entire service layer using decorate the bean declaration, or you can secure multiple beans across the entire service
the AspectJ style pointcuts. </para> layer using the AspectJ style pointcuts. </para>
<section xml:id="ns-global-method"> <section xml:id="ns-global-method">
<title>The <literal>&lt;global-method-security&gt;</literal> Element</title> <title>The <literal>&lt;global-method-security&gt;</literal> Element</title>
<para> This element is used to enable annotation-based security in your application (by <para> This element is used to enable annotation-based security in your application (by
setting the appropriate attributes on the element), and also to group together security setting the appropriate attributes on the element), and also to group together security
pointcut declarations which will be applied across your entire application context. You pointcut declarations which will be applied across your entire application context. You
should only declare one <literal>&lt;global-method-security&gt;</literal> element. The should only declare one <literal>&lt;global-method-security&gt;</literal> element. The
following declaration would enable support for both Spring Security's following declaration would enable support for Spring Security's
<literal>@Secured</literal>, and JSR-250 annotations: <programlisting><![CDATA[ <literal>@Secured</literal>: <programlisting><![CDATA[
<global-method-security secured-annotations="enabled" jsr250-annotations="enabled"/> <global-method-security secured-annotations="enabled" />
]]> ]]>
</programlisting> Adding an annotation to a method (on an class or interface) would then limit </programlisting> Adding an annotation to a method (on an class or interface) would then limit
the access to that method accordingly. Spring Security's native annotation support defines a the access to that method accordingly. Spring Security's native annotation support defines a
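Review bot: the sentence following the `<programlisting>` still reads "Adding an annotation to a method (on an class or interface)" on both sides of this hunk; since the surrounding paragraph is being reworded anyway, fix it to "on a class or interface". Also worth checking in the same hunk: `<link xlink:href="el-access">` points at what looks like an internal section id, and DocBook 5 uses `linkend="el-access"` for intra-document cross-references while `xlink:href` is for external URIs, so this link may not resolve when the chapter is built.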
@ -652,8 +652,14 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
@Secured("ROLE_TELLER") @Secured("ROLE_TELLER")
public Account post(Account account, double amount); public Account post(Account account, double amount);
} }
</programlisting></para> </programlisting>Support
<para>To use the new expression-based syntax, you would use <programlisting><![CDATA[ for JSR-250 annotations can be enabled using <programlisting><![CDATA[
<global-method-security jsr250-annotations="enabled" />
]]>
</programlisting>These are standards-based and allow simple role-based constraints to be
applied but do not have the power Spring Security's native annotations.
To use the new expression-based syntax, you would use
<programlisting><![CDATA[
<global-method-security pre-post-annotations="enabled" /> <global-method-security pre-post-annotations="enabled" />
]]></programlisting>and the equivalent Java code would ]]></programlisting>and the equivalent Java code would
be<programlisting language="java"> be<programlisting language="java">
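Review bot: the new sentence "These are standards-based and allow simple role-based constraints to be applied but do not have the power Spring Security's native annotations." is missing a word; it should read "do not have the power of Spring Security's native annotations". Since the `@Secured` and `@PreAuthorize` variants each get a Java listing showing the annotation on the `post` method, the JSR-250 paragraph would read more consistently with a matching one-line Java example after the `jsr250-annotations="enabled"` listing, rather than only the namespace switch.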
@ -668,7 +674,11 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
@PreAuthorize("hasAuthority('ROLE_TELLER')") @PreAuthorize("hasAuthority('ROLE_TELLER')")
public Account post(Account account, double amount); public Account post(Account account, double amount);
} }
</programlisting></para> </programlisting>Expression-based
annotations are a good choice if you need to define simple rules that go beyond checking the
role names against the user's list of authorities. You can enable more than one type of
annotation in the same application, but you should avoid mixing annotations types in the
same interface or class to avoid confusion.</para>
<section xml:id="ns-protect-pointcut"> <section xml:id="ns-protect-pointcut">
<title>Adding Security Pointcuts using <literal>protect-pointcut</literal></title> <title>Adding Security Pointcuts using <literal>protect-pointcut</literal></title>
<para> The use of <literal>protect-pointcut</literal> is particularly powerful, as it allows <para> The use of <literal>protect-pointcut</literal> is particularly powerful, as it allows
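Review bot: "you should avoid mixing annotations types in the same interface or class" has a typo ("annotation types"), and the stated reason, "to avoid confusion", is too vague for a security guide: when more than one annotation type is enabled and a method carries two of them, the reader needs to know which one actually governs access, otherwise they may believe a constraint is being enforced when it is being ignored. Suggest stating the precedence explicitly (or that only one metadata source is consulted per method) so the advice reads as a correctness concern rather than a style preference. The phrase "simple rules that go beyond checking the role names" in the same sentence is also slightly self-contradictory; "rules that go beyond simply checking the role names" is clearer.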