Security
Spring Data REST works quite well with Spring Security. This section shows examples of how to secure your Spring Data REST services with method-level security.
@Pre and @Post Security
The following example from Spring Data REST’s test suite shows Spring Security’s PreAuthorization model (the most sophisticated security model):
[Example source not rendered on this page: example$security/PreAuthorizedOrderRepository.java]
1 | This Spring Security annotation secures the entire repository. The Spring Security SpEL expression indicates that the principal must have ROLE_USER in its collection of roles. |
2 | To change method-level settings, you must override the method signature and apply a Spring Security annotation. In this case, the method overrides the repository-level settings with the requirement that the user have ROLE_ADMIN to perform a delete. |
The preceding example shows a standard Spring Data repository definition extending CrudRepository with some key changes: the specification of particular roles to access the various methods.
Repository and method-level security settings do not combine. Instead, method-level settings override repository-level settings.
The previous example illustrates that CrudRepository, in fact, has four delete methods. You must override all delete methods to properly secure it.
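The following is an added illustration, not the test-suite source the page refers to, of what a repository secured the way the text describes looks like once every delete method is overridden. The `Order` entity, the package name and the repository name are assumptions; the four delete signatures are those of Spring Data’s `CrudRepository`, and the security expressions are the ones the text names.

```java
package com.example.security; // assumed package name

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PreAuthorize;

/**
 * Repository-level rule: every method requires ROLE_USER unless a method
 * overrides it. Remember that repository-level and method-level annotations
 * do NOT combine; an overriding method's annotation fully replaces this one.
 *
 * "Order" is an assumed JPA entity with a Long identifier (not shown here).
 */
@PreAuthorize("hasRole('ROLE_USER')")
public interface PreAuthorizedOrderRepository extends CrudRepository<Order, Long> {

    // Reads and saves inherit the ROLE_USER requirement from the type-level
    // annotation; nothing needs to be redeclared for them.

    // Each of the four CrudRepository delete methods is overridden so that
    // ROLE_ADMIN is required. Leaving any one of them out would leave a
    // delete path that only needs ROLE_USER.

    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    void deleteById(Long id);

    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    void delete(Order entity);

    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    void deleteAll(Iterable<? extends Order> entities);

    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    void deleteAll();

    // Caveat (not from the page): later Spring Data Commons releases also
    // declare deleteAllById(Iterable<? extends ID>). If your version has it,
    // override it with the same annotation, or it keeps the ROLE_USER rule.
}
```

A quick way to check the coverage is to look at the `CrudRepository` interface shipped with the Spring Data version on your classpath and confirm that every method whose name starts with `delete` appears in the secured repository with its own annotation; an authenticated user who holds only ROLE_USER should then receive an access-denied response from Spring Data REST on every delete route rather than a successful delete.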
@Secured security
The following example shows Spring Security’s older @Secured annotation, which is purely role-based:
[Example source not rendered on this page: example$security/SecuredPersonRepository.java]
1 | This results in the same security check as the previous example but has less flexibility. It allows only roles as the means to restrict access. |
2 | Again, this shows that delete methods require ROLE_ADMIN. |
If you start with a new project or first apply Spring Security,
Enabling Method-level Security
To configure method-level security, here is a brief snippet from Spring Data REST’s test suite:
[Example source not rendered on this page: example$security/SecurityConfiguration.java]
1 | This is a Spring configuration class. |
2 | It uses Spring Security’s `@EnableGlobalMethodSecurity` annotation to enable both `@Secured` and `@Pre`/`@Post` support. NOTE: You don’t have to use both. This particular case is used to prove both versions work with Spring Data REST. |
3 | This class extends Spring Security’s `WebSecurityConfigurerAdapter`, which is used for pure Java configuration of security. |
The rest of the configuration class is not listed, because it follows standard practices that you can read about in the Spring Security reference docs.
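The following added example, which is not the test-suite source the page refers to, puts the two pieces together: a configuration class that enables both annotation styles, as the callouts describe, and a `@Secured` repository of the kind shown in the `@Secured` section, with all four `CrudRepository` delete methods overridden. The `Person` entity, the in-memory users, their placeholder passwords and the package name are assumptions; `HttpSecurity`, `InMemoryUserDetailsManager` and the `{noop}` password-encoder prefix are standard Spring Security APIs. It targets the `WebSecurityConfigurerAdapter` generation the page documents; newer Spring Security releases deprecate that adapter in favour of a `SecurityFilterChain` bean and `@EnableMethodSecurity`, so adjust accordingly if you are on one of those.

```java
package com.example.security; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * Spring configuration class. securedEnabled turns on @Secured, prePostEnabled
 * turns on @PreAuthorize/@PostAuthorize; enable only the one you use.
 */
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every Spring Data REST route requires an authenticated caller;
        // which role may call which repository method is decided by the
        // method-level annotations, not here.
        http.httpBasic()
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }

    /**
     * Constructed sample users, for local experimentation only. "{noop}"
     * tells the delegating password encoder the value is stored unencoded;
     * the password strings are placeholders.
     */
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("reader")
                .password("{noop}READER-PASSWORD-PLACEHOLDER")
                .roles("USER")          // becomes authority ROLE_USER
                .build(),
            User.withUsername("admin")
                .password("{noop}ADMIN-PASSWORD-PLACEHOLDER")
                .roles("USER", "ADMIN") // ROLE_USER and ROLE_ADMIN
                .build());
    }
}

/**
 * Role-only counterpart of the @PreAuthorize repository: @Secured accepts
 * authority names, not SpEL. "Person" is an assumed entity with a Long id.
 * As before, the method-level annotation replaces the type-level one, so
 * every delete method must be overridden to require ROLE_ADMIN.
 */
@Secured("ROLE_USER")
interface SecuredPersonRepository extends CrudRepository<Person, Long> {

    @Override
    @Secured("ROLE_ADMIN")
    void deleteById(Long id);

    @Override
    @Secured("ROLE_ADMIN")
    void delete(Person entity);

    @Override
    @Secured("ROLE_ADMIN")
    void deleteAll(Iterable<? extends Person> entities);

    @Override
    @Secured("ROLE_ADMIN")
    void deleteAll();
}
```

With this in place, a request such as `GET /people` authenticated as `reader` succeeds, while `DELETE /people/{id}` as `reader` is refused by the method-security interceptor before the repository runs and only succeeds for `admin`, which is the behaviour the two repository sections describe.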