Method Security

<method-security>

This element is the primary means of adding support for securing methods on Spring Security beans. Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.

<method-security> attributes

  • *pre-post-enabled* Enables Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context. Defaults to "true".

  • *secured-enabled* Enables Spring Security’s @Secured annotation for this application context. Defaults to "false".

  • *jsr250-enabled* Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context. Defaults to "false".

  • *mode* If set to "aspectj", then uses AspectJ to intercept method invocations.

  • *proxy-target-class* If true, class based proxying will be used instead of interface based proxying. Defaults to "false".

  • *security-context-holder-strategy-ref* Specifies a SecurityContextHolderStrategy to use when retrieving the SecurityContext. Defaults to the value returned by SecurityContextHolder.getContextHolderStrategy().

  • *observation-registry-ref* A reference to the ObservationRegistry used for the FilterChain and related components.
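The following configuration is an added example and is not taken from the Spring Security reference. It shows a complete `<method-security>` declaration with all three annotation styles switched on and class-based proxying selected. The bean class `com.example.AccountService` is a hypothetical annotated service; the `security` namespace prefix is assumed to be bound to the Spring Security schema as shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not part of the original reference text.
     com.example.AccountService is a hypothetical service class whose public
     methods carry @PreAuthorize / @Secured / @RolesAllowed annotations. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- pre-post-enabled already defaults to "true"; it is written out so the
         effective policy is visible at a glance. @Secured and the JSR-250
         annotations are opt-in and default to "false", so each is enabled here
         explicitly. proxy-target-class="true" makes Spring create a subclass
         (CGLIB) proxy, so annotations placed on the class are honoured even
         when the bean implements no interface. -->
    <security:method-security pre-post-enabled="true"
                              secured-enabled="true"
                              jsr250-enabled="true"
                              proxy-target-class="true"/>

    <!-- The secured bean. Only invocations that arrive through the proxy are
         intercepted; a method calling another method on the same object
         (this.otherMethod()) bypasses the security interceptor entirely. -->
    <bean id="accountService" class="com.example.AccountService"/>

</beans>
```

The self-invocation caveat in the last comment is the detail most often missed when reviewing proxy-based method security: a public annotated method that is only ever reached from another method of the same bean is effectively unprotected unless `mode="aspectj"` is used, in which case the advice is woven into the class itself rather than applied by a proxy.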

Child Elements of <method-security>

<global-method-security>

This element is the primary means of adding support for securing methods on Spring Security beans. Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.

<global-method-security> Attributes

  • *access-decision-manager-ref* Method security uses the same AccessDecisionManager configuration as web security, but this can be overridden using this attribute. By default an AffirmativeBased implementation is used, with a RoleVoter and an AuthenticatedVoter.

  • *authentication-manager-ref* A reference to an AuthenticationManager that should be used for method security.

  • *jsr250-annotations* Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Setting this to true also adds a Jsr250Voter to the AccessDecisionManager, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.

  • *metadata-source-ref* An external MethodSecurityMetadataSource instance can be supplied which will take priority over other sources (such as the default annotations).

  • *mode* This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP. Secured methods must be woven with the AnnotationSecurityAspect from the spring-security-aspects module.

It is important to note that AspectJ follows Java’s rule that annotations on interfaces are not inherited. This means that methods that define the Security annotations on the interface will not be secured. Instead, you must place the Security annotation on the class when using AspectJ.

  • *order* Allows the advice "order" to be set for the method security interceptor.

  • *pre-post-annotations* Specifies whether the use of Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled".

  • *proxy-target-class* If true, class based proxying will be used instead of interface based proxying.

  • *run-as-manager-ref* A reference to an optional RunAsManager implementation which will be used by the configured MethodSecurityInterceptor.

  • *secured-annotations* Specifies whether the use of Spring Security’s @Secured annotations should be enabled for this application context. Defaults to "disabled".

<after-invocation-provider>

This element can be used to decorate an AfterInvocationProvider for use by the security interceptor maintained by the <global-method-security> namespace. You can define zero or more of these within the global-method-security element, each with a ref attribute pointing to an AfterInvocationProvider bean instance within your application context.

Parent Elements of <after-invocation-provider>

<after-invocation-provider> Attributes

  • ref Defines a reference to a Spring bean that implements AfterInvocationProvider.

<pre-post-annotation-handling>

Allows the default expression-based mechanism for handling Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely. Only applies if these annotations are enabled.

Parent Elements of <pre-post-annotation-handling>

<invocation-attribute-factory>

Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.

Parent Elements of <invocation-attribute-factory>

<invocation-attribute-factory> Attributes

  • ref Defines a reference to a Spring bean Id.

<post-invocation-advice>

Customizes the PostInvocationAdviceProvider with the ref as the PostInvocationAuthorizationAdvice for the <pre-post-annotation-handling> element.

Parent Elements of <post-invocation-advice>

<post-invocation-advice> Attributes

  • ref Defines a reference to a Spring bean Id.

<pre-invocation-advice>

Customizes the PreInvocationAuthorizationAdviceVoter with the ref as the PreInvocationAuthorizationAdvice for the <pre-post-annotation-handling> element.

Parent Elements of <pre-invocation-advice>

<pre-invocation-advice> Attributes

  • ref Defines a reference to a Spring bean Id.
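As an added example (not from the reference, and not the only way to do this), the three child elements above are used below to replace the default pre/post annotation handling with explicitly wired beans, so that a custom `PermissionEvaluator` backs `hasPermission(...)` in `@PreAuthorize` and `@PostAuthorize` expressions. The class names in the `org.springframework.security.access.expression.method` package are the expression-based implementations Spring Security ships; `com.example.AclPermissionEvaluator` is hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not part of the original reference text.
     com.example.AclPermissionEvaluator is a hypothetical PermissionEvaluator. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The object-level decision logic behind hasPermission(target, permission). -->
    <bean id="permissionEvaluator" class="com.example.AclPermissionEvaluator"/>

    <!-- One expression handler shared by all three handling components, so
         every @Pre*/@Post* expression resolves hasPermission() the same way. -->
    <bean id="expressionHandler"
          class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <property name="permissionEvaluator" ref="permissionEvaluator"/>
    </bean>

    <!-- Parses the annotations into pre/post invocation attributes. -->
    <bean id="attributeFactory"
          class="org.springframework.security.access.expression.method.ExpressionBasedAnnotationAttributeFactory">
        <constructor-arg ref="expressionHandler"/>
    </bean>

    <!-- Evaluates @PreAuthorize / @PreFilter before the method runs. -->
    <bean id="preAdvice"
          class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice">
        <property name="expressionHandler" ref="expressionHandler"/>
    </bean>

    <!-- Evaluates @PostAuthorize / @PostFilter against the return value. -->
    <bean id="postAdvice"
          class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice">
        <constructor-arg ref="expressionHandler"/>
    </bean>

    <!-- pre-post-annotation-handling only takes effect when the annotations
         are enabled; all three children must point at the beans above. -->
    <security:global-method-security pre-post-annotations="enabled">
        <security:pre-post-annotation-handling>
            <security:invocation-attribute-factory ref="attributeFactory"/>
            <security:pre-invocation-advice ref="preAdvice"/>
            <security:post-invocation-advice ref="postAdvice"/>
        </security:pre-post-annotation-handling>
    </security:global-method-security>

</beans>
```

Because the replacement is total, any of the three refs that is omitted or points at a bean using a different expression handler silently changes how expressions are evaluated; keeping all three on one shared handler is the configuration to check for during review.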

Securing Methods using <protect-pointcut>

Rather than defining security attributes on an individual method or class basis using the @Secured annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the <protect-pointcut> element. You can find an example in the namespace introduction.

Parent Elements of <protect-pointcut>

<protect-pointcut> Attributes

  • *access* Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B".

  • *expression* An AspectJ expression, including the execution keyword. For example, execution(int com.foo.TargetObject.countLength(String)).
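The configuration below is an added example, not taken from the reference, that ties together the `<global-method-security>` attributes, the `<after-invocation-provider>` child and the `<protect-pointcut>` element described above: an explicitly declared AffirmativeBased decision manager, a service layer secured by pointcut rather than per-method annotations, and a post-invocation provider. The package `com.example.service` and the class `com.example.AuditAfterInvocationProvider` are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not part of the original reference text.
     com.example.service.* and com.example.AuditAfterInvocationProvider are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Same shape as the default described in the text (AffirmativeBased with a
         RoleVoter and an AuthenticatedVoter), declared explicitly so it can be
         referenced and, if needed, tightened later. -->
    <bean id="methodAccessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter"/>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </constructor-arg>
    </bean>

    <!-- A hypothetical AfterInvocationProvider, e.g. one that audits return values. -->
    <bean id="auditAfterInvocationProvider" class="com.example.AuditAfterInvocationProvider"/>

    <security:global-method-security
            secured-annotations="enabled"
            access-decision-manager-ref="methodAccessDecisionManager"
            order="0">

        <!-- Read-style methods on any *Service class in the package. The access
             list is "any of": AffirmativeBased grants as soon as one voter says yes. -->
        <security:protect-pointcut
                expression="execution(* com.example.service.*Service.get*(..))"
                access="ROLE_USER,ROLE_ADMIN"/>

        <!-- Destructive operations are restricted to administrators. The two
             pointcuts are deliberately disjoint (get* vs. delete*). -->
        <security:protect-pointcut
                expression="execution(* com.example.service.*Service.delete*(..))"
                access="ROLE_ADMIN"/>

        <!-- Runs after a protected method returns, with access to the result. -->
        <security:after-invocation-provider ref="auditAfterInvocationProvider"/>

    </security:global-method-security>

</beans>
```

Pointcut-based protection is only as complete as the expressions: a service method that matches none of the declared pointcuts carries no security attributes and is not intercepted at all, so new methods added to the package later are unprotected until a pointcut covers them. A test that invokes every public service method anonymously and expects an access-denied outcome is the practical way to keep the expressions honest.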

<intercept-methods>

Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean’s methods.

<intercept-methods> Attributes

  • *use-authorization-manager* Use AuthorizationManager API instead of AccessDecisionManager (defaults to true).

  • *authorization-manager-ref* Optional AuthorizationManager bean ID to be used instead of the default (supersedes use-authorization-manager).

  • *access-decision-manager-ref* Optional AccessDecisionManager bean ID to be used by the created method security interceptor.

Child Elements of <intercept-methods>

<method-security-metadata-source>

Creates a MethodSecurityMetadataSource instance.

<method-security-metadata-source> Attributes

  • *id* A bean identifier, used for referring to the bean elsewhere in the context.

  • *use-expressions* Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'false'. If enabled, each attribute should contain a single Boolean expression. If the expression evaluates to 'true', access will be granted.

Child Elements of <method-security-metadata-source>

<protect>

Defines a protected method and the access control configuration attributes that apply to it. We strongly advise you NOT to mix "protect" declarations with any services provided by "global-method-security".

<protect> Attributes

  • *access* Access configuration attributes list that applies to the method, e.g. "ROLE_A,ROLE_B".

  • *method* A method name.
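An added example, not from the reference, of `<intercept-methods>` with `<protect>` children applied to a single bean definition. The bean class `com.example.BankService` and its method names are hypothetical; the example deliberately leaves `use-authorization-manager` at its default of true so the attributes are enforced through the AuthorizationManager API.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; not part of the original reference text.
     com.example.BankService and the method names getBalance, transfer and
     closeAccount are hypothetical. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           https://www.springframework.org/schema/security/spring-security.xsd">

    <!-- The security interceptor is attached to this one bean only; other beans
         in the context are untouched, which is what makes intercept-methods
         unsuitable to combine with global-method-security on the same bean. -->
    <bean id="bankService" class="com.example.BankService">

        <!-- use-authorization-manager defaults to true. Supply
             access-decision-manager-ref instead only if the legacy voter
             based AccessDecisionManager is required. -->
        <security:intercept-methods>

            <!-- The access list is "any of" the listed roles. -->
            <security:protect method="getBalance"   access="ROLE_USER,ROLE_TELLER"/>
            <security:protect method="transfer"     access="ROLE_TELLER"/>
            <security:protect method="closeAccount" access="ROLE_ADMIN"/>

        </security:intercept-methods>
    </bean>

</beans>
```

Public methods of `bankService` that are not listed in a `<protect>` element have no attributes and are therefore callable by anyone who can reach the bean; when a method is added to the class, a matching `<protect>` entry has to be added here as well, which is the maintenance cost of per-method declarations compared with pointcuts or annotations.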