Spring method-level-secuirty
Download as PPTX, PDF0 likes104 views
The document discusses different approaches to method level security in Spring Security including @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter annotations. @PreAuthorize allows restricting access to methods based on roles or expressions while @PostAuthorize controls access based on method return values. @PreFilter and @PostFilter can filter collections passed as method parameters or returned.
Spring method-level-secuirty
- 2. Basic Approaches of Spring Security 1. URL level security (We already know this) 2. Method level security 3. Entity /Object Level security https://github.com/trainerpb 2
- 3. Method Level Security- what & why? Additional Layer of Security Decouple & less-rely on Front-end logic for ‘ROLE based access ‘ Survives in case of developer- mistake (E.g. renaming paths – which allowed other roles to access resources) https://github.com/trainerpb 3
- 4. What does that mean? https://github.com/trainerpb 4
- 5. Let’s prevent the method ,too https://github.com/trainerpb 5
- 6. What happens? Even if any other role is allowed to access /doA Access to this method will be FORBIDDEN (HTTP Status: 403) @PreAuthorize is capable of: Evaluating Spring Expressions Access Method Parameters https://github.com/trainerpb 6
- 7. @PostAuthroize This helps control access to succeed depending on returned value of the method E.g. -a very silly impractical USE-CASE- Let Access succeed as long length of the username <= Radom() mod 8 https://github.com/trainerpb 7
- 8. @PreFilter Helps filter out from a method, objects from a Collection passed as parameter to a method https://github.com/trainerpb 8
- 9. @PreFilter – Contd. Use Case – List all Users except yourself – (E.g. Facebook –chat pane shows all friends of your but not you!) https://github.com/trainerpb 9
- 10. @PreFilter – Contd. Assignment – What happens if more than one Collection are passed in parameter list? https://github.com/trainerpb 10
- 11. @PostFilter This helps filter returned Collection based on some criteria that is returned https://github.com/trainerpb 11
- 12. Other Approaches- @Secured https://github.com/trainerpb 12 @Secured annotation doesn’t support Spring Expression Language What’ll be the @PreAuthorize equivalent of the above code snippet?
- 13. Another Approach- @RoleAllowed https://github.com/trainerpb 13 What’ll be the @PreAuthorize equivalent of the above code snippet?
- 14. Combining @’s together We can put multiple annotations together on a method. I want a method To be available to ADMIN only Then, I want to return Collection of records of logged-in user only https://github.com/trainerpb 14
- 15. Important Notes- 1. By default, Spring AOP proxy-ing is used to apply method security Security will be ignored fora secure method m1() called by another method m2() in the same class 2. Thread-bound Security Context- security context isn’t propagated to child-threads 3. We can use @PreAuthroize or similar annotations at class-level to ensure ROLE_BASED access to that class. https://github.com/trainerpb 15