Menu
@Secured and @RolesAllowed are the same the only difference is @RolesAllowed is a standard annotation (i.e. not only spring security) whereas @Secured is spring security only. @PreAuthorize is different in a way that it is more powerful then the other 2. It allows for SpEL expression for a more fine-grained control.
So, predicates can be written using SpEL (Spring Expression Language). The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.
Spring Security provides method level security using @PreAuthorize and @PostAuthorize annotations. This is expression-based access control. The @PreAuthorize can check for authorization before entering into method. The @PreAuthorize authorizes on the basis of role or the argument which is passed to the method.
To enable @Secured annotation in your Spring Boot application you will need to first enable the Global Method Security by adding the @EnableGlobalMethodSecurity annotation to any Class in your application which has the @Configuration annotation or is a configuration class itself.
The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:
SecurityExpressionRoot.Access method arguments (requires compilation with debug info or custom ParameterNameDiscoverer):
@PreAuthorize("#contact.name == principal.name")
public void doSomething(Contact contact)
MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler ... /></...>).If you wanted to do something like access the method only if the user has Role1 and Role2 then you would have to use @PreAuthorize
@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")
Using
@Secured({"role1", "role2"}) // is treated as an OR
Simply,
@PreAuthorize is newer than @Secured.
So I say it is better to use @PreAuthorize as it is "expression-based" and you can use expressions like hasRole, hasAnyRole, permitAll, etc.
To learn about expressions, see these example expressions.
@PreAuthorize is different, it is more powerful than @Secured.
The older
@Securedannotations did not allow expressions to be used.
Starting with Spring Security 3, the more flexible annotations
@PreAuthorizeand@PostAuthorize(as well as @PreFilter and @PostFilter) are preferred, as they support Spring Expression Language (SpEL) and provide expression-based access control.
@Secured("ROLE_ADMIN")annotation is the same as@PreAuthorize ("hasRole('ROLE_ADMIN')").
The
@Secured({"ROLE_USER","ROLE_ADMIN")is considered as ROLE_USER OR ROLE_ADMIN.
so you cannot express the AND condition using
@Secured. You can define the same with
@PreAuthorize("hasRole('ADMIN') OR hasRole('USER')"), which is easier to understand. You can express AND, OR, or NOT(!) as well.@PreAuthorize("!isAnonymous() AND hasRole( 'ADMIN')")
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| | @Secured | @PreAuthorize |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions | Does'nt supports. | Supports |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Multiple roles conjunctions with AND operator | Does'nt supports.(If there are multiple roles defined | Supports |
| |they will be automatically combined with OR operator) | |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation | Add following line to spring-security.xml | Add following line to spring-security.xml |
| | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/> |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example | @Secured({ROLE_ADMIN , ROLE_USER}) | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
| | public void addUser(UserInfo user){...} | public void addUser(UserInfo user){...} |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With