Difference between @Secured vs @RolesAllowed in Spring? And the concept of Role Based Security?


Question

I am studying Spring Security and I have the following doubts related to the difference between the use of the @Secured annotation and the @RolesAllowed annotation.

I know that both have to be used at method level; in my study material I found the following 2 examples:

  • @RolesAllowed annotation:

import javax.annotation.security.RolesAllowed;

public class ItemManager {
    // JSR-250 standard annotation; Spring Security adds the "ROLE_" prefix if it is missing
    @RolesAllowed("ROLE_MEMBER")
    public Item findItem(long itemNumber) {
        ...
    }
}

  • @Secured annotation:

import org.springframework.security.access.annotation.Secured; // package path since Spring Security 3.x

public class ItemManager {
    // Spring's own annotation; the value is compared verbatim against the user's authorities
    @Secured("ROLE_MEMBER")
    public Item findItem(long itemNumber) {
        ...
    }
}

  • It seems to me that these 2 annotations work in the same way. What are the differences? What am I missing?

Another doubt that I have is: what exactly does ROLE_MEMBER represent?

I think that this is something like role based security, so it could mean something like: only if the user is a member can it access the annotated resource (is it correct?). But where and how is it defined that the user has this role set (that it is a member)? How exactly does it work?

Tnx

Recommended answer

@Secured and @RolesAllowed are the same. They do the same operation in Spring.

But

• @RolesAllowed - Standard annotation of Java.

Java has defined the Java Specification Request, which is basically a request for changes to the Java language, libraries and other components. For the development of annotations they provided JSR 250, which contains @RolesAllowed. This link contains more information on JSR 250.

• @Secured - Spring Security annotation

ROLE_MEMBER is the role which is set on the security user details.

Refer to this example from my current project. Here I'm using the user data object and mapping the roles given to the user to the security user details.

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class CustomUserDetails implements UserDetails {
    ...
    ...
    ...

    // Maps every role of the wrapped user entity to a GrantedAuthority;
    // role.getRole() is expected to return the full authority string, e.g. "ROLE_MEMBER"
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (Role role : this.user.getRoles()) {
            grantedAuthorities.add(new SimpleGrantedAuthority(role.getRole()));
        }
        return grantedAuthorities;
    }
}

These roles are then used for the security approvals with @Secured, @RolesAllowed or @PreAuthorize("hasRole('ROLE_USER')") on the methods.

By design it's good to put the security in the service layer. So when I'm securing my service actions, I check for the roles, not for the users.

This way, we can focus on the business logic and the security for the business logic via small security units called roles.

Then I assign the roles to the user. Users can have multiple roles. So you have to see the relationship here: users are given the roles, and roles are given the access to the business logic. Users are given access to the business logic via the roles. This concept is called Role Based Access Control.

In complex cases we can also manage hierarchical roles, where one role has many other roles. But in UserDetails we have to flatten the role hierarchy and give the list of roles to the Spring framework for processing.
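The following is an added example, not code from the question or the answer above, that puts the three pieces together: a principal whose roles are flattened into authorities (including an implied role, as the last paragraph describes), a configuration that switches the two role annotations on, and a service whose methods are guarded by @Secured, @RolesAllowed and @PreAuthorize. It assumes Spring Security 6 with the jakarta namespace; the class names, users and the ROLE_ADMIN > ROLE_MEMBER hierarchy are constructed for the illustration.

```java
// Added example (not the answerer's code). Assumes Spring Security 6 on the classpath
// and jakarta.annotation.security for @RolesAllowed. Users, classes and roles are made up.
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import jakarta.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

/**
 * The two "role" annotations must be enabled explicitly:
 * securedEnabled covers @Secured, jsr250Enabled covers @RolesAllowed.
 * @PreAuthorize is on by default with @EnableMethodSecurity.
 */
@Configuration
@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig {

    // Constructed hierarchy: ROLE_ADMIN implies ROLE_MEMBER. It is flattened below so the
    // principal carries every role it effectively holds, which is what the framework checks.
    private static final Map<String, List<String>> IMPLIED_ROLES =
            Map.of("ROLE_ADMIN", List.of("ROLE_MEMBER"));

    static Set<GrantedAuthority> flatten(List<String> assignedRoles) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (String role : assignedRoles) {
            authorities.add(new SimpleGrantedAuthority(role));
            for (String implied : IMPLIED_ROLES.getOrDefault(role, List.of())) {
                authorities.add(new SimpleGrantedAuthority(implied));
            }
        }
        return authorities;
    }

    @Bean
    UserDetailsService userDetailsService() {
        // Constructed users; "{noop}" stores the password unencoded and is for demos only.
        UserDetails alice = User.withUsername("alice").password("{noop}secret")
                .authorities(flatten(List.of("ROLE_MEMBER"))).build();
        UserDetails bob = User.withUsername("bob").password("{noop}secret")
                .authorities(flatten(List.of("ROLE_ADMIN"))).build(); // also gets ROLE_MEMBER
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

@Service
class ItemService {

    // Spring's annotation: the string is compared verbatim against the authorities.
    @Secured("ROLE_MEMBER")
    public String findItem(long itemNumber) {
        return "item-" + itemNumber;
    }

    // JSR-250: Spring Security prepends "ROLE_" when the value lacks it, so "MEMBER"
    // and "ROLE_MEMBER" both match the authority ROLE_MEMBER.
    @RolesAllowed("MEMBER")
    public String findItemJsr250(long itemNumber) {
        return "item-" + itemNumber;
    }

    // SpEL: hasRole('ADMIN') also adds the "ROLE_" prefix; of the two users only bob passes.
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteItem(long itemNumber) {
        // deletion logic omitted
    }
}
```

With this wiring, a call to any guarded method by an authenticated principal lacking the required authority is rejected by the method-security interceptor with an AccessDeniedException before the method body runs, and an unauthenticated call fails with an authentication exception; the service code itself never inspects the user. In the javax-era Spring Security the question's code comes from, the equivalent switch is @EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true).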

