Difference between @Secured vs @RolesAllowed in Spring? And the concept of Role Based Security?


Question

I am studying Spring Security and I have the following doubts about the difference between the use of the @Secured annotation and the @RolesAllowed annotation.

I know that both have to be used at method level; in my study material I found the following 2 examples:


  • The @RolesAllowed annotation:

    import javax.annotation.security.RolesAllowed;   // JSR-250 (standard Java) annotation

    public class ItemManager {
        // Only callers whose granted authorities include ROLE_MEMBER may invoke this method
        @RolesAllowed("ROLE_MEMBER")
        public Item findItem(long itemNumber) {
            ...
        }
    }


  • The @Secured annotation:

    import org.springframework.security.access.annotation.Secured;   // Spring Security's own annotation

    public class ItemManager {
        // Same check as above, expressed with the Spring-specific annotation
        @Secured("ROLE_MEMBER")
        public Item findItem(long itemNumber) {
            ...
        }
    }
    


It seems to me that these 2 annotations work in the same way. What are the differences? What am I missing?

Another doubt that I have is: what exactly does ROLE_MEMBER represent?

I think that this is something like role based security, so it could mean something like: only if the user is a member can it access the annotated resource (is that correct?). But where and how is it defined that the user has been given this role (that it is a member)? How exactly does it work?

Thanks

Answer

    @Secured and @RolesAllowed are the same. They do the same operation in Spring.

But


    • @RolesAllowed - Standard annotation of Java.

Java has defined the Java Specification Request (JSR), basically change requests for the Java language, libraries and other components. For the development of annotations, they have provided JSR 250; @RolesAllowed is included in it. This link contains further info on JSR 250.

• @Secured - Spring Security annotation

ROLE_MEMBER is the role which is set on the security user details.

Refer to this example from my current project. Here I'm using the user data object and mapping the roles given to the user to the security user details.

    import java.util.ArrayList;
    import java.util.Collection;

    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;

    public class CustomUserDetails implements UserDetails {
        // ... (user field, constructor and the other UserDetails methods omitted)

        // Spring Security asks for the authorities; each role stored on the
        // application's user object becomes one GrantedAuthority (e.g. "ROLE_MEMBER")
        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
            for (Role role : this.user.getRoles()) {
                grantedAuthorities.add(new SimpleGrantedAuthority(role.getRole()));
            }
            return grantedAuthorities;
        }
    }
    

These roles are then set for the security approvals using @Secured, @RolesAllowed or @PreAuthorize("hasRole('ROLE_USER')") on the methods.

By design it's good to put the security in the service layer. So when I'm securing my service actions, I check for the roles, not for the users.

    This way, we can focus on the business logic and the security for the business logic via small security units called roles.

Then I assign the roles to the user. Users can have multiple roles. So you have to see the relationship here. Users are given the roles, and roles are given access to the business logic. Users are given access to the business logic via the roles. This concept is called Role Based Access Control.

In complex cases we can also manage hierarchical roles, where one role contains many other roles. But in UserDetails we have to flatten the role hierarchy and provide the plain list of roles for the Spring framework to process.
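As an added, self-contained example (not code from the original question or answer), the following shows how the pieces above fit together in a Spring Security 5.x application: the configuration that switches the three annotation styles on, a service secured by role rather than by user, a constructed in-memory user store, and the hierarchy flattening the answer ends with. The user names and passwords, the `ROLE_ADMIN > ROLE_MEMBER` hierarchy and the `Item` type are assumptions for illustration.

```java
import java.util.List;

import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

// Hypothetical domain type returned by the secured service.
class Item {
    final long number;
    Item(long number) { this.number = number; }
}

// 1. Method security is off by default. Without this (or an equivalent) the
//    annotations below are plain metadata and every call goes through.
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, jsr250Enabled = true, prePostEnabled = true)
class MethodSecurityConfig {

    // Hypothetical hierarchy: every ADMIN implicitly holds MEMBER as well.
    @Bean
    RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_MEMBER");
        return hierarchy;
    }

    // Constructed users standing in for a real user store. roles("MEMBER")
    // stores the authority as "ROLE_MEMBER"; {noop} keeps the sample passwords plain.
    @Bean
    UserDetailsService userDetailsService(RoleHierarchy hierarchy) {
        List<UserDetails> users = List.of(
                User.withUsername("alice").password("{noop}alice-pw").roles("MEMBER").build(),
                User.withUsername("bob").password("{noop}bob-pw").roles("ADMIN").build(),
                User.withUsername("carol").password("{noop}carol-pw").roles("GUEST").build());
        return username -> users.stream()
                .filter(u -> u.getUsername().equals(username))
                .findFirst()
                // Flatten the hierarchy at the UserDetails level, as the answer
                // recommends: bob leaves here holding ROLE_ADMIN and ROLE_MEMBER.
                .map(u -> User.withUserDetails(u)
                        .authorities(hierarchy.getReachableGrantedAuthorities(u.getAuthorities()))
                        .build())
                .orElseThrow(() -> new UsernameNotFoundException(username));
    }
}

// 2. Security sits in the service layer and is phrased in roles, never in users.
@Service
class ItemManager {

    // Spring-specific: the string is compared literally with the granted authorities.
    @Secured("ROLE_MEMBER")
    public Item findItem(long itemNumber) {
        return new Item(itemNumber);
    }

    // JSR-250 equivalent: the same literal role check through the portable annotation.
    @RolesAllowed("ROLE_MEMBER")
    public Item findItemPortable(long itemNumber) {
        return new Item(itemNumber);
    }

    // SpEL: hasRole() adds the ROLE_ prefix itself, and the expression can
    // combine conditions (here, a constraint on the argument) that the
    // two annotations above cannot express.
    @PreAuthorize("hasRole('ADMIN') and #itemNumber > 0")
    public void deleteItem(long itemNumber) {
        // delete the item
    }
}
```

With an authenticated alice (ROLE_MEMBER) in the security context, `findItem` and `findItemPortable` succeed and `deleteItem` fails with `AccessDeniedException`; bob passes all three only because his authorities were flattened before reaching Spring, since `@Secured` and `@RolesAllowed` compare authority strings literally and do not consult the hierarchy bean on their own; carol (ROLE_GUEST) is denied everywhere, and a call with no `Authentication` at all fails with `AuthenticationCredentialsNotFoundException` before the method body runs. Spring Security 6 deprecates `@EnableGlobalMethodSecurity` in favour of `@EnableMethodSecurity`; the annotations on the service are unchanged.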
