Annotations
1. @Secured
- The @Secured annotation is used to specify a list of roles that are allowed to access a method or class. The roles are specified as a comma-separated list. [(ROLE_VIEWER) ,(ROLE_ADMIN),(ROLE_EDITOR) ]
- The @Secured annotation doesn’t support Spring Expression Language (SpEL).
@Secured({ "ROLE_ADMIN", "ROLE_SUPER_ADMIN" })
public void createUser(User user)
{
// ... logic for create User
}
2. @PreAuthorize
- The @PreAuthorize annotation is used to specify an expression that must be evaluated to be true in order for a method or class to be accessible. The expression is written in Spring Expression Language (SpEL).
- The @PreAuthorize annotation can be used to control access to methods, classes, and even entire applications.
@PreAuthorize("hasRole('ROLE_ADMIN')")
public void deleteAdminUser(Long userId)
{
// ... logic for delete User
}
3. @PostAuthorize
- The @PostAuthorize annotation is used to specify an expression that must be evaluated to true after a method or class has been executed. The expression is written in SpEL.
- The @PostAuthorize annotation can be used to control the results of a method or class.
@PostAuthorize(
"hasRole('ROLE_ADMIN') and hasPermission(returnObject, 'read:courses')")
public List<Course>
findAllCourses()
{
// ... logic for find all courses
}
4. @PreFilter
- The @PreFilter annotation is used to specify an expression that must be evaluated to true in order for a method or class to be included in a security filter chain. The expression is written in SpEL.
@PreFilter(
"hasRole('ROLE_ADMIN') and hasPermission(filterObject, 'read:courses')")
public void
deleteCourses(List<Course> courses)
{
// ... logic for delete Courses
}
5. @PostFilter
- The @PostFilter annotation is used to specify an expression that must evaluate to true after a method or class has been executed in order for it to be included in a security filter chain.
@PostFilter(
"hasRole('ROLE_ADMIN') and hasPermission(filterObject, 'read:classes')")
public List<Class>
findAllClasses()
{
// ...logic for find all classes
}
6. @RolesAllowed
- The @RolesAllowed annotation is more flexible than the @Secured annotation because it allows you to specify an expression that evaluates to a list of roles. This expression can be written in Spring Expression Language (SpEL).
- The @RolesAllowed annotation is a JSR-250 annotation, which means that it is also supported by other security frameworks, such as Apache Shiro.
@RolesAllowed("ROLE_ADMIN")
public void deleteCourse(Long courseId)
{
// ... logic for delete course
}
7. @AuthenticationPrincipal
- The @AuthenticationPrincipal annotation is a Spring Security annotation that is used to inject the current authenticated user into a method or class. The user is injected as a Spring Security Authentication object.
- The @AuthenticationPrincipal annotation can be used in any Spring Security context, including web applications, RESTful APIs, and microservices.
@GetMapping("/username")
public String getUsername(@AuthenticationPrincipal String username) {
// ...
}
8. @RoleHierarchy
- The @RoleHierarchy annotation can be used to simplify the security configuration of your Spring application. By defining a role hierarchy, you can reduce the number of @RolesAllowed or @PreAuthorize annotations that you need to write.
@RoleHierarchy(value = { "ROLE_ADMIN > ROLE_USER",
"ROLE_SUPER_ADMIN > ROLE_ADMIN" })
Spring Security Annotations
There are multiple annotations supported by Spring Security. But, in this article, we will discuss about these annotations can be used in a Spring Boot project as well. These annotations play a crucial role in creating a web application in Spring Boot. The Spring Security annotations are a powerful way to secure Spring applications. By using these annotations, you can control who has access to your application’s resources and how they can interact with them.