Reputation: 31
I have come across the following annotation in my example code.
@Secured({ "ROLE_USER", "ROLE_ADMIN" })
Could anyone explain what it means?
Upvotes: 0
Views: 4816
Reputation: 4103
The @Secured annotation is a method security annotation in the Spring framework. It is one of the authorization semantics applied at the method level. It allows the method to be accessed by the user who has at least one of the roles specified in the @Secured annotation.
In the example you have looked into, @Secured({"ROLE_USER", "ROLE_ADMIN"}) signifies that the method following this annotation can be accessed only by someone who has either ROLE_ADMIN or ROLE_USER.
For further reference, go to this page.
Upvotes: 0
Reputation: 1433
Here goes an example:
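// ProtectedMethodsController.java
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ProtectedMethodsController {

    @Secured({"ROLE_USER", "ROLE_ADMIN"}) // -> for both security roles
    @RequestMapping("/protectedMethod")
    public @ResponseBody String secretMethod() {
        return "You executed the protected method successfully (For USERs)";
    }

    @Secured("ROLE_ADMIN")
    @RequestMapping("/adminProtectedMethod")
    public @ResponseBody String adminSecretMethod() {
        return "You executed the protected method successfully (For ADMINs)";
    }

    // -> Without @Secured("ROLE_")
    @RequestMapping("/notProtectedMethod")
    public @ResponseBody String notProtectedMethod() {
        return "You executed the not protected method successfully (For ALL USERs)";
    }

    /** Notes:
     * 1 - The first step is to enable method security; you do that by annotating
     *     the main class (class with the @SpringBootApplication annotation)
     *     with @EnableGlobalMethodSecurity(securedEnabled = true);
     * 2 - Then we can decorate the method resources with the @Secured("ROLE_USER")
     *     annotation. **/
}

// Application.java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
// Package of SpringBootServletInitializer as of Spring Boot 2.x
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@SpringBootApplication
@EnableGlobalMethodSecurity(securedEnabled = true)
public class Application extends SpringBootServletInitializer {

    public static void main(String[] args) throws Throwable {
        SpringApplication.run(Application.class, args);
    }

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(Application.class);
    }
}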
Upvotes: 0
Reputation: 73568
It's a Spring Security Framework annotation to allow the method to be executed only when the caller has either ROLE_USER or ROLE_ADMIN security roles.
See the documentation for more information on Spring Security.
Upvotes: 3