fiddle

Reputation: 1164

Spring security use of @PreAuthorize

Recently I have been working on a requirement wherein certain UI elements should be visible only to users with a particular role (say the role is XXX).

I used:

<sec:authorize access="hasRole('XXX')"> <input type="button"/></sec:authorize>

which works fine.

But I just wanted to understand whether I need to add the line below in the Java code as well. If yes, then why?

@PreAuthorize("hasRole('XXX')") 

Upvotes: 0

Views: 459

Answers (1)

user3151168

As usual, it depends.

If you are building/maintaining a classic MVC application with Spring MVC and all of your RequestMappings point to a (JSP) view (hence resolved by an InternalResourceViewResolver and usually rendered by the JspServlet), you don't need @PreAuthorize.

But if you are exposing at least one endpoint, e.g. as JSON/XML, you'll need to add @PreAuthorize if it is required.

Simply put, if your handler method returns a value that gets resolved by a ViewResolver, use the appropriate tag for JSP, Velocity or Freemarker; otherwise consider using @PreAuthorize.

Upvotes: 1
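The JSON-endpoint case described in the answer above, as an added example that is not part of the original question or answer. The class names, URL paths, view name and sample data are hypothetical; `hasRole('XXX')` is the expression from the question.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

// Method security must be switched on, otherwise @PreAuthorize is ignored.
// (Spring Security 5.6+ also offers @EnableMethodSecurity for the same purpose.)
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

@Controller
class ReportController {

    // View case: returns a logical view name that a ViewResolver maps to a JSP.
    // Inside that JSP, <sec:authorize access="hasRole('XXX')"> decides whether
    // the button is rendered into the HTML.
    @RequestMapping(value = "/reports", method = RequestMethod.GET)
    public String reportsPage() {
        return "reports"; // hypothetical view name
    }

    // JSON case: no view is rendered, so no JSP tag ever runs for this response.
    // The check is evaluated on the server before the method body executes,
    // whichever client sends the request.
    @PreAuthorize("hasRole('XXX')")
    @RequestMapping(value = "/api/reports", method = RequestMethod.GET,
                    produces = "application/json")
    @ResponseBody
    public List<String> reportsJson() {
        return Arrays.asList("report-1", "report-2"); // constructed sample data
    }
}
```

The configuration class has to be loaded in the same application context that creates the controller beans; if method security is enabled only in the root context while the controllers live in the DispatcherServlet context, the annotation has no effect. A caller without the role gets an `AccessDeniedException`, which Spring Security's `ExceptionTranslationFilter` turns into a 403 response or, for anonymous users, a redirect to login.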
