Spring Security Annotations
Phenny Mwaisaka
Annotations provide an elegant way to implement authorization in Spring Security. Below are key annotations and their usage:
1.
@SecuredPurpose: Restricts access to methods or classes based on a list of roles.
Key Details:Roles are specified as a comma-separated list (e.g.,
{"ROLE_ADMIN", "ROLE_USER"}).Does not support SpEL (unlike
@PreAuthorize).Requires
@EnableGlobalMethodSecurity(securedEnabled = true)in the configuration.
Example:
@Secured({"ROLE_ADMIN", "ROLE_SUPER_ADMIN"})
public void createUser(User user) {
// Logic for creating a user
}
2. @PreAuthorize
Purpose: Evaluates a SpEL expression before method execution to grant/deny access.
Key Details:
Supports complex expressions (e.g.,
#userId ==principal.id).Requires
@EnableGlobalMethodSecurity(prePostEnabled = true).
Example:
@PreAuthorize("hasRole('ROLE_ADMIN') or #userId == authentication.principal.id")
public void deleteAdminUser(Long userId) {
// Logic
}
3. @PostAuthorize
Purpose: Evaluates a SpEL expression after method execution, often to filter the return value.
Key Details:
- Useful for post-execution checks (e.g., verifying ownership of returned data).
Example:
@PostAuthorize("returnObject.owner == authentication.name")
public Document getDocument(Long id) {
// Logic
}
4. @PreFilter
Purpose: Filters input collections before method execution based on a SpEL condition.
Key Details:
Applies to method parameters (e.g.,
List<T>,Array).The
filterObjectkeyword refers to each item in the collection.
Example:
@PreFilter("filterObject.owner == authentication.name")
public void deleteDocuments(List<Document> documents) {
// Logic (only processes documents owned by the current user)
}
5. @PostFilter
Purpose: Filters returned collections after method execution using SpEL.
Key Details:
- Removes items from the result that don’t match the condition.
Example:
@PostFilter("hasRole('ROLE_ADMIN') or filterObject.isPublic")
public List<Course> findAllCourses() {
// Logic (returns only public courses or all courses for admins)
}
6. @RolesAllowed (JSR-250)
Purpose: Specifies allowed roles (similar to @Secured but standardized).
Key Details:
Part of
javax.annotation.security(not Spring-specific).Does not support SpEL.
Requires
@EnableGlobalMethodSecurity(jsr250Enabled = true).
Example:
@RolesAllowed("ROLE_ADMIN")
public void deleteCourse(Long courseId) {
// Logic
}
7. @AuthenticationPrincipal
Purpose: Injects the current authenticated user (e.g., UserDetails, String username).
Key Details:
- Works with
@EnableWebSecurityor@EnableGlobalMethodSecurity.
Example:
@GetMapping("/me")
public String getUsername(@AuthenticationPrincipal UserDetails user) {
return user.getUsername();
}
8. Role Hierarchies
Purpose: Simplifies security configurations by defining role inheritance.
Key Details:
Configured as a bean (not an annotation!).
Example:
ROLE_SUPER_ADMIN > ROLE_ADMIN > ROLE_USERmeans higher roles inherit lower permissions.
Configuration Example:
@Bean
public RoleHierarchy roleHierarchy() {
String hierarchy = "ROLE_SUPER_ADMIN > ROLE_ADMIN > ROLE_USER";
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy(hierarchy);
return roleHierarchy;
}
Key Takeaways
Method Security: Annotations like
@PreAuthorizeand@Securedcontrol access at the method level.SpEL: Used in
@Pre/PostAuthorizeand@Pre/PostFilterfor dynamic expressions.JSR-250:
@RolesAllowedis a Java standard, while@Securedis Spring-specific.Role Hierarchies: Reduce redundancy by defining role relationships in a bean.
For full security setup, enable annotations in your configuration:
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
Subscribe to my newsletter
Read articles from Phenny Mwaisaka directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by