 

Best practice to use @PreAuthorize

I have a service class with secured methods (@PreAuthorize, Spring Security).

Is this bad coding practice?

Maybe I should use the @PreAuthorize annotation only in my controller class (@Controller or @RestController)?

Anderson Rossi asked Jan 05 '16 15:01



People also ask

What is the use of @PreAuthorize annotation?

The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.

What's the difference between @secured and @PreAuthorize in Spring Security?

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can access methods and properties of SecurityExpressionRoot, and (advanced feature) add your own methods by overriding MethodSecurityExpressionHandler and setting it as <global-method-security><expression-handler ... /></...>.

How does @PreAuthorize work in spring boot?

Spring Security provides method level security using @PreAuthorize and @PostAuthorize annotations. This is expression-based access control. The @PreAuthorize can check for authorization before entering into method. The @PreAuthorize authorizes on the basis of role or the argument which is passed to the method.

What is @PreAuthorize annotation in spring?

The most obviously useful annotation is @PreAuthorize which decides whether a method can actually be invoked or not. For example (from the “Contacts” sample application) @PreAuthorize("hasRole('ROLE_USER')") public void create(Contact contact);


1 Answer

Yes, ideally, this type of authorization check should be done at the Controller or the first request handler step (like the RestController you mentioned). It makes more sense to put the @PreAuthorize annotation on Controller methods, as the request will not be forwarded to the Service layer and unnecessary code (the code in the controller method) will not be executed if the correct role is not found.

BUT

If you have an application where service classes are being used by multiple controllers, then you can have the @PreAuthorize annotation on the Service layer. If tomorrow someone creates a new controller (and forgets to use correct authorization checks) and uses the existing service class, then your application will handle the authorization correctly using service layer authorization.

Ankit answered Sep 25 '22 11:09

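The layering the answer describes, as an added example that is not code from the question, the answer or the "People also ask" snippets. It assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-web, spring-boot-starter-security and spring-security-test on the classpath; every class, method, role and account name is hypothetical. The service carries the authoritative checks (one pure role check, one SpEL check on a method argument and the principal, which is the @PreAuthorize-vs-@Secured difference the snippets mention), the controller optionally fails fast at the edge, and a later controller that forgot its annotation is still stopped by the service proxy:

```java
// Added example (not code from the original question or answer).
// Assumes Spring Boot 3 / Spring Security 6 with spring-boot-starter-web,
// spring-boot-starter-security and spring-security-test on the classpath.
// All class, method, role and account names are hypothetical.
package com.example.accounts;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.util.Map;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// 1. @PreAuthorize is silently ignored unless method security is enabled
//    (on Spring Security 5.x: @EnableGlobalMethodSecurity(prePostEnabled = true)).
@SpringBootApplication
@EnableMethodSecurity
class AccountsApplication {}

record Account(String id, String ownerUsername, long balanceCents) {}

// 2. Service layer: the chokepoint every present and future caller goes through.
@Service
class AccountService {
    // Constructed sample data for this example.
    private final Map<String, Account> byOwner = Map.of(
        "alice", new Account("acc-1", "alice", 10_000),
        "bob",   new Account("acc-2", "bob", 2_500));

    // Pure role check: hasRole('ADMIN') matches the authority ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public boolean closeAccount(String accountId) {
        return byOwner.values().stream().anyMatch(a -> a.id().equals(accountId));
    }

    // SpEL can reference method arguments (#ownerUsername) and the current
    // principal (authentication.name): admins see everyone, others only themselves.
    @PreAuthorize("hasRole('ADMIN') or #ownerUsername == authentication.name")
    public Account findByOwner(String ownerUsername) {
        return byOwner.get(ownerUsername);
    }
}

// 3. Controller: an edge check fails fast, but the service check still applies.
@RestController
@RequestMapping("/accounts")
class AccountController {
    private final AccountService service;
    AccountController(AccountService service) { this.service = service; }

    @PreAuthorize("hasRole('ADMIN')")
    @DeleteMapping("/{id}")
    public boolean close(@PathVariable String id) { return service.closeAccount(id); }

    @GetMapping("/{owner}")
    public Account byOwner(@PathVariable String owner) { return service.findByOwner(owner); }
}

// 4. A controller added later with no annotation of its own (the scenario in the
//    answer). Its callers still get AccessDeniedException from the proxied service.
@RestController
class LegacyAdminController {
    private final AccountService service;
    LegacyAdminController(AccountService service) { this.service = service; }

    @DeleteMapping("/admin/close/{id}")
    public boolean close(@PathVariable String id) { return service.closeAccount(id); }
}

// 5. Verify the service-layer checks directly, independent of any controller.
@SpringBootTest
class AccountServiceSecurityTest {
    @Autowired AccountService service;

    @Test
    @WithMockUser(username = "bob", roles = "USER")   // authority ROLE_USER
    void nonAdminCannotCloseAccounts() {
        assertThrows(AccessDeniedException.class, () -> service.closeAccount("acc-1"));
    }

    @Test
    @WithMockUser(username = "bob", roles = "USER")
    void userSeesOnlyOwnAccount() {
        assertEquals("acc-2", service.findByOwner("bob").id());
        assertThrows(AccessDeniedException.class, () -> service.findByOwner("alice"));
    }

    @Test
    @WithMockUser(username = "root", roles = "ADMIN")
    void adminSeesEveryAccount() {
        assertEquals("acc-1", service.findByOwner("alice").id());
    }
}
```

In a real build the test class lives under src/test; it is shown in the same file only to keep the example self-contained. Two caveats worth checking in your own code: the annotations are enforced by a Spring AOP proxy, so a call from one method of AccountService to another annotated method of the same class goes around the proxy and is not checked (move the callee to a separate bean if it needs its own rule); and if @EnableMethodSecurity is missing, none of the tests above fail for the right reason, which is why a negative test per protected method is the cheapest way to prove the annotations are actually active.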