It seems logical to secure an entire class of controllers rather than each method. Can I do this:
@Controller
@Secured("ROLE_USER")
public class accountPages {
    // Controllers
}
In the above code example, the @PreAuthorize annotation is used at a class level and all methods in the class are affected by it. Only users in role “MANAGER” will be able to access the /managers/status/check web service endpoint.
@PreAuthorize is different; it is more powerful than @Secured. The older @Secured annotations did not allow expressions to be used. The @Secured("ROLE_ADMIN") annotation is the same as @PreAuthorize("hasRole('ROLE_ADMIN')"). @Secured({"ROLE_USER","ROLE_ADMIN"}) is considered as ROLE_USER OR ROLE_ADMIN.
The Secured annotation is used to define a list of security configuration attributes for business methods. This annotation can be used as a Java 5 alternative to XML configuration.
The @PreAuthorize annotation checks the given expression before entering the method, whereas the @PostAuthorize annotation verifies it after the execution of the method and could alter the result.
from Spring Security 3 - PACKT Publishing
Be aware that the method-level security annotations can also be applied at the class level as well! Method-level annotations, if supplied, will always override annotations specified at the class level.
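The class-level rule and the method-level override described above, as an added example that is not from the original question or the quoted book. It assumes Spring Security 6 with Spring MVC on the classpath; the class names and request paths are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Method security must be switched on explicitly; without it the annotations
// below are never evaluated and every handler is reachable.
// securedEnabled = true activates @Secured (it is off by default).
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

// Class-level rule: every handler in this controller requires ROLE_USER
// unless the handler declares its own @Secured.
// AccountPages and the paths are hypothetical names for this example.
@RestController
@RequestMapping("/account")
@Secured("ROLE_USER")
class AccountPages {

    // No annotation here, so the class-level @Secured("ROLE_USER") applies.
    @GetMapping("/profile")
    public String profile() {
        return "profile";
    }

    // The method-level annotation overrides the class-level one.
    // The two are not combined: only ROLE_ADMIN is checked for this handler.
    @GetMapping("/audit")
    @Secured("ROLE_ADMIN")
    public String audit() {
        return "audit";
    }
}
```

Because the method-level rule replaces the class-level one, a handler annotated with a weaker role than its class is reachable with that weaker role, so review overrides with the same care as the class-level default.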