What's the difference between @Secured and @PreAuthorize in spring security 3?

Spring Security

Spring Security Problem Overview

It's not clear for me what is the difference in spring security between :

 @PreAuthorize("hasRole('ROLE_USER')")
 public void create(Contact contact)

And

@Secured("ROLE_USER")
public void create(Contact contact)

I understand PreAuthorize can work with spring el but in my sample, is there a real difference ?

Spring Security Solutions

Solution 1 - Spring Security

The real difference is that @PreAuthorize can work with Spring Expression Language (SpEL). You can:

  • Access methods and properties of SecurityExpressionRoot.

  • Access method arguments (requires compilation with debug info or custom ParameterNameDiscoverer):

      @PreAuthorize("#contact.name == principal.name")
  public void doSomething(Contact contact)

  • (Advanced feature) Add your own methods (override MethodSecurityExpressionHandler and set it as <global-method-security><expression-handler ... /></...>).

Solution 2 - Spring Security

If you wanted to do something like access the method only if the user has Role1 and Role2 then you would have to use @PreAuthorize

@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")

Using

@Secured({"role1", "role2"}) // is treated as an OR

Solution 3 - Spring Security

Simply, @PreAuthorize is newer than @Secured.

So I say it is better to use @PreAuthorize as it is "expression-based" and you can use expressions like hasRole, hasAnyRole, permitAll, etc.

To learn about expressions, see these example expressions.

Solution 4 - Spring Security

@PreAuthorize is different, it is more powerful than @Secured.

  • >The older @Secured annotations did not allow expressions to be used.

  • >Starting with Spring Security 3, the more flexible annotations @PreAuthorize and @PostAuthorize (as well as @PreFilter and @PostFilter) are preferred, as they support Spring Expression Language (SpEL) and provide expression-based access control.

  • >@Secured("ROLE_ADMIN") annotation is the same as @PreAuthorize ("hasRole('ROLE_ADMIN')").

  • >The @Secured({"ROLE_USER","ROLE_ADMIN") is considered as ROLE_USER OR ROLE_ADMIN.

so you cannot express the AND condition using > @Secured. You can define the same with @PreAuthorize("hasRole('ADMIN') OR hasRole('USER')"), which is easier to > understand. You can express AND, OR, or NOT(!) as well.

> @PreAuthorize("!isAnonymous() AND hasRole( 'ADMIN')")

Solution 5 - Spring Security

+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
|                                               |                         @Secured                         |                         @PreAuthorize                           |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Spring EL expressions                         | Does'nt supports.                                        | Supports                                                        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Multiple roles conjunctions with AND operator | Does'nt supports.(If there are multiple roles defined    | Supports                                                        |
|                                               |they will be automatically combined with OR operator)     |                                                                 |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| To enable annotation                          | Add following line to spring-security.xml                | Add following line to spring-security.xml                       |
|                                               | <global-method-security secured-annotations="enabled" /> | <global-method-security pre-post-annotations="enabled"/>        |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
| Example                                       | @Secured({ROLE_ADMIN , ROLE_USER})                       | @PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')") |
|                                               | public void addUser(UserInfo user){...}                  | public void addUser(UserInfo user){...}                         |
+-----------------------------------------------+----------------------------------------------------------+-----------------------------------------------------------------+
Categories
Recommended Spring Security Solutions

Previous Solution:

Detect Browser Language in PHP

PhpCross BrowserBrowser Detection

Next Solution:

How to have the formatter wrap code with IntelliJ?

Intellij IdeaCode Formatting

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionJerome VDLView Question on Stackoverflow
Solution 1 - Spring SecurityaxtavtView Answer on Stackoverflow
Solution 2 - Spring SecurityarnabmitraView Answer on Stackoverflow
Solution 3 - Spring SecurityDennisView Answer on Stackoverflow
Solution 4 - Spring Securitybecher henchiriView Answer on Stackoverflow
Solution 5 - Spring SecurityJoby Wilson MathewsView Answer on Stackoverflow