
Method Level Security

Method Level Security In Spring Security

  • In the section Configure Authorities, we applied authorization rules to API paths/URLs through the Spring Security configuration. Method level security, by contrast, lets you apply authorization rules at any layer of the application, such as the service layer or the repository layer. It is enabled by placing the @EnableGlobalMethodSecurity annotation on a configuration class. (In Spring Security 5.6 and later, @EnableMethodSecurity is the recommended replacement; it enables the @PreAuthorize/@PostAuthorize style by default.)
  • Method level security also makes authorization rules available in non-web applications, where there are no endpoints to protect.
  • Method level security provides the approaches below for applying authorization rules around the execution of your business logic:

    • Invocation authorization: validates whether someone can invoke a method based on their roles/authorities.
    • Filtering authorization: validates what a method may receive through its parameters and what the invoker may receive back after the business logic has executed.
  • Spring Security uses aspects from the AOP module, placing interceptors around the method invocation to apply the configured authorization rules.

  • Method level security offers the three styles below for configuring authorization rules on top of methods:
    • The prePostEnabled property enables the Spring Security @PreAuthorize & @PostAuthorize annotations.
    • The securedEnabled property enables the @Secured annotation.
    • The jsr250Enabled property enables the JSR-250 @RolesAllowed annotation.
MethodSecurityConfig.java

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Enables all three annotation styles at once; each flag can be left out
// if the corresponding style is not used in the application.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig {

    // ...

}
```
  • @Secured and @RolesAllowed are less powerful than @PreAuthorize and @PostAuthorize: they accept only a list of role names, whereas the pre/post annotations accept SpEL expressions that can reference the method arguments, the return value and the current authentication.
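The following service class is an added example, not code from the original page, showing all the annotation styles enabled by the MethodSecurityConfig above on one class. The AccountService and Account classes, the in-memory store and the role names ADMIN and AUDITOR are assumptions chosen for illustration; it targets Spring Security 5 (javax.annotation.security), so on Spring Security 6 the @RolesAllowed import becomes jakarta.annotation.security.RolesAllowed.

```java
// Added example (not from the original page): a service secured with the
// annotation styles enabled by MethodSecurityConfig. Class, method and role
// names are assumptions; the account store is an in-memory stand-in.
package com.example.demo.service;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.security.RolesAllowed;

import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

@Service
public class AccountService {

    // Simple domain object; SpEL resolves "owner" through getOwner().
    public static class Account {
        private final long id;
        private final String owner;

        public Account(long id, String owner) {
            this.id = id;
            this.owner = owner;
        }

        public long getId() { return id; }
        public String getOwner() { return owner; }
    }

    // Constructed in-memory store standing in for a repository.
    private final Map<Long, Account> store = new ConcurrentHashMap<>(Map.of(
            1L, new Account(1L, "alice"),
            2L, new Account(2L, "bob")));

    // Invocation authorization with a SpEL expression: the caller must hold
    // ROLE_ADMIN, or the requested account must be the caller's own.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public List<Account> loadAccountsOf(String owner) {
        List<Account> result = new ArrayList<>();
        for (Account a : store.values()) {
            if (a.getOwner().equals(owner)) {
                result.add(a);
            }
        }
        return result;
    }

    // Post-invocation check on the return value: the method body runs, but the
    // result is withheld with an AccessDeniedException unless the caller owns it.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name")
    public Account loadAccountById(long id) {
        return store.get(id);
    }

    // Filtering authorization on the input: elements whose owner is not the
    // caller are removed from the list before the method body executes.
    @PreFilter("filterObject.owner == authentication.name")
    public void updateAccounts(List<Account> accounts) {
        for (Account a : accounts) {
            store.put(a.getId(), a);
        }
    }

    // Filtering authorization on the output: admins see every account,
    // everyone else only their own.
    @PostFilter("hasRole('ADMIN') or filterObject.owner == authentication.name")
    public List<Account> listAccounts() {
        return new ArrayList<>(store.values());
    }

    // @Secured takes the full authority string, including the ROLE_ prefix.
    @Secured("ROLE_ADMIN")
    public void closeAccount(long id) {
        store.remove(id);
    }

    // JSR-250 style: Spring prepends ROLE_ to bare names by default.
    @RolesAllowed({"ADMIN", "AUDITOR"})
    public List<Account> exportAllAccounts() {
        return new ArrayList<>(store.values());
    }
}
```

Two checks worth making when adopting this: the annotations are enforced by an AOP proxy, so a call from one method of AccountService to another on the same instance bypasses them (only calls arriving through the injected proxy are intercepted), and the `#owner` argument reference in @PreAuthorize requires parameter names at runtime, which means compiling with `-parameters` (Spring Boot's build plugins do this by default) or naming the parameter explicitly with @P.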

Deep Dive Into Method Level Security
