Spring Method Level Security with Annotations
Soham Sengupta
https://github.com/trainerpb
Basic Approaches of Spring Security
1. URL level security (we already know this)
2. Method level security
3. Entity / object level security
Method Level Security - what & why?
• An additional layer of security behind the URL rules
• Decouples role-based access from front-end and request-mapping logic, so the rule no longer relies on which path reaches the method
• Survives developer mistakes (e.g. a controller path is renamed, the URL rule no longer matches it, and other roles can reach the resource); the method-level rule travels with the code, not with the path
What does that mean?
Let's prevent the method, too
What happens?
• Even if the URL rules allow another role to reach /doA
• The call to this method is denied: the method interceptor throws AccessDeniedException, which ExceptionTranslationFilter turns into HTTP 403 for an authenticated user (an anonymous user is sent to the authentication entry point instead)
• @PreAuthorize is capable of:
  • evaluating Spring Expression Language (SpEL) expressions, e.g. hasRole('ADMIN')
  • accessing method parameters by name, e.g. #username
@PostAuthorize
• Decides after the method has run, based on the returned value (available to the expression as returnObject)
• The body has already executed by the time access is denied, so it suits side-effect-free reads, not writes
• E.g. a very silly, impractical use case:
  • let access succeed as long as the length of the username <= Random() mod 8
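Added example for the "Let's prevent the method, too", "What happens?" and @PostAuthorize slides (the deck showed screenshots here; this code is not from the slides or from the trainerpb repository). It turns method security on, puts a @PreAuthorize rule with SpEL and a named method parameter on a service, and uses @PostAuthorize on a returned object. The class and method names (MethodSecurityConfig, Account, AccountService) are assumptions; the annotations and the @P parameter-name annotation are Spring Security's own. It targets Spring Security 5.x; on 6.x the enabling annotation is @EnableMethodSecurity.

```java
// Added example, not from the slides. Names (MethodSecurityConfig, Account,
// AccountService) are hypothetical. Spring Security 5.x; on 6.x replace
// @EnableGlobalMethodSecurity(prePostEnabled = true) with @EnableMethodSecurity.
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

class Account {
    private final String id;
    private final String owner;

    Account(String id, String owner) {
        this.id = id;
        this.owner = owner;
    }

    public String getId() { return id; }

    // SpEL resolves returnObject.owner through this getter.
    public String getOwner() { return owner; }
}

@Service
class AccountService {
    private final Map<String, Account> store = new ConcurrentHashMap<>();

    // Even if the URL rules let ROLE_USER reach the controller that calls this,
    // the proxy denies the call unless the caller holds ROLE_ADMIN.
    // hasRole('ADMIN') matches the authority "ROLE_ADMIN" (default prefix).
    @PreAuthorize("hasRole('ADMIN')")
    public Account create(String id, String owner) {
        Account account = new Account(id, owner);
        store.put(id, account);
        return account;
    }

    // Method parameters are visible to the expression as #name. @P pins the
    // name so the rule does not depend on the class being compiled with
    // parameter names (-parameters).
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public List<Account> listFor(@P("owner") String owner) {
        return store.values().stream()
                .filter(a -> a.getOwner().equals(owner))
                .collect(Collectors.toList());
    }

    // The decision needs the loaded object, so it runs after the body: a
    // non-admin may only see an account they own. Because the body has already
    // executed, reserve @PostAuthorize for side-effect-free reads.
    @PostAuthorize("hasRole('ADMIN') or returnObject == null or returnObject.owner == authentication.name")
    public Account find(String id) {
        return store.get(id);
    }
}
```

A caller with ROLE_USER who reaches create() through a permissive URL rule gets AccessDeniedException from the proxy, which the web layer reports as 403; the same user calling listFor() with their own name is allowed, and find() on someone else's account is denied only after the lookup has run.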
@PreFilter
• Filters a Collection passed as a method parameter before the body runs: each element is evaluated as filterObject, and elements for which the expression is false are removed
@PreFilter - contd.
• Use case: list all users except yourself (e.g. the Facebook chat pane shows all of your friends, but not you)
@PreFilter - contd.
Assignment: what happens if more than one Collection is passed in the parameter list?
@PostFilter
• Filters the Collection returned by the method: each element is evaluated as filterObject, and elements for which the expression is false are removed before the caller sees the result
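Added example for the @PreFilter and @PostFilter slides, including the assignment about two Collections in the parameter list (not code from the slides or the trainerpb repository). The class names (User, Record, DirectoryService) and the methods are assumptions; it presumes method security is enabled with prePostEnabled = true as in the earlier configuration. The answer to the assignment is in the code: with more than one argument Spring Security cannot tell which collection to filter and the call fails at runtime, so filterTarget has to name the parameter.

```java
// Added example, not from the slides. Names (User, Record, DirectoryService)
// are hypothetical; assumes @EnableGlobalMethodSecurity(prePostEnabled = true).
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.stereotype.Service;

class User {
    private final String username;
    User(String username) { this.username = username; }
    public String getUsername() { return username; }
}

class Record {
    private final String owner;
    private final String body;
    Record(String owner, String body) { this.owner = owner; this.body = body; }
    public String getOwner() { return owner; }
    public String getBody() { return body; }
}

@Service
class DirectoryService {
    private final List<Record> records = new ArrayList<>();

    // "Everyone but me": each element is filterObject, and elements for which
    // the expression is false are removed before the body runs. The collection
    // is modified in place, so callers must pass a mutable List (not List.of()).
    @PreFilter("filterObject.username != authentication.name")
    public List<String> chatPane(List<User> friends) {
        List<String> names = new ArrayList<>();
        for (User u : friends) {
            names.add(u.getUsername());
        }
        return names;
    }

    // Two collections in the parameter list: Spring Security cannot guess which
    // one to filter and the call fails at runtime unless filterTarget names it.
    // @P pins the parameter name independently of compiler flags.
    @PreFilter(value = "filterObject.username != authentication.name", filterTarget = "recipients")
    public int notify(@P("recipients") List<User> recipients, List<String> messages) {
        return recipients.size() * messages.size();   // deliveries attempted
    }

    // @PostFilter: the body loads everything, then rows the caller does not own
    // are dropped from the returned (mutable) list. Fine for small result sets;
    // for large tables push the owner predicate into the query instead, because
    // the full result is materialised first and page sizes no longer hold.
    @PostFilter("hasRole('ADMIN') or filterObject.owner == authentication.name")
    public List<Record> findAll() {
        return new ArrayList<>(records);
    }
}
```

Both filters rewrite the collection they act on, which is why the methods return fresh ArrayLists rather than an unmodifiable view of internal state.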
Other Approaches - @Secured
The @Secured annotation takes full authority names (e.g. "ROLE_ADMIN") and does not support Spring Expression Language; it has to be switched on with securedEnabled = true.
What will be the @PreAuthorize equivalent of the above code snippet?
Another Approach - @RolesAllowed (JSR-250)
The @RolesAllowed annotation is the JSR-250 standard form and, like @Secured, takes no expressions; it has to be switched on with jsr250Enabled = true.
What will be the @PreAuthorize equivalent of the above code snippet?
Combining @'s together
• We can put multiple annotations together on a method.
• I want a method:
  • to be available to ADMIN only
  • then, to return only the collection of records belonging to the logged-in user
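Added example for the @Secured, @RolesAllowed and "Combining @'s together" slides (not code from the slides or the trainerpb repository). It shows the same ADMIN-only rule in all three spellings, the configuration flags each one needs, and the combined @PreAuthorize + @PostFilter method the last slide asks for. The class names (MethodSecurityConfig, Record, ReportService) are assumptions. The import of RolesAllowed is the javax one used with Spring Security 5.x; on 6.x it is jakarta.annotation.security.RolesAllowed and the enabling annotation is @EnableMethodSecurity.

```java
// Added example, not from the slides. Names (MethodSecurityConfig, Record,
// ReportService) are hypothetical. Spring Security 5.x annotations.
import java.util.ArrayList;
import java.util.List;

import javax.annotation.security.RolesAllowed;   // jakarta.annotation.security on Spring 6

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Each annotation family is switched on separately; without its flag the
// annotation is silently ignored and the method is unprotected.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
class MethodSecurityConfig {
}

class Record {
    private final String owner;
    private final String body;
    Record(String owner, String body) { this.owner = owner; this.body = body; }
    public String getOwner() { return owner; }
    public String getBody() { return body; }
}

@Service
class ReportService {
    private final List<Record> records = new ArrayList<>();

    // @Secured: full authority strings, no SpEL; several values are OR-ed.
    @Secured("ROLE_ADMIN")
    public void purgeSecured() {
        records.clear();
    }

    // JSR-250 spelling of the same rule.
    @RolesAllowed("ROLE_ADMIN")
    public void purgeJsr250() {
        records.clear();
    }

    // @PreAuthorize equivalent of both: hasRole adds the ROLE_ prefix itself.
    @PreAuthorize("hasRole('ADMIN')")
    public void purgePrePost() {
        records.clear();
    }

    // Combining: only ADMIN may call at all, and the admin still gets back only
    // the rows they own.
    @PreAuthorize("hasRole('ADMIN')")
    @PostFilter("filterObject.owner == authentication.name")
    public List<Record> myRecordsAsAdmin() {
        return new ArrayList<>(records);
    }
}
```

Keep to one annotation family per method: how @Secured and @PreAuthorize on the same method interact differs between Spring Security versions, whereas @PreAuthorize together with @PostFilter is always applied as pre-check then post-filter.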
Important Notes
1. By default, Spring AOP proxying is used to apply method security
  • The check is skipped when a secured method m1() is called by another method m2() of the same bean: the call goes through this, not through the proxy
2. Thread-bound SecurityContext
  • The SecurityContext lives in a ThreadLocal and is not propagated to child threads unless you switch to MODE_INHERITABLETHREADLOCAL or wrap the task with DelegatingSecurityContextRunnable / DelegatingSecurityContextCallable
3. We can use @PreAuthorize or similar annotations at class level to enforce role-based access on every method of that class; a method-level annotation overrides the class-level one
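Added example for the three "Important Notes" (not code from the slides or the trainerpb repository): a class-level rule with a method-level override, the self-invocation hole and its fix through an injected bean, and carrying the SecurityContext onto a pool thread with DelegatingSecurityContextCallable. The class names (Report, ReportService, ReportFacade, AsyncReports) are assumptions; it presumes method security is enabled with prePostEnabled = true.

```java
// Added example, not from the slides. Names (Report, ReportService,
// ReportFacade, AsyncReports) are hypothetical; assumes prePostEnabled = true.
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.concurrent.DelegatingSecurityContextCallable;
import org.springframework.stereotype.Service;

class Report {
    final String title;
    Report(String title) { this.title = title; }
}

@Service
@PreAuthorize("isAuthenticated()")        // class-level default for every public method
class ReportService {

    @PreAuthorize("hasRole('ADMIN')")     // method-level annotation overrides the class-level one
    public Report build() {
        return new Report("admin report");
    }

    // Self-invocation: build() is called on 'this', not on the Spring proxy, so
    // hasRole('ADMIN') is never evaluated. Only the class-level isAuthenticated()
    // check on this outer call runs: any logged-in user gets the admin report.
    public Report buildFromSameBean() {
        return build();
    }
}

// Fix: call the secured method through an injected bean reference, i.e. the proxy.
@Service
class ReportFacade {
    private final ReportService reports;

    ReportFacade(ReportService reports) {
        this.reports = reports;
    }

    public Report buildViaProxy() {
        return reports.build();           // crosses the proxy: the ADMIN check runs
    }
}

// Thread-bound context: a plain pool thread has an empty SecurityContext, so a
// secured call made from it fails even for an admin. Wrap the task so the
// submitting thread's context is installed on the worker for the call.
class AsyncReports {
    private final ExecutorService pool = Executors.newFixedThreadPool(2);
    private final ReportFacade facade;

    AsyncReports(ReportFacade facade) {
        this.facade = facade;
    }

    Future<Report> buildAsync() {
        Callable<Report> task = facade::buildViaProxy;
        // Captures SecurityContextHolder.getContext() at construction time and
        // sets it on the worker thread around the delegate, then clears it.
        return pool.submit(new DelegatingSecurityContextCallable<>(task));
    }
}
```

The application-wide alternative, SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL), only helps threads created by the request thread; pooled workers created earlier never inherit anything, which is why the wrapper (or a DelegatingSecurityContextExecutorService) is the usual choice.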
