Soham Sengupta, profile picture
Uploaded bySoham Sengupta
PPTX, PDF130 views

Spring method-level-secuirty

The document discusses different approaches to method level security in Spring Security including @PreAuthorize, @PostAuthorize, @PreFilter, and @PostFilter annotations. @PreAuthorize allows restricting access to methods based on roles or expressions while @PostAuthorize controls access based on method return values. @PreFilter and @PostFilter can filter collections passed as method parameters or returned.

Embed presentation

Download to read offline
Soham Sengupta https://github.com/trainerpb 1
Basic Approaches of Spring Security 1. URL level security (We already know this) 2. Method level security 3. Entity /Object Level security https://github.com/trainerpb 2
Method Level Security- what & why?  Additional Layer of Security  Decouple & less-rely on Front-end logic for ‘ROLE based access ‘  Survives in case of developer- mistake (E.g. renaming paths – which allowed other roles to access resources) https://github.com/trainerpb 3
What does that mean? https://github.com/trainerpb 4
Let’s prevent the method ,too https://github.com/trainerpb 5
What happens?  Even if any other role is allowed to access /doA  Access to this method will be FORBIDDEN (HTTP Status: 403)  @PreAuthorize is capable of:  Evaluating Spring Expressions  Access Method Parameters https://github.com/trainerpb 6
@PostAuthroize  This helps control access to succeed depending on returned value of the method  E.g. -a very silly impractical USE-CASE-  Let Access succeed as long length of the username <= Radom() mod 8 https://github.com/trainerpb 7
@PreFilter  Helps filter out from a method, objects from a Collection passed as parameter to a method https://github.com/trainerpb 8
@PreFilter – Contd.  Use Case – List all Users except yourself – (E.g. Facebook –chat pane shows all friends of your but not you!) https://github.com/trainerpb 9
@PreFilter – Contd. Assignment – What happens if more than one Collection are passed in parameter list? https://github.com/trainerpb 10
@PostFilter  This helps filter returned Collection based on some criteria that is returned https://github.com/trainerpb 11
Other Approaches- @Secured https://github.com/trainerpb 12 @Secured annotation doesn’t support Spring Expression Language What’ll be the @PreAuthorize equivalent of the above code snippet?
Another Approach- @RoleAllowed https://github.com/trainerpb 13 What’ll be the @PreAuthorize equivalent of the above code snippet?
Combining @’s together  We can put multiple annotations together on a method.  I want a method  To be available to ADMIN only  Then, I want to return Collection of records of logged-in user only https://github.com/trainerpb 14
Important Notes- 1. By default, Spring AOP proxy-ing is used to apply method security  Security will be ignored fora secure method m1() called by another method m2() in the same class 2. Thread-bound Security Context-  security context isn’t propagated to child-threads 3. We can use @PreAuthroize or similar annotations at class-level to ensure ROLE_BASED access to that class. https://github.com/trainerpb 15
https://github.com/trainerpb 16

More Related Content

PPTX
Monitoring with Prometheus
byPravin Magdum
 
DOC
List of computer network programs
bymamta4817
 
PPT
Lo nuevo en Spring 3.0 - Spring Live Perú 2009
byLennon Shimokawa
 
ODP
PST Repair Tool
bybear106
 
PDF
Storyplayer
byStuart Herbert
 
PPTX
Run python from windows taskscheduler
byNorifumi Irie
 
PPTX
Celery in the Django
byWalter Liu
 
PDF
Demystifying how imports work in Python
byprodicus
 
Monitoring with Prometheus
byPravin Magdum
 
List of computer network programs
bymamta4817
 
Lo nuevo en Spring 3.0 - Spring Live Perú 2009
byLennon Shimokawa
 
PST Repair Tool
bybear106
 
Storyplayer
byStuart Herbert
 
Run python from windows taskscheduler
byNorifumi Irie
 
Celery in the Django
byWalter Liu
 
Demystifying how imports work in Python
byprodicus
 

Similar to Spring method-level-secuirty

PDF
Lesson07_Spring_Security_API.pdf
byScott Anderson
 
PDF
Lesson_07_Spring_Security_Register_NEW.pdf
byScott Anderson
 
PPTX
Spring security mvc-1
bySoham Sengupta
 
PDF
Lesson07-UsernamePasswordAuthenticationFilter.pdf
byScott Anderson
 
PPTX
Spring Security services for web applications
byStephenKoc1
 
PDF
Building layers of defense for your application
byVMware Tanzu
 
PDF
Spring security4.x
byZeeshan Khan
 
PPTX
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PPT
Spring Security Introduction
byMindfire Solutions
 
PDF
Spring security jwt tutorial toptal
byjbsysatm
 
PDF
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
PDF
From 0 to Spring Security 4.0
byrobwinch
 
PPTX
Spring Security 3
byJason Ferguson
 
PDF
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
PDF
The hidden gems of Spring Security
byMassimiliano Dessì
 
PPTX
Code your Own: Authentication Provider for Blackboard Learn
byDan Rinzel
 
PDF
Hacking the Grails Spring Security Plugins
byGR8Conf
 
PPTX
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
PDF
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Lesson07_Spring_Security_API.pdf
byScott Anderson
 
Lesson_07_Spring_Security_Register_NEW.pdf
byScott Anderson
 
Spring security mvc-1
bySoham Sengupta
 
Lesson07-UsernamePasswordAuthenticationFilter.pdf
byScott Anderson
 
Spring Security services for web applications
byStephenKoc1
 
Building layers of defense for your application
byVMware Tanzu
 
Spring security4.x
byZeeshan Khan
 
springb security.pptxdsdsgfdsgsdgsdgsdgdsgdsgds
byzmulani8
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Spring Security Introduction
byMindfire Solutions
 
Spring security jwt tutorial toptal
byjbsysatm
 
Spring5 hibernate5 security5 lab step by step
byRajiv Gupta
 
From 0 to Spring Security 4.0
byrobwinch
 
Spring Security 3
byJason Ferguson
 
Spring Security in Action 1st Edition Laurentiu Spilca Spilcă Laurenţiu
byticeyfedorvt
 
The hidden gems of Spring Security
byMassimiliano Dessì
 
Code your Own: Authentication Provider for Blackboard Learn
byDan Rinzel
 
Hacking the Grails Spring Security Plugins
byGR8Conf
 
Spring Security: Deep dive into basics. Ihor Polataiko.pptx
byIhor Polataiko
 
JavaCro'14 - Securing web applications with Spring Security 3 – Fernando Redo...
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 

More from Soham Sengupta

PDF
JavaScript event handling assignment
bySoham Sengupta
 
PDF
Networking assignment 2
bySoham Sengupta
 
PDF
Networking assignment 1
bySoham Sengupta
 
PPT
Sohams cryptography basics
bySoham Sengupta
 
PPT
Network programming1
bySoham Sengupta
 
PPT
JSR-82 Bluetooth tutorial
bySoham Sengupta
 
PPSX
Xmpp and java
bySoham Sengupta
 
PPT
Core java day2
bySoham Sengupta
 
PPT
Core java day1
bySoham Sengupta
 
PPT
Core java day4
bySoham Sengupta
 
PPT
Core java day5
bySoham Sengupta
 
PPT
Exceptions
bySoham Sengupta
 
PPSX
Java.lang.object
bySoham Sengupta
 
PPT
Jsp1
bySoham Sengupta
 
PPTX
Soham web security
bySoham Sengupta
 
PPTX
Html tables and_javascript
bySoham Sengupta
 
PPT
Html javascript
bySoham Sengupta
 
PPT
Java script
bySoham Sengupta
 
PPS
Sohamsg ajax
bySoham Sengupta
 
PPT
Dhtml
bySoham Sengupta
 
JavaScript event handling assignment
bySoham Sengupta
 
Networking assignment 2
bySoham Sengupta
 
Networking assignment 1
bySoham Sengupta
 
Sohams cryptography basics
bySoham Sengupta
 
Network programming1
bySoham Sengupta
 
JSR-82 Bluetooth tutorial
bySoham Sengupta
 
Xmpp and java
bySoham Sengupta
 
Core java day2
bySoham Sengupta
 
Core java day1
bySoham Sengupta
 
Core java day4
bySoham Sengupta
 
Core java day5
bySoham Sengupta
 
Exceptions
bySoham Sengupta
 
Java.lang.object
bySoham Sengupta
 
Jsp1
bySoham Sengupta
 
Soham web security
bySoham Sengupta
 
Html tables and_javascript
bySoham Sengupta
 
Html javascript
bySoham Sengupta
 
Java script
bySoham Sengupta
 
Sohamsg ajax
bySoham Sengupta
 
Dhtml
bySoham Sengupta
 

Recently uploaded

PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PPTX
The Landscape of Computer Software Development Companies
byYash Singh
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Incident Response Planning with a Foundation Model
byKim Hammar
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
The Landscape of Computer Software Development Companies
byYash Singh
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Incident Response Planning with a Foundation Model
byKim Hammar
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
The year in review - MarvelClient in 2025
bypanagenda
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 

Spring method-level-secuirty

  • 1.
  • 2.
    Basic Approaches ofSpring Security 1. URL level security (We already know this) 2. Method level security 3. Entity /Object Level security https://github.com/trainerpb 2
  • 3.
    Method Level Security-what & why?  Additional Layer of Security  Decouple & less-rely on Front-end logic for ‘ROLE based access ‘  Survives in case of developer- mistake (E.g. renaming paths – which allowed other roles to access resources) https://github.com/trainerpb 3
  • 4.
    What does thatmean? https://github.com/trainerpb 4
  • 5.
    Let’s prevent themethod ,too https://github.com/trainerpb 5
  • 6.
    What happens?  Evenif any other role is allowed to access /doA  Access to this method will be FORBIDDEN (HTTP Status: 403)  @PreAuthorize is capable of:  Evaluating Spring Expressions  Access Method Parameters https://github.com/trainerpb 6
  • 7.
    @PostAuthroize  This helpscontrol access to succeed depending on returned value of the method  E.g. -a very silly impractical USE-CASE-  Let Access succeed as long length of the username <= Radom() mod 8 https://github.com/trainerpb 7
  • 8.
    @PreFilter  Helps filterout from a method, objects from a Collection passed as parameter to a method https://github.com/trainerpb 8
  • 9.
    @PreFilter – Contd. Use Case – List all Users except yourself – (E.g. Facebook –chat pane shows all friends of your but not you!) https://github.com/trainerpb 9
  • 10.
    @PreFilter – Contd. Assignment– What happens if more than one Collection are passed in parameter list? https://github.com/trainerpb 10
  • 11.
    @PostFilter  This helpsfilter returned Collection based on some criteria that is returned https://github.com/trainerpb 11
  • 12.
    Other Approaches- @Secured https://github.com/trainerpb12 @Secured annotation doesn’t support Spring Expression Language What’ll be the @PreAuthorize equivalent of the above code snippet?
  • 13.
    Another Approach- @RoleAllowed https://github.com/trainerpb13 What’ll be the @PreAuthorize equivalent of the above code snippet?
  • 14.
    Combining @’s together We can put multiple annotations together on a method.  I want a method  To be available to ADMIN only  Then, I want to return Collection of records of logged-in user only https://github.com/trainerpb 14
  • 15.
    Important Notes- 1. Bydefault, Spring AOP proxy-ing is used to apply method security  Security will be ignored fora secure method m1() called by another method m2() in the same class 2. Thread-bound Security Context-  security context isn’t propagated to child-threads 3. We can use @PreAuthroize or similar annotations at class-level to ensure ROLE_BASED access to that class. https://github.com/trainerpb 15
  • 16.