Method security is a bit more complicated than a simple allow or deny rule. Custom methods can be provided with specific security settings. In Spring, we achieve this by placing the proper annotations on the methods to be secured. Four annotations support expression attributes: they allow pre-invocation and post-invocation authorization checks, and they also support filtering of the submitted collection arguments or of the return values. They are @PreAuthorize, @PreFilter, @PostAuthorize, and @PostFilter. If you want to create a custom secured method called customCheckUser(), you can annotate the method with @PreAuthorize for a security check that runs before the method executes.
While the other security mechanisms focus on servlets and controllers, method-based security authorization deals particularly with the service-layer components. We can control which principals may access which services: for example, the database credential layer may be accessible only to an administrative principal, while the logging layer can be accessed by all principals. The global method security tag, or the @EnableGlobalMethodSecurity annotation, helps developers set up method-level security.
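As an added example (not code from the original text), the following configuration class and service-layer bean show all four annotations in use, with customCheckUser() guarded by @PreAuthorize as described above. MethodSecurityConfig, DocumentService, the nested Document type and the archive/load/listAll methods are assumed names; the expressions use Spring Security's built-in authentication.name, hasRole(), filterObject and returnObject.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreFilter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

/** Switches on processing of the four expression-based annotations (assumed class name). */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

/** Service-layer bean (assumed name); each method carries its own authorization rule. */
@Service
public class DocumentService {
    /** Minimal domain object; getOwner() lets SpEL resolve 'filterObject.owner'. */
    public static class Document {
        private final String owner;
        public Document(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }
    private final List<Document> store = new ArrayList<>();

    /** Pre-invocation check: a caller without ROLE_ADMIN never reaches the method body. */
    @PreAuthorize("hasRole('ADMIN')")
    public boolean customCheckUser(String username) {
        return store.stream().anyMatch(d -> d.getOwner().equals(username));
    }
    /** Argument filtering: entries not owned by the caller are removed from the (mutable)
     *  list before the body runs, so the body can never act on them. */
    @PreFilter("filterObject.owner == authentication.name")
    public int archive(List<Document> documents) {
        return documents.size();
    }
    /** Post-invocation check: the body runs first; the result is then withheld with an
     *  AccessDeniedException unless the caller owns it or holds ROLE_ADMIN. */
    @PostAuthorize("returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Document load(int id) {
        return store.get(id);
    }
    /** Return-value filtering: other users' documents are stripped before the caller sees
     *  them. The returned list must be mutable; an immutable List.of(...) would throw here. */
    @PostFilter("filterObject.owner == authentication.name")
    public List<Document> listAll() {
        return new ArrayList<>(store);
    }
}
```

Because these rules are enforced by a Spring AOP proxy, they apply only to calls that arrive through the injected bean; a method that calls another annotated method on `this` bypasses the checks entirely.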