1.

State the difference between @PreAuthorize and @Secured in Spring Security.

Answer»

A variety of security options are available with the Spring Framework. This framework offers many useful tools or methods for securing applications. To provide method-level security, @Secured and @PreAuthorize are the most commonly used annotations. Compared to @Secured, @PreAuthorize is quite new but is becoming well known very fast. There aren't many differences between @Secured and @PreAuthorize; they're nearly identical. However, @PreAuthorize is considerably more powerful than @Secured.

@PreAuthorize vs. @Secured

@PreAuthorize: We can access the methods and properties of SecurityExpressionRoot while using @PreAuthorize.
@Secured: We cannot access the methods and properties of SecurityExpressionRoot while using @Secured.

@PreAuthorize: It can work with Spring EL.
@Secured: It cannot work with Spring EL.

@PreAuthorize: It supports multiple roles in conjunction with the AND operator. For example:

@PreAuthorize("hasRole('ROLE_role1') and hasRole('ROLE_role2')")

@Secured: It does not support multiple roles in conjunction with an AND operator. If more than one role is defined, they will be combined/treated using the OR operator. For example:

@Secured({"ROLE_role1", "ROLE_role2"})     // is treated as an OR

To enable the @PreAuthorize and @PostAuthorize annotations in your code, add the following line to spring-security.xml (XML configuration) or the following annotation to a configuration class (Spring Boot):

XML: <global-method-security pre-post-annotations="enabled"/>
Spring Boot: @EnableGlobalMethodSecurity(prePostEnabled = true)

To enable the @Secured annotation in your code, add the following line to spring-security.xml (XML configuration) or the following annotation to a configuration class (Spring Boot):

XML: <global-method-security secured-annotations="enabled"/>
Spring Boot: @EnableGlobalMethodSecurity(securedEnabled = true)

