Security
Spring Data REST works quite well with Spring Security. This section shows examples of how to secure your Spring Data REST services with method-level security.
@Pre and @Post Security
The following example from Spring Data REST’s test suite shows Spring Security’s PreAuthorization model (the most sophisticated security model):
[The listing include::example$security/PreAuthorizedOrderRepository.java[] did not resolve when this page was rendered; the callouts below refer to it.]
1 | This Spring Security annotation secures the entire repository. The Spring Security SpEL expression indicates that the principal must have ROLE_USER in its collection of roles. |
2 | To change method-level settings, you must override the method signature and apply a Spring Security annotation. In this case, the method overrides the repository-level settings with the requirement that the user have ROLE_ADMIN to perform a delete. |
The preceding example shows a standard Spring Data repository definition extending CrudRepository with one key change: particular roles are required to call the various methods.
Repository-level and method-level security settings do not combine. A method that carries its own annotation is checked against that annotation alone, so in the example a delete annotated with ROLE_ADMIN does not additionally require ROLE_USER; the method-level setting replaces the repository-level one.
The previous example also illustrates that CrudRepository has, in fact, four delete methods (deleteById, delete, deleteAll(Iterable) and deleteAll()). You must override all of them to secure deletion properly: which delete method Spring Data REST invokes for an HTTP DELETE can depend on the version in use, and any delete method you leave un-overridden keeps the repository-level ROLE_USER rule and therefore remains callable by ordinary users. Spring Data Commons 2.5 and later declare a fifth one, deleteAllById, which must be overridden as well.
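As an added illustration (not the PreAuthorizedOrderRepository.java file from the Spring Data REST test suite, which did not render on this page), the following repository is written to match the callouts above: a repository-level @PreAuthorize requiring ROLE_USER, and every delete overload overridden to require ROLE_ADMIN. It assumes an Order entity with a UUID id and a getOwner() accessor returning the owning username; the @PostAuthorize rule on findById and the deleteAllById override go beyond the text and show what the @Post half of the model adds.

```java
package com.example.security;

import java.util.Optional;
import java.util.UUID;

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;

// Repository-level rule: every method requires ROLE_USER unless the method
// declares its own @PreAuthorize. hasRole('USER') adds the ROLE_ prefix itself.
@PreAuthorize("hasRole('USER')")
public interface PreAuthorizedOrderRepository extends CrudRepository<Order, UUID> {

    // @Post check: evaluated after the call, with the result bound to
    // returnObject. The repository-level @PreAuthorize still gates this
    // method, because only a method-level annotation of the same type
    // replaces it. Assumes Order.getOwner() (hypothetical accessor).
    // A non-admin reading someone else's order gets 403, not the entity.
    @PostAuthorize("hasRole('ADMIN') or returnObject.orElse(null)?.owner == authentication.name")
    @Override
    Optional<Order> findById(UUID id);

    // Method-level @PreAuthorize replaces the repository-level one: ROLE_ADMIN
    // alone is required here, ROLE_USER is not added to it. Every delete
    // overload must be overridden, or the un-overridden one stays open to
    // ROLE_USER.
    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteById(UUID id);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void delete(Order order);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteAll(Iterable<? extends Order> orders);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteAll();

    // Declared by CrudRepository since Spring Data Commons 2.5; remove this
    // override on older versions, where @Override would not compile.
    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteAllById(Iterable<? extends UUID> ids);
}
```

A quick way to verify the override rule is to authenticate as a user holding only ROLE_ADMIN (without ROLE_USER): that user can DELETE an order but cannot list orders, which confirms that the method-level rule replaced the repository-level one rather than extending it.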
@Secured security
The following example shows Spring Security's older @Secured annotation, which is purely role-based:
[The listing include::example$security/SecuredPersonRepository.java[] did not resolve when this page was rendered; the callouts below refer to it.]
1 | This results in the same security check as the previous example but has less flexibility. It allows only roles as the means to restrict access. |
2 | Again, this shows that delete methods require ROLE_ADMIN . |
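The same repository shape written with @Secured, as an added illustration consistent with the callouts above (not the SecuredPersonRepository.java file from the test suite). It assumes a Person entity with a UUID id; the ROLE_SUPPORT authority is hypothetical and is there only to show how @Secured expresses "any of these roles". Note the two practical differences from @PreAuthorize: @Secured takes literal authority strings, so the ROLE_ prefix must be spelled out, and there is no SpEL, so neither method arguments nor return values can take part in the decision.

```java
package com.example.security;

import java.util.UUID;

import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.annotation.Secured;

// Literal authority string: "ROLE_USER", not "USER" (no prefix inference here).
@Secured("ROLE_USER")
public interface SecuredPersonRepository extends CrudRepository<Person, UUID> {

    // Replaces the repository-level rule for this method, exactly as with
    // @PreAuthorize. Several values mean the caller needs any one of them.
    // ROLE_SUPPORT is a hypothetical authority used for illustration.
    @Secured({"ROLE_ADMIN", "ROLE_SUPPORT"})
    @Override
    void deleteById(UUID id);

    @Secured("ROLE_ADMIN")
    @Override
    void delete(Person person);

    @Secured("ROLE_ADMIN")
    @Override
    void deleteAll(Iterable<? extends Person> people);

    @Secured("ROLE_ADMIN")
    @Override
    void deleteAll();

    // Spring Data Commons 2.5 and later; remove on older versions.
    @Secured("ROLE_ADMIN")
    @Override
    void deleteAllById(Iterable<? extends UUID> ids);
}
```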
If you start with a new project or first apply Spring Security,
Enabling Method-level Security
To configure method-level security, here is a brief snippet from Spring Data REST's test suite:
[The listing include::example$security/SecurityConfiguration.java[] did not resolve when this page was rendered; only its trailing "..." and "}" survived. The callouts below refer to it.]
1 | This is a Spring configuration class. |
2 | It uses Spring Security’s @EnableGlobalMethodSecurity annotation to enable both @Secured and @Pre /@Post support. NOTE: You don’t have to use both. This particular case is used to prove both versions work with Spring Data REST. |
3 | This class extends Spring Security’s WebSecurityConfigurerAdapter which is used for pure Java configuration of security. |
The rest of the configuration class is not listed, because it follows standard practices that you can read about in the Spring Security reference docs.
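The following configuration is an added example that fills in the parts the callouts above describe (it is not the SecurityConfiguration.java file from the test suite): @EnableGlobalMethodSecurity turning on both @Secured and @Pre/@Post support, and a WebSecurityConfigurerAdapter subclass for Java configuration. The two user accounts, their passwords and the stateless HTTP Basic setup are constructed for the demo. One caveat for current projects: Spring Security 5.6 introduced @EnableMethodSecurity (prePostEnabled is on by default, securedEnabled must still be set) to replace @EnableGlobalMethodSecurity, and 5.7 deprecated WebSecurityConfigurerAdapter, which was removed in 6.0 in favour of a SecurityFilterChain bean; the repository annotations on this page are unaffected by that change.

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
// Enables @Secured (securedEnabled) and @PreAuthorize/@PostAuthorize
// (prePostEnabled). Either flag alone is enough if only one style is used.
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // The web layer only demands an authenticated caller. Which roles
            // may call which repository method is decided by the @PreAuthorize
            // and @Secured rules on the repositories, not by URL patterns here.
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // Stateless Basic-auth API for non-browser clients: no session, so
            // no CSRF token to present. Leave CSRF enabled if browsers will
            // call the API with cookie-based sessions.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder, bcrypt by default; never store plain-text passwords.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService demoUsers(PasswordEncoder encoder) {
        // Constructed demo accounts. roles("ADMIN") stores the authority
        // ROLE_ADMIN, which is what both hasRole('ADMIN') and
        // @Secured("ROLE_ADMIN") check against.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pw")).roles("USER").build(),
            User.withUsername("root").password(encoder.encode("root-pw")).roles("USER", "ADMIN").build());
    }
}
```

With this in place and one of the repositories above exported by Spring Data REST, a DELETE on an item resource as alice should be rejected with 403 (the AccessDeniedException raised by method security is translated by Spring Security's ExceptionTranslationFilter), while the same request as root should succeed with 204; a GET as either user is allowed by the repository-level ROLE_USER rule.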