I just faced,that in order to use specific annotations for Spring Security, I should explicitely allow them in my config(applicationContext.xml)
Example:
<sec:global-method-security secured-annotations="enabled" />
<sec:global-method-security jsr250-annotations="enabled" />
...
What advantages do you see in approach of explicitely declare what annotations are allowed in our frameworked application?
Looks like overconfiguration,isn't it?
One possible benefit is that it allows Spring Security to throw an exception when desired annotations are not present in the classpath (though it's mostly about JSR-250 annotations, since other annotations are parts of Spring Security itself).
Otherwise Spring Security would have to silently ignore absence of annotations, that may lead to surprising behaviour.
Related
When specifying the XML configuration below:
<aop:aspectj-autoproxy>
<aop:include name="myBean" />
</aop:aspectj-autoproxy>
We all know that the #EnableAspectJAutoProxy annotation is the equivalent to the aspectj-autoproxy XML configuration but is there a java-based annotation equivalent for the aop:include XML configuration? I searched extensively and could not find.
Normally you tell Spring that you are using a particular feature, like Transaction management and it will create the proxies needed.
For instance #EnableTransactionManagement will cause Spring to create proxies for Components (services, controllers and repositories) which use #Transactional, you don't need to declare this, Spring automatically finds the beans that need to be proxied.
It works the same way with #EnableScheduling causing Spring to detect #Scheduled methods, and #EnableCaching to detect #Cached method.
Nowadays I've got to know spring mvc.
exactly about
context:component-scan
and
mvc:annotation-driven
and
tx:annotation-driven
in spring config xml
Here is my question.
As I know, "context:component-scan" scans all beans.
and As I heard, mvc:annotation-driven, tx:annotation-driven"s also scan all beans.
I think this is not efficient and not reasonable.
Why scan twice, three times.
Is there any way to avoid this duicate parsing?
Any answer will be appreciated.
Thank you.
In my opinion, scanning process are not twice, three times as you think.
They are declare for related beans I think.
Please refer to below summarize and find out how differences.
<context:annotation-config>
Declares support for general annotations such as #Required, #Autowired, #PostConstruct, and so on.
<context:component-scan>
can also do what <context:annotation-config> does but <context:component-scan> also scans packages to find and register beans within the application context.
<mvc:annotation-driven />
Enables the Spring MVC #Controller programming model and
declares explicit support for annotation-driven MVC controllers (i.e. #RequestMapping, #Controller, although support for those is the default behaviour), as well as adding support for declrative validation via #Valid and message body marshalling with #RequestBody/ResponseBody.
<tx:annotation-driven />
You do provide the transaction-manager instace directly within element. annotation-config and component-scan won't.
I am creating a custom namespace for use in the Spring XML configuration. I already implemented a NamespaceHandler and BeanDefinitionParser. So, now I can just put <myns:some-awesome-feature /> into my Spring configuration and it creates the required beans automatically.
In addition to creating some normal Spring beans I would also like to have this annotation register a OncePerRequestFilter to extract some information off of a request for my code to be able to utilize. Is there a way to register a filter programmatically using the two classes I have available when implementing a custom XML tag?
It is not possible without touching web.xml or WebApplicationInitializer, respectively.
But you can create an extendable solution that allows modifications in future without hassle.
Spring Security's <http pattern='...' security="..."/> automatically creates and registers a series of chained filter beans for you. All you have to do is to
register DelegatingFilterProxy in you web.xml and reference springSecurityFilterChain.
You can create a similar solution where you are defining e.g. <myns:awesome-http pattern='...' /> which instantiates OncePerRequestFilter. In web.xml you are declaring a DelegatingFilterProxy which references your awesomeFilterChain. In a future version you can add more filter to your chain without touching the configuration.
I have never implemented such a feature but I'm quite confident that it is possible.
As a starting point take a look at the source of HttpConfigurationBuilder and HttpSecurityBeanDefinitionParser to see how Spring Security implemented <http .../>.
I am trying to configure security annotations in spring security. But I have a question about this -
....
<security:http auto-config="true" use-expressions="true">
....
and when I use
#Secured("CUSTOM_ACCESS")
public String query();
it doesn't work. But I use
#PreAuthorize("hasRole('CUSTOM_ACCESS')")
public String query();
it works correctly and applies relevant Role. Does this mean #Secured annotations doesn't work with #PreAuthorize?
I also tried adding
<security:global-method-security secured-annotations="enabled" />
But it doesn't help.
<security:global-method-security pre-post-annotations="enabled" />
The above config works fine. Any ideas?
First off, the use-expressions setting in your <http> element has no effect on method security annotations. Those are enabled using global-method-security.
Using
<security:global-method-security pre-post-annotations="enabled" />
will enable PreAuthorize and its related annotations. The reason the secured annotation isn't working when you enable that is because there is no voter which knows what CUSTOM_ACCESS means. In its default setup Spring Security's RoleVoter only consumes attributes which start with the prefix ROLE_. See this FAQ for more information.
Voters can be used for things other than checking for simple roles, so they typically need some way of determining which of the attributes configured for a method apply to them. The expression-based annotations operate differently from the standard voters. The hasRole expression just looks for a named authority which is assigned to the user.
So if you created an AccessDecisionManager for method security, with an AccessDecisionVoter which consumes your CUSTOM_ACCESS attribute then the #Secured annotation would have an effect. However since you have it working with PostAuthorize already you may just want to stick with that.
There seem to be multiple XML tags for telling Spring to use annotations:
<context:annotation-config/>
<context:component-scan base-package="org.example" />
<mvc:annotation-driven />
<tx:annotation-driven transaction-manager="transactionManager" />
I think the first tag says to scan for annotations, the second says which package to scan (and optionally, can exclude/include what to search for). Then maybe the third says to scan for controller classes. And the last one to scan for data access annotations.
My problem understanding is:
I would think tags 1 and 2 could be combined into one. So I don't know why they are separated.
Tags 3 and 4 seem redundant to 1 and 2.
Could anyone give me a breakdown of what each tag does, and why they're not redundant? And if there are any other annotation XML tags, let me know.
EDIT
After further investigation, I believe I found some additional information:
The <context:annotation-config/> tag allows you to use annotations on variables, constructors, and methods (e.g. #Autowired, #Resource, etc).
The <context:component-scan base-package="org.example" /> tag allows you to use annotations on classes (e.g. #Repository, #Controller, etc).
The <tx:annotation-driven transaction-manager="transactionManager" /> tag actually enables the #Transactional tag (the <context:annotation-config/> tag allowed the #Transactional tag, but it didn't do anything).
Still not completely sure on the <mvc:annotation-driven />. I think maybe it adds further support for JSON, etc.
Difference between annotation-config and component-scan
a) <context:annotation-config/> only looks for annotations on beans in the same application context in which it is defined. This means that, if you put <context:annotation-config/> in a WebApplicationContext for a DispatcherServlet, it only checks for #Autowired beans in your controllers, and not your services. See Section 15.2, “The DispatcherServlet” for more information.
b) Spring provides the capability of automatically detecting 'stereotyped' classes and registering corresponding BeanDefinitions with the ApplicationContext. To autodetect these classes and register the corresponding beans requires the inclusion of the component-scan element in XML where 'basePackage' would be a common parent package (or alternatively a comma-separated list could be specified that included the parent package of each class).
tx:annotation-driven
You do provide the transaction-manager instace directly within element. annotation-config and component-scan won't.
mvc:annotation-driven
This tag registers the DefaultAnnotationHandlerMapping and AnnotationMethodHandlerAdapter beans that are required for Spring MVC to dispatch requests to #Controllers. The tag configures those two beans with sensible defaults based on what is present in your classpath. Read more at Spring doc.
I would think tags 1 and 2 could be combined into one. So I don't know why they are separated.
For reasons of backwards compatibility. Old Spring apps have to keep working, and merging the tags (which were introduced in different versions of Spring) would break that by changing the default behaviour.
Tags 3 and 4 seem redundant to 1 and 2.
See above. The 4 tags do slightly different, but complimentary things. Yes, if Spring were designed from scratch, there would be fewer of them, but the functionality needs to remain seperate.
To summarise:
<context:annotation-config/> enables annotation support in the context. This was added as part of Java 5 support, at a time when Spring still supported Java 1.4
<context:component-scan base-package="org.example" /> enables automatic scanning and configuration of beans, instead of using explicit declarations. This was added in Spring 2.5.
<mvc:annotation-driven /> is an odd one. It is not required in order to support annotated controller (those work by default). What it does is to actually disable the old style of non-annotated controller, as well as adding support for things like JSON. This is required because older apps still use the older controller style.
<tx:annotation-driven> is required because Spring supports many different styles of transaction demarcation, one of which is the annotation style. This is most popular style, but by no means the only one.