Can you use Java Annotations to evaluate something in a method?

2018-06-20 03:17:35

I want to see if it is possible to use annotations to evaulate if a user is logged in or not.

Example

@AuthRequired
public String myProtectedArea() {
  return View("view/protectedArea"); // If user is NOT authenticated, return "view/login"
}

As per your edit: Check this SO Post:

Scanning Java annotations at runtime

I'd still recommend using Spring Security for this, it's tested and secure:

@PreAuthorize("hasRole('ROLE_USER')")
public String myProtectedArea() {
  return View("view/protectedArea"); 
}

The annotation will check if the user is logged in and has the required credentials.

Another way with Spring Security is to intercept the URL pattern by setting this inside a spring.security-settings.xml:

    <intercept-url pattern="/view/protectedArea/*" access="hasRole('ROLE_USER')" />

I'd recommend using both to maximize security.

In the security settings file you can then tell spring security where to redirect the user to login. If the user is already logged in, you can redirect him to yet another page:

<form-login login-page="/view/login.xhtml" default-target-url="/view/protectedArea/home.xhtml"
            authentication-failure-url="/view/login.xhtml" />

It's a tested framework and thus secure and versatile. However it requires a bit of setting up if you want more than the standard behaviour.

The annotation doesn't check if the user is logged in or not--annotations are metadata on classes/methods. Something must still make use of the annotation.

Something in your code checks to see if the method is annotated with @AuthRequired , if it is, checks if logged in, then executes the method based on that.

For example, a web app might look for the annotation in a filter, base servlet, interceptor, etc. and decide whether or not the request process should continue.

Depending upon what type of application you are creating there are a number of options available to you for defining authentication levels for specific methods.

I would most likely recommend to you Spring Security for such a task.

Something like the below example would be the end result after configuration using Spring Security.

 @Secured( {"USER_ROLE"} )
 public String getSecretData() {
      return "SECRET! SHHH!";
 }

Then only users verified by Spring Security to have the role you provide to the annotation will have authorization to call the method.

There are a couple other annotation options in Spring Security you can utilize such as @PreAuthorize.

链接地址: http://www.djcxy.com/p/56642.html

上一篇: 要求一个来自组

下一篇: 你可以使用Java Annotations来评估方法中的某些东西吗？