This element is the primary means of adding support for securing methods on Spring Security beans. Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.
pre-post-enabled Enables Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context. Defaults to "true".
secured-enabled Enables Spring Security’s @Secured annotation for this application context. Defaults to "false".
jsr250-enabled Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context. Defaults to "false".
mode If set to "aspectj", then uses AspectJ to intercept method invocations.
proxy-target-class If true, class based proxying will be used instead of interface based proxying. Defaults to "false".
security-context-holder-strategy-ref Specifies a SecurityContextHolderStrategy to use when retrieving the SecurityContext. Defaults to the value returned by SecurityContextHolder.getContextHolderStrategy().
observation-registry-ref A reference to the
ObservationRegistryused for the
FilterChainand related components
Child Elements of <method-security>
This element is the primary means of adding support for securing methods on Spring Security beans. Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.
access-decision-manager-ref Method security uses the same
AccessDecisionManagerconfiguration as web security, but this can be overridden using this attribute. By default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter.
authentication-manager-ref A reference to an
AuthenticationManagerthat should be used for method security.
jsr250-annotations Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Setting this to true also adds a
AccessDecisionManager, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.
metadata-source-ref An external
MethodSecurityMetadataSourceinstance can be supplied which will take priority over other sources (such as the default annotations).
mode This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP. Secured methods must be woven with the
It is important to note that AspectJ follows Java’s rule that annotations on interfaces are not inherited. This means that methods that define the Security annotations on the interface will not be secured. Instead, you must place the Security annotation on the class when using AspectJ.
order Allows the advice "order" to be set for the method security interceptor.
pre-post-annotations Specifies whether the use of Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled".
proxy-target-class If true, class based proxying will be used instead of interface based proxying.
run-as-manager-ref A reference to an optional
RunAsManagerimplementation which will be used by the configured
secured-annotations Specifies whether the use of Spring Security’s @Secured annotations should be enabled for this application context. Defaults to "disabled".
Child Elements of <global-method-security>
This element can be used to decorate an
AfterInvocationProvider for use by the security interceptor maintained by the
You can define zero or more of these within the
global-method-security element, each with a
ref attribute pointing to an
AfterInvocationProvider bean instance within your application context.
Parent Elements of <after-invocation-provider>
Allows the default expression-based mechanism for handling Spring Security’s pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely. Only applies if these annotations are enabled.
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.
Parent Elements of <invocation-attribute-factory>
PostInvocationAdviceProvider with the ref as the
PostInvocationAuthorizationAdvice for the <pre-post-annotation-handling> element.
Parent Elements of <post-invocation-advice>
PreInvocationAuthorizationAdviceVoter with the ref as the
PreInvocationAuthorizationAdviceVoter for the <pre-post-annotation-handling> element.
Parent Elements of <pre-invocation-advice>
Securing Methods using
Rather than defining security attributes on an individual method or class basis using the
@Secured annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the
You can find an example in the namespace introduction.
Parent Elements of <protect-pointcut>
Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean’s methods
access-decision-manager-ref Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
Child Elements of <intercept-methods>
Creates a MethodSecurityMetadataSource instance
id A bean identifier, used for referring to the bean elsewhere in the context.
use-expressions Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. Defaults to 'false'. If enabled, each attribute should contain a single Boolean expression. If the expression evaluates to 'true', access will be granted.
Child Elements of <method-security-metadata-source>
Defines a protected method and the access control configuration attributes that apply to it. We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".