Understanding Spring Security Permission Annotations and Their Practical Use in a Microservice System
This article explains the eight built‑in Spring Security permission annotations, how to enable them with @EnableGlobalMethodSecurity, provides Java code examples for each annotation, and demonstrates their practical use in the Codeape Chronic Disease Cloud Management System for fine‑grained microservice authorization.
Spring Security provides eight built‑in permission annotations that can be used to enforce method‑level security in microservices. To activate these annotations, add @EnableGlobalMethodSecurity (with prePostEnabled = true, securedEnabled = true, and jsr250Enabled = true) to a configuration class.
The eight annotations are:
- @PostAuthorize: checks permissions after method execution.
- @PostFilter: filters the returned collection/array after execution.
- @PreAuthorize: checks permissions before method execution (supports SpEL expressions).
- @PreFilter: filters method arguments before execution.
- @Secured: restricts access to specific roles (no SpEL support).
- @DenyAll: denies every access (JSR‑250).
- @PermitAll: allows every access (JSR‑250).
- @RolesAllowed: restricts access to specified roles (JSR‑250).
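The following is an added example, not code from the original article or from the Codeape project: a configuration class that switches on all three annotation families as described above, together with a hypothetical WardService that uses the four non‑SpEL annotations (@Secured and the JSR‑250 set), which the article does not illustrate in code. The user names, passwords and role names are constructed for the demo, and Spring Security 5.x with the javax.annotation package is assumed.

```java
// Added example (not from the original article): enable method security and
// exercise @Secured, @RolesAllowed, @PermitAll and @DenyAll on a hypothetical service.
import java.util.List;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
public class MethodSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed in-memory users for the demo; a real system loads them from its user store.
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails nurse = User.withUsername("nurse")
                .password(encoder.encode("nurse-demo-password"))
                .roles("IN_HOS_NURSE")          // stored as the authority ROLE_IN_HOS_NURSE
                .build();
        UserDetails doctor = User.withUsername("doctor")
                .password(encoder.encode("doctor-demo-password"))
                .roles("IN_HOS_DOCTOR")         // stored as the authority ROLE_IN_HOS_DOCTOR
                .build();
        return new InMemoryUserDetailsManager(nurse, doctor);
    }
}

// Hypothetical service, not part of the article or the project.
@Service
class WardService {

    // @Secured compares the authority string literally, so the ROLE_ prefix must be written out.
    @Secured("ROLE_IN_HOS_DOCTOR")
    public String prescribe(String patientId) {
        return "prescribed for " + patientId;
    }

    // @RolesAllowed is JSR-250; Spring prepends ROLE_ when a value lacks it,
    // so "IN_HOS_NURSE" and "ROLE_IN_HOS_NURSE" mean the same authority here.
    @RolesAllowed({"IN_HOS_NURSE", "IN_HOS_DOCTOR"})
    public List<String> listWardPatients() {
        return List.of("P-1001", "P-1002");   // constructed sample data
    }

    // @PermitAll removes the method-level check only; whether the caller had to
    // authenticate at all is decided by the HTTP filter chain, not here.
    @PermitAll
    public String wardName() {
        return "Ward A";
    }

    // @DenyAll rejects every caller; a safe default for a method that must only be
    // reached indirectly through another, explicitly authorized method.
    @DenyAll
    public void purgeWardRecords() {
    }
}
```

Two things to keep in mind when adapting this: the annotations are enforced by the Spring AOP proxy, so a call from one method to another inside the same bean bypasses them, and on Spring Security 5.6+ the @EnableGlobalMethodSecurity annotation is deprecated in favour of @EnableMethodSecurity, where prePostEnabled is already true by default and the JSR‑250 annotations live in the jakarta.annotation.security package on Spring Security 6.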
Typical usage examples:
// Imports shared by this and the following HelloService snippets (Obj is a domain class with an id property, not shown)
import java.util.List;
import org.springframework.security.access.prepost.*;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping
public class HelloService {
    // Evaluated before the body runs: only callers holding ROLE_IN_HOS_NURSE get in
    @PreAuthorize("hasRole('IN_HOS_NURSE')")
    @GetMapping
    public String hello() {
        return "hello";
    }
}
For @PreFilter you can specify a SpEL expression and the target argument:
@RestController
@RequestMapping
public class HelloService {
    // filterObject is each element of the targeted argument; filterTarget names the
    // argument to filter and is required because the method has more than one parameter.
    // Elements are removed in place, so the collection passed in must be mutable.
    @PreFilter(value = "filterObject.id != 1", filterTarget = "obj")
    @GetMapping
    public String hello(List<Obj> obj, Integer a) {
        return "hello";
    }
}
@PostAuthorize can validate the returned object using the built‑in returnObject variable:
@RestController
@RequestMapping
public class HelloService {
    // returnObject is the method's return value; if the expression is false an
    // AccessDeniedException is thrown, but the body has already executed by then
    @PostAuthorize("returnObject.id == 1")
    @GetMapping
    public Obj hello(List<Obj> obj, Integer a) {
        return new Obj();
    }
}
@PostFilter filters each element of the returned collection via filterObject:
@RestController
@RequestMapping
public class HelloService {
    // filterObject is each element of the returned collection; elements for which the
    // expression is false are removed in place, so the returned list must be mutable
    @PostFilter("filterObject.id == 1")
    @GetMapping
    public List<Obj> hello() {
        List<Obj> list = new ArrayList<>();   // populated from a repository in real code
        return list;
    }
}
@Secured and the JSR‑250 annotations (@DenyAll, @PermitAll, @RolesAllowed) do not support SpEL but are useful for simple role‑based checks.
In the "Codeape Chronic Disease Cloud Management System" the author mainly uses @PreAuthorize to enforce data permissions, e.g.:
@PreAuthorize("@pms.hasPermission('inhos_patinfohot_get')")
public Page<Patient> getPatients(Pageable pageable) { ... }
The expression calls com.code.ape.codeape.common.security.component.PermissionService#hasPermission on the bean registered under the name pms, which compares the required permission with the current user's authorities obtained from the SecurityContext.
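The following is an added example, not the project's own PermissionService: a minimal bean named pms that implements the behaviour the article describes for @pms.hasPermission(...), reading the current Authentication from the SecurityContext and checking the required permission against the granted authorities. The real class at com.code.ape.codeape.common.security.component.PermissionService may differ in details; the fail-closed handling of a missing or anonymous context is this example's own choice.

```java
// Added example (not the project's code): the bean behind @PreAuthorize("@pms.hasPermission('...')").
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// The bean name "pms" is what the SpEL reference @pms resolves to.
@Component("pms")
public class PermissionService {

    /**
     * Returns true only when the current, non-anonymous user holds the given permission
     * as one of its granted authorities (e.g. "inhos_patinfohot_get").
     */
    public boolean hasPermission(String permission) {
        if (permission == null || permission.isBlank()) {
            return false;   // an empty requirement must never grant access
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false;   // fail closed: no usable security context means no permission
        }
        Set<String> granted = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return granted.contains(permission);
    }

    /** Convenience variant: true when every listed permission is held. */
    public boolean hasAllPermissions(String... permissions) {
        if (permissions == null || permissions.length == 0) {
            return false;
        }
        for (String p : permissions) {
            if (!hasPermission(p)) {
                return false;
            }
        }
        return true;
    }
}
```

Because the check reads SecurityContextHolder, it evaluates to false on a thread that does not carry the caller's context (for example @Async work) unless the holder's strategy propagates it, and like every method‑security annotation it is only enforced on calls that pass through the Spring proxy, so an internal call from one method of the same bean to getPatients would skip the check.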
For most projects the four annotations @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter are sufficient, offering rich SpEL‑based permission control.
Finally, the article includes a brief promotion of the author's knowledge‑sharing platform, but the technical content remains a valuable guide for implementing fine‑grained authorization in Spring‑based microservices.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn