
Spring Security (22): 6.4 Method Security

From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods. It provides support for JSR-250 annotation security as well as the framework's original @Secured annotation. From 3.0 you can also make use of new expression-based annotations. You can apply security to a single bean, using the intercept-methods element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts.

6.4.1 The <global-method-security> Element

This element is used to enable annotation-based security in your application (by setting the appropriate attributes on the element), and also to group together security pointcut declarations which will be applied across your entire application context. You should only declare one <global-method-security> element. The following declaration would enable support for Spring Security's @Secured:

<global-method-security secured-annotations="enabled" />

Adding an annotation to a method (on a class or interface) would then limit the access to that method accordingly. Spring Security's native annotation support defines a set of attributes for the method. These will be passed to the AccessDecisionManager for it to make the actual decision:

public interface BankService {

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account readAccount(Long id);

@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account[] findAccounts();

@Secured("ROLE_TELLER")
public Account post(Account account, double amount);
}

Support for JSR-250 annotations can be enabled using

<global-method-security jsr250-annotations="enabled" />

These are standards-based and allow simple role-based constraints to be applied but do not have the power of Spring Security's native annotations. To use the new expression-based syntax, you would use

<global-method-security pre-post-annotations="enabled" />

and the equivalent Java code would be

public interface BankService {

@PreAuthorize("isAnonymous()")
public Account readAccount(Long id);

@PreAuthorize("isAnonymous()")
public Account[] findAccounts();

@PreAuthorize("hasAuthority('ROLE_TELLER')")
public Account post(Account account, double amount);
}

Expression-based annotations are a good choice if you need to define simple rules that go beyond checking the role names against the user's list of authorities.

The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled). If you want to secure instances which are not created by Spring (using the new operator, for example) then you need to use AspectJ.

You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise. If two annotations are found which apply to a particular method, then only one of them will be applied.
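The two points above, expression rules that go beyond role names and enforcement only on Spring-managed beans, as an added example that is not from this page or from the Spring Security project. It assumes Spring Security 5.x with Java configuration; all class and method names are made up for the illustration.

```java
// Added example (not the page's or the project's code); all class and method names are made up.
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityDemo {
    public static class Account {
        private final String owner;
        public Account(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }
    public interface BankService {
        // Rule on the return value: a teller, or the owner of the account that was loaded.
        @PostAuthorize("hasAuthority('ROLE_TELLER') or returnObject.owner == authentication.name")
        Account readAccount(Long id);
        // Rule on an argument; @P names it so the expression works without -parameters at compile time.
        @PreAuthorize("hasAuthority('ROLE_TELLER') or #account.owner == authentication.name")
        Account post(@P("account") Account account, double amount);
    }
    public static class BankServiceImpl implements BankService {
        public Account readAccount(Long id) { return new Account(id == 1L ? "alice" : "bob"); }
        public Account post(Account account, double amount) { return account; }
    }
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true) // same as <global-method-security pre-post-annotations="enabled"/>
    public static class Config {
        @Bean public BankService bankService() { return new BankServiceImpl(); }
    }
    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
            BankService svc = ctx.getBean(BankService.class);          // Spring bean: proxied, rules enforced
            SecurityContextHolder.getContext().setAuthentication(
                    new TestingAuthenticationToken("alice", "pw", "ROLE_USER"));
            svc.readAccount(1L);                                        // allowed: alice owns account 1
            try { svc.readAccount(2L); } catch (AccessDeniedException e) { System.out.println("read 2 denied"); }
            try { svc.post(new Account("bob"), 10); } catch (AccessDeniedException e) { System.out.println("post denied"); }
            new BankServiceImpl().readAccount(2L);                      // created with new: not a bean, NOT secured
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

The last call succeeds because the object was created with new rather than obtained from the context, which is exactly the case the text says requires AspectJ.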

Adding Security Pointcuts using protect-pointcut

The use of protect-pointcut is particularly powerful, as it allows you to apply security to many beans with only a simple declaration. Consider the following example:

<global-method-security>
<protect-pointcut expression="execution(* com.mycompany.*Service.*(..))"
	access="ROLE_USER"/>
</global-method-security>

This will protect all methods on beans declared in the application context whose classes are in the com.mycompany package and whose class names end in "Service". Only users with the ROLE_USER role will be able to invoke these methods. As with URL matching, the most specific matches must come first in the list of pointcuts, as the first matching expression will be used. Security annotations take precedence over pointcuts.