I am developing a REST API using Spring 4. I would like to secure some of the endpoints using Spring Security, but based on what I've read this can be done with either @EnableGlobalMethodSecurity or @EnableWebSecurity. Unfortunately, the documentation that I have found for these doesn't clearly explain what they do (or how they compare). If I want to secure a Spring REST API with authentication and authorization based on data and relationships declared in a standard relational database, what is the recommended method for achieving this in Spring 4?
EnableWebSecurity will provide configuration via HttpSecurity, providing the configuration you could find with the <http></http> tag in XML configuration. It allows you to configure your access based on URL patterns, the authentication endpoints, handlers, etc.
EnableGlobalMethodSecurity provides AOP security on methods. Some of the annotations it will enable are PreAuthorize and PostAuthorize; it also has support for JSR-250. There are also more parameters in the configuration for you.
For your needs, it's better to mix the two. With REST you can achieve all you need only with @EnableWebSecurity, since HttpSecurity#antMatchers(HttpMethod,String...) accepts controls over HTTP methods.