为什么要在Spring Security中保护方法而不只是URL? [英] Why to secure methods in Spring Security and not just urls?
问题描述
- 是否没有足够的安全化URL?
- 有没有一种方法可以让用户无需过多的凭据就可以调用url,这就是确保方法安全的原因?
- 为什么必须使用安全方法而不仅仅是URL的真实示例?
谢谢
推荐答案
在简单情况下,仅保护URL通常就足够了.将方法级安全性考虑为URL级安全性的补充.例如,借助URL级安全性,可以简单地检查用户是否具有访问您应用程序中某些URL的特定角色.
It is usually enough to secure only URLs in simple cases. Think about method level security as an addition to URL level security. For example a simple check that a user has a particular role to access some URL in your app can be achieved with the aid of URL level security.
但是,在某些情况下,您需要更细粒度的安全性.如果您只允许访问给定产品(id = 5)的创建者,那么您不仅会获得URL级别的安全性.但是您可以通过方法级别的安全性来实现.
However, there are cases you need more fine-grained security. If you want to allow to access the given product (id=5) only to its creator, you do not get by with URL level security only. But you can achieve this with method level security.
考虑此URL.
https://myapp.com/products/5
您可以检查访问此URL的用户是否具有角色REQUIRED_ROLE.
You can check that a user accessing this URL has role REQUIRED_ROLE.
<security:intercept-url pattern="/products/**" access="hasRole('REQUIRED_ROLE')" />
如果您需要确保用户也是产品创建者,则需要这样的内容:
If you need to ensure that the user is also the product creator, you need something like this:
...
@PreAuthorize("#product.creator == authentication.name")
public void doSomething(Product product);
...
这篇关于为什么要在Spring Security中保护方法而不只是URL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!