为什么要在Spring Security中保护方法而不只是URL? [英] Why to secure methods in Spring Security and not just urls?

问题描述

• 是否没有足够的安全化URL?
• 有没有一种方法可以让用户无需过多的凭据就可以调用url，这就是确保方法安全的原因?
• 为什么必须使用安全方法而不仅仅是URL的真实示例?

谢谢

推荐答案

在简单情况下，仅保护URL通常就足够了.将方法级安全性考虑为URL级安全性的补充.例如，借助URL级安全性，可以简单地检查用户是否具有访问您应用程序中某些URL的特定角色.

It is usually enough to secure only URLs in simple cases. Think about method level security as an addition to URL level security. For example a simple check that a user has a particular role to access some URL in your app can be achieved with the aid of URL level security.

但是，在某些情况下，您需要更细粒度的安全性.如果您只允许访问给定产品(id = 5)的创建者，那么您不仅会获得URL级别的安全性.但是您可以通过方法级别的安全性来实现.

However, there are cases you need more fine-grained security. If you want to allow to access the given product (id=5) only to its creator, you do not get by with URL level security only. But you can achieve this with method level security.

考虑此URL.

https://myapp.com/products/5

您可以检查访问此URL的用户是否具有角色REQUIRED_ROLE.

You can check that a user accessing this URL has role REQUIRED_ROLE.

<security:intercept-url pattern="/products/**" access="hasRole('REQUIRED_ROLE')" />

如果您需要确保用户也是产品创建者，则需要这样的内容:

If you need to ensure that the user is also the product creator, you need something like this:

...

@PreAuthorize("#product.creator == authentication.name")
public void doSomething(Product product);

...

这篇关于为什么要在Spring Security中保护方法而不只是URL?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！