Spring - How to protect RESTful private resources?

Views: 87

Problem description

I've some RESTful services, implemented with Spring MVC, exposing a set of resources. I already use authentication, based on HTTPBasicAuthentication and HTTPS. Some of the resources must be accessible only to some users.

For example, I want that all sub-resources in the URI /users/{userid}/photos are accessible only to the user userid. Actually in my application they are accessible to all authenticated users. How can I protect them from other users except userid? And what if I want to allow access to this resources only to a subset of users (like, for example, userid's friends)?

Recommended answer

I solved it by using @PreAuthorize("authentication.name == #userId"), instead of @Secured(value = {"userid"}) or @Secured(value = {"#userid"}) as suggested, which were not working.

Note it's necessary to add <security:global-method-security pre-post-annotations="enabled"/> to the servlet context configuration file.
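The following controller is an added illustration of the accepted answer, not code from the original post: it shows the owner-only rule from the answer and extends it to the "friends" case from the question by delegating to a Spring bean from the SpEL expression. FriendService, PhotoRepository and the bean name friendService are assumptions; the @P annotation is used so the #userId reference does not depend on the compiler keeping parameter names.

```java
// Added example (not from the original answer). Requires method security to be
// enabled, e.g. the XML line quoted in the answer or, in Java config,
// @EnableGlobalMethodSecurity(prePostEnabled = true) on a @Configuration class.
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.parameters.P;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import java.util.List;

// Hypothetical service: the page does not say how friendships are stored.
interface FriendService {
    boolean isFriendOf(String ownerId, String otherId);
}

// Hypothetical repository standing in for whatever backs /photos.
interface PhotoRepository {
    List<String> findPhotoIds(String userId);
}

@RestController
@RequestMapping("/users/{userId}/photos")
public class PhotoController {

    private final PhotoRepository photos;

    public PhotoController(PhotoRepository photos) {
        this.photos = photos;
    }

    // Owner only: the authenticated principal's name must equal the path variable.
    // @P("userId") binds the SpEL name #userId explicitly instead of relying on
    // debug info or the -parameters compiler flag. A mismatch throws
    // AccessDeniedException, which Spring Security turns into a 403.
    @GetMapping
    @PreAuthorize("authentication.name == #userId")
    public List<String> listOwnPhotos(@P("userId") @PathVariable String userId) {
        return photos.findPhotoIds(userId);
    }

    // Owner or friend: the friendship decision is delegated to a Spring bean
    // named "friendService" (assumed), referenced from SpEL with the @ prefix.
    @GetMapping("/shared")
    @PreAuthorize("authentication.name == #userId "
                + "or @friendService.isFriendOf(#userId, authentication.name)")
    public List<String> listSharedPhotos(@P("userId") @PathVariable String userId) {
        return photos.findPhotoIds(userId);
    }
}
```

Because the check runs on the method, it applies regardless of which URL mapping reaches it, unlike a URL-pattern rule in the HTTP security configuration.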
