春季-如何保护RESTful私有资源? [英] Spring - How to protect RESTful private resources?
问题描述
我有一些使用Spring MVC实现的RESTful服务,它公开了一组资源.我已经使用基于HTTPBasicAuthentication和HTTPS的身份验证.某些资源必须只能由某些用户访问.
I've some RESTful services, implemented with Spring MVC, exposing a set of resources. I already use authentication, based on HTTPBasicAuthentication and HTTPS. Some of the resources must be accessible only to some users.
例如,我希望仅用户userid
可以访问URI /users/{userid}/photos
中的所有子资源.实际上,在我的应用程序中,所有经过身份验证的用户都可以访问它们.如何保护他们免受userid
以外的其他用户的侵害?
如果我只想允许一部分用户(例如userid
的朋友)访问此资源,怎么办?
For example, I want that all sub-resources in the URI /users/{userid}/photos
are accessible only to the user userid
. Actually in my application they are accessible to all authenticated users. How can I protect them from other users except userid
?
And what if I want to allow access to this resources only to a subset of users (like, for example, userid
's friends)?
推荐答案
我通过使用@PreAuthorize("authentication.name == #userId")
而不是建议的@Secured(value = {"userid"})
或@Secured(value = {"#userid"})
来解决了这个问题,
I solved it by using @PreAuthorize("authentication.name == #userId")
, instead of @Secured(value = {"userid"})
or @Secured(value = {"#userid"})
like suggested, that were not working.
请注意,必须将<security:global-method-security pre-post-annotations="enabled"/>
添加到servlet上下文配置文件中.
Note it's necessary to add <security:global-method-security pre-post-annotations="enabled"/>
to the servlet context configuration file.
这篇关于春季-如何保护RESTful私有资源?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!