Using Spring Security, how can I use HTTP methods (e.g. GET, PUT, POST) to distinguish security for particular URL patterns?


Problem description

The Spring Security reference states:

You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top. You can also add a method attribute to limit the match to a particular HTTP method (GET, POST, PUT etc.). If a request matches multiple patterns, the method-specific match will take precedence regardless of ordering.

How can I configure Spring Security so that access to particular URL patterns is secured differently depending on the HTTP method used to access the URL pattern?

Recommended answer

This is only about configuration. It says that the <intercept-url> elements will be evaluated from top to bottom in your <http /> tag of your configuration file:

<!-- use-expressions="true" is needed for permitAll / isAuthenticated() to be parsed as SpEL expressions (Spring Security 3.x) -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/login.jsp" access="permitAll" />
</http>

In the above example, we're trying to allow only authenticated users to access everything, except, of course, the login page (the user must first log in, right?!). But this, according to the documentation, won't work, because the less specific match is on top. So, (one of) the right configurations to accomplish this example's objective is:

<http auto-config="true" use-expressions="true">
    <!-- most specific pattern first: it is the first match that wins -->
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>

This places the more specific match on top.

The last thing the quote says is about the HTTP method. You can use it to specify the match, so:

<http auto-config="true" use-expressions="true">
    <!-- same pattern, different requirement per HTTP method -->
    <intercept-url pattern="/client/edit" access="isAuthenticated()" method="GET" />
    <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
</http>

In this second example, to access /client/edit via GET the user only needs to be authenticated, but to access /client/edit via POST (let's say, submitting the edit form) the user needs to have the EDITOR role. That URL pattern may not be encouraged in some places, but it was just an example.

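As an added illustration (not part of the original answer, and not Spring Security's own code), the following Python script models the top-to-bottom, first-match evaluation of <intercept-url> rules that the answer describes, including the method attribute. It is a simulation: the Ant-pattern matcher, the hypothetical decide() helper and the rule lists are all constructed here to mirror the answer's three snippets. It also shows one caveat the second snippet leaves open: a request whose method matches neither rule (a PUT or DELETE to /client/edit, say) carries no access attributes, and with FilterSecurityInterceptor's default rejectPublicInvocations=false it is passed through without any check, so a trailing catch-all rule (modelled here as denyAll on /**) is what closes that gap.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class InterceptUrl:
    """One <intercept-url pattern="..." access="..." method="..."/> element."""
    pattern: str
    access: str
    method: Optional[str] = None   # None == no method attribute: any method matches


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex:
    '**' spans path segments, '*' stays inside one segment, '?' is one char."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_match(rules: Sequence[InterceptUrl], method: str, path: str) -> Optional[InterceptUrl]:
    """Rules are consulted top to bottom; the first one whose pattern (and method,
    if it has one) matches wins. Rules below it are never looked at."""
    for rule in rules:
        if rule.method is not None and rule.method.upper() != method.upper():
            continue
        if ant_to_regex(rule.pattern).match(path):
            return rule
    return None


def decide(rules, method, path, authenticated=False, roles=()):
    """Return 'permit', 'deny' or 'unchecked' for one request.

    Supports the access expressions used on this page: permitAll, denyAll,
    isAuthenticated() and hasRole('X') (role names are compared literally).
    'unchecked' models a request that matches no <intercept-url>: it has no
    attributes, and with the default rejectPublicInvocations=false the
    interceptor enforces nothing for it.
    """
    rule = first_match(rules, method, path)
    if rule is None:
        return "unchecked"
    access = rule.access
    if access == "permitAll":
        return "permit"
    if access == "denyAll":
        return "deny"
    if access == "isAuthenticated()":
        return "permit" if authenticated else "deny"
    m = re.fullmatch(r"hasRole\('([^']+)'\)", access)
    if m:
        return "permit" if authenticated and m.group(1) in roles else "deny"
    raise ValueError(f"unsupported access expression: {access!r}")


# Constructed rule lists mirroring the answer's snippets.
MISORDERED = [InterceptUrl("/**", "isAuthenticated()"),
              InterceptUrl("/login.jsp", "permitAll")]
CORRECTED = [InterceptUrl("/login.jsp", "permitAll"),
             InterceptUrl("/**", "isAuthenticated()")]
METHOD_ONLY = [InterceptUrl("/client/edit", "isAuthenticated()", method="GET"),
               InterceptUrl("/client/edit", "hasRole('EDITOR')", method="POST")]
# METHOD_ONLY plus a trailing catch-all so that unlisted methods are denied.
METHOD_CLOSED = METHOD_ONLY + [InterceptUrl("/**", "denyAll")]


if __name__ == "__main__":
    cases = [
        ("misordered:  anonymous GET /login.jsp", MISORDERED, "GET", "/login.jsp", False, ()),
        ("corrected:   anonymous GET /login.jsp", CORRECTED, "GET", "/login.jsp", False, ()),
        ("method-only: user GET /client/edit", METHOD_ONLY, "GET", "/client/edit", True, ()),
        ("method-only: user POST /client/edit", METHOD_ONLY, "POST", "/client/edit", True, ()),
        ("method-only: editor POST /client/edit", METHOD_ONLY, "POST", "/client/edit", True, ("EDITOR",)),
        ("method-only: anonymous PUT /client/edit", METHOD_ONLY, "PUT", "/client/edit", False, ()),
        ("closed:      anonymous PUT /client/edit", METHOD_CLOSED, "PUT", "/client/edit", False, ()),
    ]
    for label, rules, method, path, auth, roles in cases:
        print(f"{label:42} -> {decide(rules, method, path, auth, roles)}")
```

Run it as a script to see the table: the misordered list denies the anonymous login page request because /** is hit first, the corrected list permits it, and the method-only list lets an anonymous PUT through unchecked until the catch-all is appended.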