Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Expression based security with Spring

0
0
Spring Security

Many web apps have a very simple security concept based on user roles. You might have some admin , some common users and maybe some more roles like a moderator or a super-user . Such a role concept can be easily implemented with Spring Security . For example, you could secure your app based on routes:

http.authorizeRequests() .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')") .antMatchers("/user/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')") .and() .formLogin();

If you want to be more flexible, you could also annotate your individual controllers instead of making a central configuration:

@PreAuthorize("hasRole('ROLE_ADMIN')") @RequestMapping(value = "/admin/info", method = RequestMethod.GET) public InfoDtogetAdminInformation() { // ... }

But what if your security model has more constraints than roles?

Spring Security makes it easy to handle roles. But there are a lot of situations where roles are not enough. Image an order system (something like Amazon) where an user can cancel an order. Every user role will have this permission but only on those orders which belong to the user!

More https://www.isostech.com/blogs/spring-2/spring-preauthorize-spel-examples / http://blog.solidcraft.eu/2011/03/spring-security-by-example-securing.html http://stackoverflow.com/questions/6632982/how-to-create-custom-methods-for-use-in-spring-security-expression-language-anno

Viewing all articles
Browse latest Browse all 12749