Spring Security 和多租户 / REST ->如何?最佳实践?参考应用程序?
我一直在寻找一种
@RequestMapping("/owners/{ownerId}/pets/new")
在用户(而不是角色)级别上保护 URL 的方法,即只有 ID 为 {ownerId} 的所有者才能访问。此外,我想确保 RESTful 设计的安全,包括。 动态地在所有者级别异步访问 JSON 服务。
我的问题:
- 如何用 Spring 最好地完成这个任务 安全?
- 这是如何完成的 /owners/{ownerId}/pets/new 是 通过异步请求访问?
- 我如何访问上述 URI 来自第 3 方应用程序,例如 iPhone 应用程序?
- 有任何示例/参考应用/文章吗?
谢谢 呃
I have been looking for a way to secure URLs like
@RequestMapping("/owners/{ownerId}/pets/new")
on user (not role) level, i.e. only owner with ID {ownerId} has access. Moreover, I want to secure RESTful design incl. async access to JSON services on owner level dynamically.
My questions:
- How is this best done with Spring
Security? - How is this done when
/owners/{ownerId}/pets/new is
accessed via async request? - How would I access above-mentioned URI
from a 3rd party app, e.g. iPhone
app? - Any sample/reference applications/articles?
Thanks
Er
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用 @预授权。您可以使用 Spring-EL 表达式,如
上面的代码只是代表性的。一些细节取决于您的实施。
阅读更多
Use @PreAuthorize. You can use a Spring-EL expression like
The above code is only representative. Some details depend on your implementation.
Read more here.
关于你的问题1,我能想到的最简单的方法是-在你的控制器方法中,你可以首先根据ID检查用户授权。 UserDetails 可从 SpringSecurityContext 访问,您可以从中检索当前登录用户的 ID。从请求 URL 获取的 ID 也可以作为路径变量访问。如果这两者不匹配,您可以简单地抛出一个异常,例如 AccessDeniedException。
您可以将此逻辑移至 BaseController 中的一个方法,该方法将充当所有控制器的超类,并且所有控制器方法都可以使用相同的方法进行类似的检查。
Regarding your question 1, the simplest approach I can think of is - within your controller method you can first check for the user authorization based on the ID. The UserDetails is accessible from the SpringSecurityContext and you can retrieve ID of currently logged in user from it. The ID obtained from request URL is also accessible as path variable. If these two dont match you can simply throw an exception like AccessDeniedException.
You may move this logic to a method in a BaseController which will act as superclass for all your Controllers and same method can be used by all controller methods for a similar check.