Spring MVC: securing handler methods
I'm wondering what a good approach is to secure handler methods in a Spring MVC controller. Now I use the @Secured annotation, which ensures that some methods may be accessed by logged-in users only. But how do I ensure that one logged-in user doesn't do something bad to other users? For example, I have a method that deletes the item with a given id. To ensure that someone can't remove items other than his own, I check the item owner. Is there a better way to do something like that?

    import org.springframework.security.access.annotation.Secured;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestParam;
    @Secured("ROLE_USER")                 // role check only: any logged-in user reaches this method
    @RequestMapping("/deleteitem.html")
    public String delete(@RequestParam(value = "id") Long id) {
        Item b = itemDAO.get(id);
        // Object-level check: delete only if the caller owns the item. The cast assumes a custom
        // UserDetails implementation that exposes getUser(); the null test guards against an unknown id.
        if (b != null && b.getOwner().getId().equals(
                ((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUser().getId())) {
            itemDAO.delete(id);
        }
        return "redirect:/user/items.html";
    }
Comments (3)
Perhaps you can look at the @PreAuthorize annotation. You can do something like
You would need to rewrite your current code suitably.
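Added example (not code from the question or from any of the comments) of the @PreAuthorize approach suggested above: the role check and the ownership check move into a SpEL expression that is evaluated before the handler body runs, and the ownership rule lives in one bean instead of being repeated in every handler. ItemDAO, Item and AppUserDetails (a custom UserDetails exposing getUser(), as the cast in the question implies) are assumed names.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical bean holding the ownership rule in one place, referenced from
// SpEL as @itemAuthz. ItemDAO, Item and AppUserDetails are assumed types.
@Component("itemAuthz")
public class ItemAuthz {
    private final ItemDAO itemDAO;

    @Autowired
    public ItemAuthz(ItemDAO itemDAO) { this.itemDAO = itemDAO; }

    // True only when the item exists and belongs to the authenticated caller.
    // Unknown ids, a missing owner or an unexpected principal type all deny,
    // so a request for a bad id gets 403 rather than a NullPointerException.
    public boolean isOwner(Long itemId, Authentication auth) {
        if (auth == null || !(auth.getPrincipal() instanceof AppUserDetails)) {
            return false;
        }
        Item item = itemDAO.get(itemId);
        if (item == null || item.getOwner() == null) {
            return false;
        }
        Long callerId = ((AppUserDetails) auth.getPrincipal()).getUser().getId();
        return item.getOwner().getId().equals(callerId);
    }
}

@Controller
class ItemController {
    private final ItemDAO itemDAO;
    @Autowired
    ItemController(ItemDAO itemDAO) { this.itemDAO = itemDAO; }

    // Role and ownership are evaluated before the body runs; a failed check
    // raises AccessDeniedException (HTTP 403) instead of silently redirecting.
    // #id is resolved by parameter name (compile with -parameters or debug info).
    @PreAuthorize("hasRole('ROLE_USER') and @itemAuthz.isOwner(#id, authentication)")
    @RequestMapping("/deleteitem.html")
    public String delete(@RequestParam("id") Long id) {
        itemDAO.delete(id);
        return "redirect:/user/items.html";
    }
}
```

Pre/post annotations must be switched on for this to take effect (@EnableGlobalMethodSecurity(prePostEnabled = true), or pre-post-annotations="enabled" on global-method-security in the XML namespace). A denied check now ends in a 403 that shows up in access logs, whereas the original handler just redirected as if nothing happened.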
Look into Spring Security ACL (Access Control List): you can create a list of permissions that users have for this object. Permissions include read, write, delete...
You need to implement a role-based system; based on privileges, a user can perform the delete operation.
If a specific user has delete access, then he/she does the delete stub.