Question
Hi,
- Is securing URLs not enough?
- Is there a way a user could call a URL without the needed credentials, and is this the reason to secure methods?
- What is a real example of why securing methods is necessary and not just URLs?
Thanks
Answer 1:
It is usually enough to secure only URLs in simple cases. Think about method level security as an addition to URL level security. For example, a simple check that a user has a particular role to access some URL in your app can be achieved with the aid of URL level security.
However, there are cases where you need more fine-grained security. If you want to allow access to the given product (id=5) only to its creator, you do not get by with URL level security only. But you can achieve this with method level security.
Consider this URL.
https://myapp.com/products/5
You can check that a user accessing this URL has role REQUIRED_ROLE.
<security:intercept-url pattern="/products/**" access="hasRole('REQUIRED_ROLE')" />
If you need to ensure that the user is also the product creator, you need something like this:
...
@PreAuthorize("#product.creator == authentication.name")
public void doSomething(Product product);
...
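The two layers from the answer above, side by side, as an added example that is not part of the original answer. It assumes Spring Boot 3 with Spring Security 6 Java configuration instead of the XML shown; Product, ProductService, ProductController and the users "alice" and "bob" are hypothetical, and the product map is constructed sample data.

```java
import java.util.*;
import org.springframework.context.annotation.*;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.parameters.P;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize (assumes Spring Security 6)
class SecurityConfig {
    @Bean // URL level: any user holding REQUIRED_ROLE may request every /products/{id}
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/products/**").hasRole("REQUIRED_ROLE")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults()).build();
    }
}
class Product { // hypothetical domain class
    private final String creator;
    Product(String creator) { this.creator = creator; }
    public String getCreator() { return creator; }
}
@Service
class ProductService { // hypothetical; the map is constructed sample data
    private final Map<Long, Product> store = Map.of(5L, new Product("alice"));
    public Product load(long id) { // unknown id -> 404 before any SpEL check runs
        return Optional.ofNullable(store.get(id))
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
    // Method level: checked per call on the object; @P names the argument for SpEL.
    @PreAuthorize("#product.creator == authentication.name")
    public void doSomething(@P("product") Product product) { /* act on the product */ }
}
@RestController
class ProductController { // hypothetical
    private final ProductService service;
    ProductController(ProductService service) { this.service = service; }
    // "bob" with REQUIRED_ROLE passes the URL rule, yet the call below throws
    // AccessDeniedException (translated to 403) because product 5 belongs to "alice".
    @GetMapping("/products/{id}")
    void use(@PathVariable long id) { service.doSomething(service.load(id)); }
}
```

The annotation is enforced by a proxy around the bean, so a call to doSomething from another method of ProductService itself would skip the check.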
Source: https://stackoverflow.com/questions/26127755/why-to-secure-methods-in-spring-security-and-not-just-urls