How to allow a User only access their own data in Spring Boot / Spring Security?

Backend · Unresolved · 3 answers · 515 views
情歌与酒 2020-12-05 12:19

I have some rest api like this:

/users/{user_id}
/users/{user_id}/orders
/users/{user_id}/orders/{order_id}

How must I secure them? every u

3 answers
  •  小蘑菇 (OP)
     2020-12-05 12:42

    You should first choose your security strategy. What you need is named "Row Filtering", one of the Authorization concepts among the 3A (Authentication, Authorization, Audit) concepts.

    If you want to implement a comprehensive solution, take a look at:

    https://docs.spring.io/spring-security/site/docs/3.0.x/reference/domain-acls.html

    Spring ACL completely covers concepts like "Row Filtering", "White/Black List", "Role-Based Authorization", "ACL Inheritance", "Role Voter", ...

    Otherwise, you should save the owner per business case you want to be secured and filter on it in your Service Layer.
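One way to implement the second approach (save the owner with each row and filter on it in the service layer), added here as an example that is not part of the answer or of Spring's own code. It also shows a `@PreAuthorize` check that compares the `{user_id}` path variable with the authenticated principal, which the answer does not mention. It assumes Spring Boot 3 / Spring Security 6 (`jakarta.persistence`, `@EnableMethodSecurity`) and that the principal's name is the same string as `user_id`; the `Order` entity, `OrderRepository`, `OrderService` and `UserOrderController` names are made up for the illustration.

```java
// Added example, not code from the original post or its author.
// Assumes Spring Boot 3 / Spring Security 6 and that the principal's name equals
// the {user_id} path variable. Order, OrderRepository, OrderService and
// UserOrderController are hypothetical names chosen for this illustration.
package com.example.ownership;

import java.util.List;
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.Table;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.parameters.P;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Turns on evaluation of @PreAuthorize expressions.
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {}

// The owner is stored with every row; that column is what row filtering keys on.
@Entity
@Table(name = "orders")   // "order" is a reserved word in SQL
class Order {
    @Id @GeneratedValue private Long id;
    private String ownerId;      // username of the owner, fixed at creation time
    private long amountCents;

    protected Order() {}         // no-arg constructor required by JPA
    Order(String ownerId, long amountCents) { this.ownerId = ownerId; this.amountCents = amountCents; }
    public Long getId() { return id; }
    public String getOwnerId() { return ownerId; }
    public long getAmountCents() { return amountCents; }
}

// Spring Data derives the WHERE clauses from the method names. Every query is
// scoped to the owner, so there is no "find any order by id" method to misuse.
interface OrderRepository extends JpaRepository<Order, Long> {
    List<Order> findByOwnerId(String ownerId);
    Optional<Order> findByIdAndOwnerId(Long id, String ownerId);
}

// Service-layer filtering, as the answer suggests. The owner used in queries is
// taken from the SecurityContext, never from the URL, so a controller that
// forgets its @PreAuthorize still cannot expose another user's rows.
@Service
class OrderService {
    private final OrderRepository repo;
    OrderService(OrderRepository repo) { this.repo = repo; }

    public List<Order> ordersOf(String requestedUserId) {
        return repo.findByOwnerId(requireSelf(requestedUserId));
    }

    // An order id that exists but belongs to someone else comes back empty;
    // the controller maps that to 404 instead of confirming the id exists.
    public Optional<Order> orderOf(String requestedUserId, Long orderId) {
        return repo.findByIdAndOwnerId(orderId, requireSelf(requestedUserId));
    }

    // Saving the owner with the row is what makes the later filtering possible.
    public Order create(String requestedUserId, long amountCents) {
        return repo.save(new Order(requireSelf(requestedUserId), amountCents));
    }

    private static String requireSelf(String requestedUserId) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.getName().equals(requestedUserId)) {
            throw new AccessDeniedException("callers may only access their own data");
        }
        return auth.getName();
    }
}

// Method security on the controller: the SpEL expression compares the path
// variable with the principal's name before the body runs, so a mismatch is
// rejected with 403. @P names the parameter for SpEL so the check does not
// depend on the -parameters compiler flag being set.
@RestController
class UserOrderController {
    private final OrderService orders;
    UserOrderController(OrderService orders) { this.orders = orders; }

    @GetMapping("/users/{userId}/orders")
    @PreAuthorize("#userId == authentication.name")
    public List<Order> listOrders(@P("userId") @PathVariable String userId) {
        return orders.ordersOf(userId);
    }

    @GetMapping("/users/{userId}/orders/{orderId}")
    @PreAuthorize("#userId == authentication.name")
    public ResponseEntity<Order> getOrder(@P("userId") @PathVariable String userId,
                                          @PathVariable Long orderId) {
        return orders.orderOf(userId, orderId).map(ResponseEntity::ok)
                .orElse(ResponseEntity.notFound().build());
    }
}
```

The two layers are deliberately redundant: the controller check gives a fast, auditable 403, while the owner-scoped repository methods guarantee that no code path can load rows the caller does not own. If you later need delegated access (an admin reading any user's orders, or per-object grants), that is the point at which the Spring ACL module linked in the answer becomes worth its setup cost.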
