问题
I am new in Spring Security and have an issue with authenticating specific URLs with path variables or parameters.
Let's say I have some URL: /messages/1 where 1 is an user's ID.
What I want to do is to let ONLY user with ID=1 accessing page with this URL.
Spring Security allows accessing some content if user is authenticated, but how can I make authentication more narrow?
回答1:
Assuming that you have an id property in your UserDetails:
@RequestMapping(value="/messages/{userId}", method=HttpMethod.GET)
@PreAuthorize("#userId == authentication.principal.id")
public List<Message> getMessages(@PathVariable String userId) {
// retrieve from DAO here
}
Make sure you have enabled pre/post-annotations in your security config.
来源:https://stackoverflow.com/questions/35817200/accessing-url-with-params-in-spring-security