Spring security, secure method and url secure

I am learning Spring Security, but all this flexibility confuses me.

I know that I can protect URLs by defining rules in the tag; then I saw that there is an @Secured annotation that can protect methods, and then there are other annotations for reading / updating domain objects (or POJOs).

So when I want to develop a typical permission / role / user web application, in addition to creating rules for protecting URLs, do I also need to use the @Secured annotation to protect methods?

E.g.:

  • the user enters a restricted URL
  • the application asks the user to log in
  • check whether the role has access to the URL
  • the user selects "add new"
  • check again whether this user has permission to call the "addNew()" method ??

Or is one of steps 4 or 5 redundant?

sorry for my English

2 answers

The most important thing to remember here: you should assume that the user can send anything to your web application through raw HTTP GET or POST. This is also called "never trust the client." Thus, steps 4 and 5 above are not redundant. For example, if you have reached step 5, you cannot be sure that step 3 has been taken.

However, if you can precisely distinguish what the user intends to do through one URL, and you do not need to protect this method through another access channel (say, from a queue or RMI), you can get away with protecting only the URL. It is still a good idea to have method-level security regardless, for several reasons. First, it documents the expected roles right where the logic runs. This can be useful for understanding the assumptions that were made during development, which helps when building future improvements. Second, it guarantees that security will not be inadvertently compromised by a future access channel.


URL-level security is quite rich, as you can see, for example, by looking at the fluent HttpSecurity API. But there are at least two reasons for using method-level security in Spring Security:

  • As pointed out by Jonathan W, your secured logic can be reached through connector types other than HTTP. For example, the logic can be exposed through EJB.

  • For a REST API, the same URI can support different HTTP methods that have different authorization rules. For example, /myapi/order/{id} can accept GET and DELETE, and DELETE may only be accessible to users with the Supervisor role. You cannot specify this rule with URL security, but you can do it with method security, for example, using @Secured("Supervisor") on the method that handles DELETE.

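The two-layer setup both answers describe, as an added example (this is not code from the thread or from the Spring project): URL rules on the `HttpSecurity` filter chain as the first gate, and `@Secured` on the service methods so the role requirement travels with the logic whatever channel calls it. The package, class and role names are assumptions, and the example uses current Spring Security 6 APIs (`@EnableMethodSecurity`, `authorizeHttpRequests`). Note that `@Secured` is checked by a role voter that expects the `ROLE_` prefix by default, so the annotation reads `@Secured("ROLE_SUPERVISOR")` rather than `@Secured("Supervisor")`. Also, in addition to the method rule, the config adds an HTTP-method-specific URL matcher for DELETE, so the same restriction is enforced at both layers.

```java
// Added example, not from the original thread. Package and class names are assumptions.
package com.example.ordersecurity;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity(securedEnabled = true) // enables @Secured checks on beans
class SecurityConfig {

    // Layer 1: URL security. Any request under /myapi/** must be authenticated,
    // and DELETE on an order additionally needs the SUPERVISOR role. This is the
    // gate that the "never trust the client" rule requires on every request.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.DELETE, "/myapi/order/**").hasRole("SUPERVISOR")
                .requestMatchers("/myapi/**").authenticated()
                .anyRequest().permitAll())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@Service
class OrderService {

    // Layer 2: method security. The role is documented where the logic runs, and
    // it still holds if this service is later exposed over RMI, a queue or EJB,
    // where the URL rules above never execute.
    @Secured("ROLE_USER")
    public String findOrder(long id) {
        // Hypothetical lookup; a real service would hit a repository here.
        return "order " + id;
    }

    @Secured("ROLE_SUPERVISOR")
    public void deleteOrder(long id) {
        // Hypothetical delete; reaching this line already implies the caller
        // holds ROLE_SUPERVISOR, regardless of how the call arrived.
    }
}

@RestController
@RequestMapping("/myapi/order")
class OrderController {

    private final OrderService orders;

    OrderController(OrderService orders) {
        this.orders = orders;
    }

    // Same URI for GET and DELETE; the stricter rule for DELETE is enforced
    // both by the URL matcher and by @Secured on the service method.
    @GetMapping("/{id}")
    public String get(@PathVariable long id) {
        return orders.findOrder(id);
    }

    @DeleteMapping("/{id}")
    public void delete(@PathVariable long id) {
        orders.deleteOrder(id);
    }
}
```

With this in place, a user holding only ROLE_USER who sends `DELETE /myapi/order/42` is rejected by the filter chain with 403 before the controller runs; if that user instead reached `OrderService.deleteOrder` through some other path, the `@Secured` check throws `AccessDeniedException`. Either layer alone stops the request, which is exactly why the answers above treat steps 4 and 5 as complementary rather than redundant.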

Source: https://habr.com/ru/post/1415273/
