Question
The Spring Security reference states:
How can I configure Spring Security so that access to particular URL patterns is secured differently depending on the HTTP method used to access the URL pattern?
Recommended answer
This is only about configuration. It says that the <intercept-url> elements will be evaluated from top to bottom in your <http /> tag of your configuration file:
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/login.jsp" access="permitAll" />
</http>
In the above example, we're trying to allow only authenticated users to access everything, except, of course, the login page (the user must first log in, right?!). But this, according to the documentation, won't work, because the less specific match is on top. So, (one of) the right configurations to accomplish this example's objective is:
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.jsp" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
</http>
Placing the more specific match on top.
The last thing the quote says is about the HTTP method. You can use it to specify the match, so:
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/client/edit" access="isAuthenticated()" method="GET" />
    <intercept-url pattern="/client/edit" access="hasRole('EDITOR')" method="POST" />
</http>
In this second example, to access /client/edit via GET the user only needs to be authenticated, but to access /client/edit via POST (let's say, submitting the edit form) the user needs to have the EDITOR role. That URL pattern may not be encouraged in some places but it was just an example.
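The top-to-bottom, first-match evaluation described in the answer, as a simplified Python model added here (not part of the original answer and not Spring Security's own code); the matcher, the rule tuples and names such as `decide` and `HARDENED` are assumptions made for illustration. It also shows that the two method-specific rules leave a PUT to /client/edit with no matching rule at all unless a catch-all rule is placed last.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' spans segments, '*' stays inside one."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def decide(rules, method, path):
    """Return the access expression of the FIRST matching rule, or None."""
    for pattern, rule_method, access in rules:
        # A rule with a method attribute only applies to that HTTP method.
        if rule_method is not None and rule_method != method.upper():
            continue
        if ant_to_regex(pattern).fullmatch(path):
            return access
    return None  # no rule matched: nothing on this list governs the request

# Rule lists mirror the <intercept-url> order of the snippets in the answer.
MISORDERED = [("/**", None, "isAuthenticated()"), ("/login.jsp", None, "permitAll")]
ORDERED = [("/login.jsp", None, "permitAll"), ("/**", None, "isAuthenticated()")]
BY_METHOD = [
    ("/client/edit", "GET", "isAuthenticated()"),
    ("/client/edit", "POST", "hasRole('EDITOR')"),
]
# Assumption for illustration: a final catch-all so no method falls through.
HARDENED = BY_METHOD + [("/**", None, "denyAll")]

if __name__ == "__main__":
    for name, rules, method, path in [
        ("misordered", MISORDERED, "GET", "/login.jsp"),
        ("ordered", ORDERED, "GET", "/login.jsp"),
        ("by-method", BY_METHOD, "POST", "/client/edit"),
        ("by-method", BY_METHOD, "PUT", "/client/edit"),
        ("hardened", HARDENED, "PUT", "/client/edit"),
    ]:
        print(f"{name:10} {method:4} {path:13} -> {decide(rules, method, path)}")
```
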