Spring Security-通过针对@RequestParam参数的验证原理来保护请求?
[英]Spring security - Secure a request by validating principle against @RequestParam parameter?
问题描述
I work with Restful API (with many urls) using Spring 3.1.2, and want to apply security filters per request that uses both data from the authenticated user "principal" and the data sent by the request. 
我使用Spring 3.1.2使用Restful API(具有许多URL),并且希望为每个请求应用安全过滤器,该请求同时使用来自经过身份验证的用户“主要”的数据和该请求发送的数据。
example: 例:
validate accountId from request url: 从请求网址验证accountId:
http://www.foo.com/accountRecords?accountId=23
with principal data principal.accountId = 23 . 主体数据principal.accountId = 23 。
I know this can be done from within the @requestMapping methods, but want to do it outside the actual method, so it will be maintainable and configurable without interfering the business logic. 我知道可以在@requestMapping方法中完成此操作,但希望在实际方法之外执行此操作,因此它可以在不干扰业务逻辑的情况下进行维护和配置。
But I didn't find any advice\\sample about it.. 但是我没有找到任何建议\\样本。
I believe it should look something like: @PreAuthorize("principal.accountId == requestParam.accountId") 我认为它应该类似于: @PreAuthorize("principal.accountId == requestParam.accountId")
1 个解决方案
解决方案1
0 已采纳 2014-06-18 06:18:38
I think you are looking for filters to filter the request and response. 我认为您正在寻找过滤器以过滤请求和响应。 In Spring, you can use interceptors for this purpose. 在Spring中,您可以为此使用interceptors 。
public class MyInterceptor extends HandlerInterceptorAdapter {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
HttpSession session = request.getSession(false);
String requestParam = request.getParameter("your request param");
}
}
Finally, you need to configure these interceptors in your context.xml file: 最后,您需要在context.xml文件中配置这些拦截器:
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="com.example.MyInterceptor" />
</mvc:interceptor>
</mvc:interceptors>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.