
Spring Security: Securing URL and Parameters

I have a requirement where the application needs to secure URLs for users based on the role the user has and the parameter passed.

E.g.: There are four roles: PREVIEW_VIEW, PREVIEW_MODIFY, PUBLIC_VIEW, PUBLIC_MODIFY

And the URL hit is http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW

Let's say the user has only the 'PUBLIC_VIEW' and 'PUBLIC_MODIFY' permissions.

If the user passes the parameter 'recipientType=PREVIEW', then the page should be accessible only if the user has the 'PREVIEW_MODIFY' permission.

So how do I secure the URL and the parameter together?

I.e., allow this URL ( http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW ) only if the user has the PREVIEW_MODIFY permission, and allow this URL ( http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PUBLIC ) only if the user has the PUBLIC_MODIFY permission.

Thanks

Chetan

To me, this is the wrong way of proceeding. URLs are changeable by definition by the client, because it is the client itself who decides who or what to call. Therefore, URLs are the worst place to put security information. Besides, if you need to walk this way, I think you have no choice but to leverage encryption.

The server is the one to decide which role(s) the client is associated with, therefore it forces the client to include a parameter with its role combination. Of course, this MUST be encrypted (symmetric encryption will be enough) since the client MUST NOT be able to alter it in any way.

When the client performs the request, the server retrieves the encrypted attribute and decrypts it to obtain the client's roles.

If you need to make this attribute understandable, you could show it in the clear and use an additional cryptographic HASH parameter.
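The check the question asks for (the role required depends on the `recipientType` value) and the "roles in the clear plus a cryptographic hash" variant from the answer above, as one added example that is not code from the question or the answer. It is plain Java with `javax.crypto` and makes no use of Spring Security APIs; `RecipientTypeAuthz`, `issueRolesParam`, `verifyRolesParam`, `isAllowed` and the hard-coded key are all constructed for this illustration. The "hash" is an HMAC keyed with a server-side secret (a plain unkeyed hash would be forgeable by the client), compared in constant time with `MessageDigest.isEqual`, and an unknown `recipientType` is denied by default. Note that in a Spring Security application the authenticated principal's authorities are already held server-side, so the mapping in `REQUIRED_ROLE` is the part a practitioner would normally keep, while the signed parameter is only needed if the roles really must travel with the request.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;

public class RecipientTypeAuthz {

    // Constructed demo secret. In a real deployment the key comes from a key store
    // or secrets manager and is never hard-coded in source.
    private static final byte[] KEY =
            "constructed-demo-key-do-not-use".getBytes(StandardCharsets.UTF_8);

    // Which role each recipientType value requires, as stated in the question.
    private static final Map<String, String> REQUIRED_ROLE = Map.of(
            "PREVIEW", "PREVIEW_MODIFY",
            "PUBLIC", "PUBLIC_MODIFY");

    // URL-safe base64 HMAC-SHA256 tag over the given string.
    static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Server side, when rendering links: roles in the clear, followed by the tag.
    // Sorting the roles makes the encoding canonical so the tag is reproducible.
    static String issueRolesParam(Set<String> roles) throws Exception {
        String clear = String.join(",", new TreeSet<>(roles));
        return clear + "." + hmac(clear);
    }

    // Server side, on the incoming request: recompute the tag and compare it in
    // constant time. Any tampering with the clear part yields Optional.empty().
    static Optional<Set<String>> verifyRolesParam(String param) throws Exception {
        int dot = param.lastIndexOf('.');
        if (dot < 0) {
            return Optional.empty();
        }
        String clear = param.substring(0, dot);
        byte[] given = param.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmac(clear).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(given, expected)) {
            return Optional.empty();
        }
        return Optional.of(new HashSet<>(Arrays.asList(clear.split(","))));
    }

    // The URL+parameter rule from the question: the recipientType value selects
    // the role that must be present. Unknown values are denied, not ignored.
    static boolean isAllowed(String rolesParam, String recipientType) throws Exception {
        String required = REQUIRED_ROLE.get(recipientType);
        if (required == null) {
            return false;
        }
        return verifyRolesParam(rolesParam)
                .map(roles -> roles.contains(required))
                .orElse(false);
    }

    public static void main(String[] args) throws Exception {
        // The user from the question: PUBLIC_VIEW and PUBLIC_MODIFY only.
        String token = issueRolesParam(Set.of("PUBLIC_VIEW", "PUBLIC_MODIFY"));

        System.out.println("recipientType=PUBLIC  -> " + isAllowed(token, "PUBLIC"));
        System.out.println("recipientType=PREVIEW -> " + isAllowed(token, "PREVIEW"));

        // Client rewrites the clear part to claim PREVIEW_MODIFY but keeps the old tag.
        String forged = "PREVIEW_MODIFY." + token.substring(token.lastIndexOf('.') + 1);
        System.out.println("forged roles param    -> " + isAllowed(forged, "PREVIEW"));

        // A recipientType value with no mapping is refused rather than passed through.
        System.out.println("recipientType=OTHER   -> " + isAllowed(token, "OTHER"));
    }
}
```

Run with `java RecipientTypeAuthz.java` (Java 11 or later). The genuine token is accepted for `PUBLIC` and refused for `PREVIEW`, the forged token fails the tag check, and the unmapped `recipientType` is denied; the same `isAllowed` logic can sit in a servlet filter or an access decision in front of `editGroups.action`.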

粤ICP备18138465号  © 2020-2024 STACKOOM.COM