Spring 中的方法安全性

Question

I have a question regarding using Spring Security to protect against SQL injection. First of all, I know that use prepared statement can protect from any SQL injection. But In my project I want to show that use Spring Security could help to protect or mitigate against this kind of attack. what i did so far, i made connection using JDBC & Spring and I applied Spring Security and every thing is fine. My question is in my project i used two ways to protect against SQL injection. The first one is Santizing user input and the second one is using Spring Security. I could pass malicious input through Sanitizaing and I want to show that the role of spring security. for example, I pass this input:

TV' UNION SELECT credit_no From credit;--

In this case how I can tell Spring security that it doesnot give any users the credit number. By the way, I used method security level. Just I want to give me an easy way to analyze the user input to see If it has access to data which he asked such as credit.

I hope that clear

Answer 1

Well, your question is not 100% clear, and it may vary on your architecture, but pre post annotations can work well to grab user input.
You can create your own permission evaluator and check permission for pre authorization in your methods.

@PostFilter("hasPermission(filterObject, 'customoperation')")
public CreditCard getCreditCard(String userInput) {
    //
}

and your hasPermission method (that you've read about in the link above) goes something like:

public boolean hasPermission(Authentication authentication,
        Object target, Object permission) {
    if ("customoperation".equals(permission)) {
        //your logic here, returning true or false, filtering the object
    }
    return false;
}

You can also extend the expression handler to use custom functions. Check this answer .