
How to add interceptor in Spring

I am using Spring Security 3.0.3 for a project. My user info is loaded from the database. I have the following interceptor:

<intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

I want to add an interceptor to user data. When I log in with user1 (requester as role) he can see only specific user1 data.

http://localhost:7009/Test/requester//30351?menuId=app.requester.new

But when I log in with another user2 (requester as role) and enter the above URL in the browser:

http://localhost:7009/Test/requester//30351?menuId=app.requester.new. 

he can see user1 data.

How can I add an interceptor so that it restricts another user's data?

Following is the scenario:

1> Log in with user1 and he can see the following list of data: 101 102 103. When I click on 102 data it opens details of 102 data.

http://localhost:7009/Test/requester//102?menuId=app.requester.new. 

2> Log in with user2 and he can see the following list of data: 104 105 106

When I click on 105 data it opens details of 105 data.

http://localhost:7009/Test/requester//105?menuId=app.requester.new.

But when I copy the user1 link

 http://localhost:7009/Test/requester//102?menuId=app.requester.new.  

and paste it into the browser, user2 can see details of user1 data.

You don't filter everything in the Spring Security configuration but rather do it in the view or controller. Here is a very good tutorial which shows you how to use Spring Security in your case.

http://static.springsource.org/spring-security/site/petclinic-tutorial.html

If you use JSP for your view, you can use the Spring Security taglib to handle the view of the user's own data and, for other users' data, you will need to put the filtering logic inside the controller and pass them as a model to the view. However, the exact solution depends on your application.

One option to do this is to use the Spring Expression Language and a custom Permission Evaluator. Here's what we did to implement a department/sub-department authorization scheme: "how to control the user authentication using spring mvc". This will allow you to create custom logic to identify what user1 is allowed to see, etc.

Check out http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html. Take a look at the @PostFilter annotation - if your data set is returned as a collection or an array, Spring Security can automatically filter out data elements based on your custom Permission Evaluator.
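The custom Permission Evaluator approach from the answer above, applied to the question's user1/user2 case; this is an added example, not code from the original posts. `RequestRecord`, `OwnerPermissionEvaluator` and `RequestRecordService` are hypothetical names, and it assumes each record stores its owner's username, that the evaluator is set on the `DefaultMethodSecurityExpressionHandler`, and that `<global-method-security pre-post-annotations="enabled"/>` is configured.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.core.Authentication;

// Hypothetical domain type: each record stores the username of the user who owns it.
class RequestRecord {
    private final long id;
    private final String ownerUsername;

    RequestRecord(long id, String ownerUsername) {
        this.id = id;
        this.ownerUsername = ownerUsername;
    }

    long getId() { return id; }
    String getOwnerUsername() { return ownerUsername; }
}

// Ownership rule: access is granted only when the logged-in user owns the record.
class OwnerPermissionEvaluator implements PermissionEvaluator {
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // A null or unknown target is denied, so a missing record is never exposed.
        if (auth == null || !(target instanceof RequestRecord)) {
            return false;
        }
        return auth.getName().equals(((RequestRecord) target).getOwnerUsername());
    }

    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false; // id-based checks are not used in this example: deny
    }
}

// Hypothetical service interface called by the controller behind /requester/{id}.
interface RequestRecordService {
    // Evaluated on the returned record: user2 asking for record 102, owned by
    // user1, gets an AccessDeniedException instead of the details page.
    @PostAuthorize("hasPermission(returnObject, 'read')")
    RequestRecord getRecord(long id);

    // Evaluated per element: records the caller does not own are removed from
    // the returned list, which therefore has to be a modifiable collection.
    @PostFilter("hasPermission(filterObject, 'read')")
    List<RequestRecord> listRecords();
}
```

The `ROLE_USER` URL rule from the question stays in place; it decides who may reach `/requester/...` at all, while the evaluator decides which records that user may read.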
