
Spring Security: Securing URL and Parameters

I have a requirement where the application needs to secure URLs for users based on the role the user has and the parameter passed.

E.g.: there are four roles: PREVIEW_VIEW, PREVIEW_MODIFY, PUBLIC_VIEW, PUBLIC_MODIFY

And the URL hit is http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW

Let's say the user has only the 'PUBLIC_VIEW' and 'PUBLIC_MODIFY' permissions.

If the user passes the parameter 'recipientType=PREVIEW', then the page should be accessible only if the user has the 'PREVIEW_MODIFY' permission.

So how do I secure the URL and the parameter together?

i.e. allow this URL ( http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PREVIEW ) only if the user has the PREVIEW_MODIFY permission, and allow this URL ( http://myapp:8080/console/editGroups.action?orgId=1&recipientType=PUBLIC ) only if the user has the PUBLIC_MODIFY permission.

Thanks

Chetan
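One way to check the URL path and the query parameter together, as an added example that is not part of the original question or answer: a custom bean referenced from a Spring Security access expression, which receives the current Authentication and HttpServletRequest and looks up the required permission on the server side. It assumes Spring Security 5.x Java configuration on Java 9+, a hypothetical bean name "recipientAuthz", and that authorities are granted under exactly the names used in the question (PREVIEW_MODIFY, PUBLIC_MODIFY, with no ROLE_ prefix).

```java
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;

// Hypothetical bean (assumed name "recipientAuthz"): decides, per request, whether the
// caller may modify the recipient type named in the query string.
@Component("recipientAuthz")
class RecipientTypeAuthorizer {
    // Only the two recipient types from the question are accepted; anything else is denied.
    private static final Set<String> KNOWN_TYPES = Set.of("PREVIEW", "PUBLIC");

    public boolean canModify(Authentication authentication, HttpServletRequest request) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        // Reject a missing or repeated parameter instead of guessing which value applies.
        String[] values = request.getParameterValues("recipientType");
        if (values == null || values.length != 1 || !KNOWN_TYPES.contains(values[0])) {
            return false;
        }
        // recipientType=PREVIEW requires PREVIEW_MODIFY, PUBLIC requires PUBLIC_MODIFY;
        // the permission comes from the server-side Authentication, never from the URL.
        String required = values[0] + "_MODIFY";
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

@Configuration
@EnableWebSecurity
class ConsoleSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // The expression passes the Authentication and the HttpServletRequest to the
            // bean, so the path match and the parameter check are evaluated together.
            .antMatchers("/console/editGroups.action")
                .access("@recipientAuthz.canModify(authentication, request)")
            .anyRequest().authenticated();
    }
}
```

A request with recipientType=PREVIEW from a user holding only PUBLIC_VIEW and PUBLIC_MODIFY is denied, because the required authority PREVIEW_MODIFY is not among the user's granted authorities.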

To me, this is the wrong way to proceed. URLs are changeable by definition by the client, because it is the client itself who decides who or what to call. Therefore, URLs are the worst place to put security information. Besides, if you need to walk this way, I think you can't but leverage encryption.

The server is the one that decides which role(s) the client is associated with; therefore it forces the client to include a parameter with its role combination. Of course, this MUST be encrypted (symmetric encryption will be enough), since the client MUST NOT be able to alter it in any way.

When the client performs the request, the server retrieves the encrypted attribute and decrypts it to obtain the client's roles.

If you need to make this attribute understandable, you could show it in the clear and use an additional cryptographic HASH parameter.
