I'm developing a simple website using Spring MVC. The question is: what is the best way to secure a URL? For example, I have users and notes. Users can only edit/delete their own notes. A user edits a note with the link localhost/note/edit/1
but I don't want other users to just change the id parameter and see other users' notes.
How do you secure the URL in those cases?
Then you need to check at the beginning of your edit page that the user ID of the logged-in person matches that of the owner of the data.
Since you're using Spring and you want your authorization decisions based on user ID, you should read up on Spring Access Control.
To use expressions to secure individual URLs, you would first need to set the use-expressions attribute in the <http> element to true. Spring Security will then expect the access attributes of the <intercept-url> elements to contain Spring EL expressions. The expressions should evaluate to a boolean, defining whether access should be allowed or not.
But there are a lot of other ways to deal with authorization. Don't get in the habit of assuming that user ID is the best way to make these decisions. Read "From ABAC to ZBAC" to learn about alternatives.
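Both answers above describe the same control from different angles: the request must prove that the note belongs to the logged-in user, and the note id in the URL is never trusted on its own. The following is an added example, not code from the question or from either answer, showing three places that check can live in a Spring MVC + Spring Security application: an explicit comparison at the top of the handler (first answer), a method-security expression that delegates to a bean (the expression-based approach the second answer points at), and a repository query scoped by owner so a foreign id simply does not resolve. The names Note, NoteRepository, NoteSecurity and NoteController are assumptions for the example, and ownership is keyed by the principal's username.

```java
// Added example, not code from the question or either answer. Assumed names:
// Note, NoteRepository, NoteSecurity, NoteController. Ownership is compared by
// username (Authentication.getName()) so no custom principal type is needed.
import java.util.Optional;

import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Assumed domain object: every note has exactly one owner.
class Note {
    private final long id;
    private final String ownerUsername;
    private String body;

    Note(long id, String ownerUsername, String body) {
        this.id = id;
        this.ownerUsername = ownerUsername;
        this.body = body;
    }

    long getId() { return id; }
    String getOwnerUsername() { return ownerUsername; }
    String getBody() { return body; }
    void setBody(String body) { this.body = body; }
}

// Assumed repository. With Spring Data JPA both finders would be derived
// from their names; any JDBC/ORM implementation works the same way.
interface NoteRepository {
    Optional<Note> findById(long id);
    Optional<Note> findByIdAndOwnerUsername(long id, String ownerUsername);
    Note save(Note note);
    void delete(Note note);
}

// Ownership check exposed as a named bean so a SpEL expression can call it
// as @noteSecurity.isOwner(#id, authentication).
@Component("noteSecurity")
class NoteSecurity {
    private final NoteRepository notes;

    NoteSecurity(NoteRepository notes) { this.notes = notes; }

    public boolean isOwner(long noteId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;            // anonymous callers never own anything
        }
        return notes.findById(noteId)
                .map(n -> n.getOwnerUsername().equals(auth.getName()))
                .orElse(false);      // unknown id: deny, do not leak existence
    }
}

// URL-level rules in the XML config still apply first, e.g.
//   <http use-expressions="true">
//     <intercept-url pattern="/note/**" access="isAuthenticated()"/>
//   </http>
// but "is logged in" is not "owns note 1"; that decision needs the note.
@Controller
class NoteController {
    private final NoteRepository notes;

    NoteController(NoteRepository notes) { this.notes = notes; }

    // 1) Explicit check at the top of the handler, before any data is rendered.
    @GetMapping("/note/edit/{id}")
    public String editForm(@PathVariable long id, Authentication auth, Model model) {
        Note note = notes.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        if (!note.getOwnerUsername().equals(auth.getName())) {
            throw new AccessDeniedException("note " + id + " is not owned by caller"); // 403
        }
        model.addAttribute("note", note);
        return "note/edit";
    }

    // 2) Same decision as a method-security expression. Needs pre/post
    //    annotations enabled (@EnableMethodSecurity, or in XML
    //    <global-method-security pre-post-annotations="enabled"/>).
    @PreAuthorize("@noteSecurity.isOwner(#id, authentication)")
    @PostMapping("/note/delete/{id}")
    public String delete(@PathVariable long id) {
        notes.findById(id).ifPresent(notes::delete);
        return "redirect:/note";
    }

    // 3) Scope the query by owner: a tampered id for someone else's note
    //    returns empty, so there is no separate check to forget.
    @PostMapping("/note/edit/{id}")
    public String save(@PathVariable long id, @RequestParam String body, Authentication auth) {
        Note note = notes.findByIdAndOwnerUsername(id, auth.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        note.setBody(body);
        notes.save(note);
        return "redirect:/note/edit/" + note.getId();
    }
}
```

Whichever variant is used, it must cover every handler that touches a note by id (GET form, POST save, delete), not just the page the user sees first; the one left unguarded is the one that gets found. Variant 3 is the least error-prone because the authorization is part of the data access itself, and returning 404 rather than 403 for a foreign id avoids confirming that the id exists.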