
Spring MVC: Securing handler method

Developer https://www.devze.com 2023-02-25 12:56 Source: web

I'm wondering what is a good approach to secure a handler method in a Spring MVC controller. Now I use the @Secured annotation, which ensures that some method may be accessed by a logged-in user only. But how to ensure that one logged-in user doesn't do something bad to other users? For example, I have a method that deletes the item with a given id. To ensure that someone can't remove items other than his own, I check the item owner. Is there a better way to do something like that?

@Secured("ROLE_USER")                 // only authenticated users holding ROLE_USER reach this handler
@RequestMapping("/deleteitem.html")
public String delete(@RequestParam(value="id") Long id) {
    Item b = itemDAO.get(id);
    // Ownership check: the principal is the custom UserDetails of the logged-in user;
    // delete only when its user id matches the item owner's id
    if(b.getOwner().getId().equals(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUser().getId())) {
        itemDAO.delete(id);
    }
    // Redirect either way; a non-owner is silently sent back to the list
    return "redirect:/user/items.html";
}


Perhaps you can look at the @PreAuthorize annotation. You can do something like

// #item refers to the method argument; principal is the logged-in UserDetails
// (the custom implementation with getUser() from the question)
@PreAuthorize("#item.owner.id == principal.user.id")
public void doSomething(Item item);

You would need to rewrite your current code suitably.
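Applying this suggestion to the delete handler from the question, as an added example that is not part of the original answer: the ownership rule moves into a small bean referenced from the @PreAuthorize expression, so the handler body no longer repeats the principal cast. It assumes the question's `itemDAO`, `Item` and custom `UserDetails` (named `AppUserDetails` here, a hypothetical name), a hypothetical `ItemPermissions` bean, and method security enabled with `@EnableGlobalMethodSecurity(prePostEnabled = true)`.

```java
// --- ItemPermissions.java (hypothetical helper bean, not from the page) ---
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component("itemPermissions")
public class ItemPermissions {
    private final ItemDAO itemDAO;          // the DAO from the question (assumed)

    public ItemPermissions(ItemDAO itemDAO) { this.itemDAO = itemDAO; }

    // Deny by default: anonymous caller, unexpected principal type, or unknown item
    public boolean isOwner(Long itemId, Authentication auth) {
        if (auth == null || !(auth.getPrincipal() instanceof AppUserDetails)) {
            return false;
        }
        Item item = itemDAO.get(itemId);
        if (item == null || item.getOwner() == null) {
            return false;                   // no NPE and no information about missing ids
        }
        Long currentUserId = ((AppUserDetails) auth.getPrincipal()).getUser().getId();
        return currentUserId.equals(item.getOwner().getId());
    }
}

// --- ItemController.java ---
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class ItemController {
    private final ItemDAO itemDAO;

    public ItemController(ItemDAO itemDAO) { this.itemDAO = itemDAO; }

    // The role check and the ownership check are evaluated before the body runs.
    // A failed check throws AccessDeniedException (HTTP 403) instead of a silent
    // redirect, so attempts on other users' items show up in the access logs.
    @PreAuthorize("hasRole('ROLE_USER') and @itemPermissions.isOwner(#id, authentication)")
    @RequestMapping("/deleteitem.html")
    public String delete(@RequestParam("id") Long id) {
        itemDAO.delete(id);
        return "redirect:/user/items.html";
    }
}
```

Bean references such as `@itemPermissions` in method security expressions need a bean resolver, which Spring Security's global method security configuration provides when method security is enabled.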


Look into Spring Security ACL (Access Control List): you can create a list of permissions that users have for this object. Permissions include read, write, delete...


You need to implement a role-based system; based on privileges, a user can perform the delete operation.

If a specific user has delete access, then he/she does the delete stub.
