
How to use Spring Security 3.0.3 to secure such business logic?

I have such a requirement. There is a main business object, user A and user B, and an administrator. User A or B can create/update/delete their own business object, and user A can't modify user B's business object. The administrator can do everything. The business object also has a status; in some statuses, even the owner can't modify it. I want to secure this with Spring Security, but it seems it can't be achieved just by role-based security. I feel I need to use a Spring voter, but I don't know how to configure it. Can anybody provide a code snippet or give me a suggestion?

Thanks in advance.


Spring Security 3 supports the @PreAuthorize annotation, which lets you express the authorization logic in Spring Expression Language, like this:

import org.springframework.security.access.prepost.PreAuthorize;

public class BusinessService {
    // Evaluated before the method body runs; an AccessDeniedException is thrown if it is false.
    // hasRole() compares the literal authority string, so use exactly what your
    // UserDetailsService grants (e.g. 'ROLE_ADMINISTRATOR' if that is the prefix you use).
    // #o refers to the method argument by name; 'principal' is whatever
    // Authentication.getPrincipal() returns, so it must expose a 'name' property
    // (otherwise use authentication.name).
    @PreAuthorize("hasRole('ADMINISTRATOR') or " + 
        "(#o.status != 'someStatus' and hasRole('USER') and #o.ownerName == principal.name)")
    public void updateBusinessObject(BusinessObject o) {
        // ... update logic
    }
}

And you need <security:global-method-security pre-post-annotations="enabled"/> in your XML configuration to apply the security aspect.

If the expression is too complex to represent in Spring Expression Language, you can move some of the logic into Java code by adding custom variables to the expression's EvaluationContext (by customizing MethodSecurityExpressionHandler).

Note, however, that you need to have your code compiled in debug mode in order to use method arguments in the expression.

See also:

  • 15.3.1 @Pre and @Post Annotations
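The approach the answer sketches, written out as an added example (this is not code from the original answer or from Spring Security itself): the owner-plus-status rule lives in plain Java, a custom MethodSecurityExpressionHandler exposes it to SpEL as the variable #ownership, and the service methods combine it with the administrator role. The class names BusinessObject, OwnershipPolicy, OwnershipExpressionHandler and BusinessService, the bean ids in the XML comment, the status values and the authority string ROLE_ADMINISTRATOR are all assumptions; the Spring Security 3.0.x APIs used are real.

```java
// Added example; not from the original answer or from Spring Security.
// Shown in one file for the example: in a project each class gets its own file and is public.
// Assumed names: BusinessObject, OwnershipPolicy, OwnershipExpressionHandler, BusinessService,
// the bean ids in the XML comment, and the authority "ROLE_ADMINISTRATOR".
package example.security;

import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

/** Assumed domain object: owned by one user, with a lifecycle status. */
class BusinessObject {
    enum Status { DRAFT, SUBMITTED, APPROVED, ARCHIVED }

    private final long id;
    private final String ownerName;   // username, compared against Authentication.getName()
    private Status status = Status.DRAFT;

    BusinessObject(long id, String ownerName) { this.id = id; this.ownerName = ownerName; }
    public long getId() { return id; }
    public String getOwnerName() { return ownerName; }
    public Status getStatus() { return status; }
    public void setStatus(Status status) { this.status = status; }
}

/** Plain Java rule, unit-testable without Spring: the owner may modify only while not frozen. */
public class OwnershipPolicy {
    private final Set<BusinessObject.Status> frozen =
        EnumSet.of(BusinessObject.Status.APPROVED, BusinessObject.Status.ARCHIVED);

    public boolean canModify(BusinessObject o, Authentication auth) {
        if (o == null || auth == null || !auth.isAuthenticated()) {
            return false;                                   // deny by default
        }
        if (frozen.contains(o.getStatus())) {
            return false;                                   // status rule overrides ownership
        }
        return auth.getName().equals(o.getOwnerName());
    }
}

/** Makes the policy available in SpEL as #ownership by adding a variable to the context. */
class OwnershipExpressionHandler extends DefaultMethodSecurityExpressionHandler {
    private final OwnershipPolicy ownership;

    OwnershipExpressionHandler(OwnershipPolicy ownership) { this.ownership = ownership; }

    @Override
    public EvaluationContext createEvaluationContext(Authentication auth, MethodInvocation mi) {
        // In 3.0.x the default context is a StandardEvaluationContext subclass, so the cast holds.
        StandardEvaluationContext ctx = (StandardEvaluationContext) super.createEvaluationContext(auth, mi);
        ctx.setVariable("ownership", ownership);
        return ctx;
    }
}

class BusinessService {
    private final Map<Long, BusinessObject> store = new HashMap<Long, BusinessObject>();

    // Creating in someone else's name is refused: the owner must be the caller.
    @PreAuthorize("isAuthenticated() and #o.ownerName == authentication.name")
    public void create(BusinessObject o) { store.put(o.getId(), o); }

    // Administrator bypasses everything; everyone else goes through the Java owner+status rule.
    // hasRole() in 3.0 compares the literal authority string, so spell it exactly as granted.
    @PreAuthorize("hasRole('ROLE_ADMINISTRATOR') or #ownership.canModify(#o, authentication)")
    public void update(BusinessObject o) { store.put(o.getId(), o); }

    @PreAuthorize("hasRole('ROLE_ADMINISTRATOR') or #ownership.canModify(#o, authentication)")
    public void delete(BusinessObject o) { store.remove(o.getId()); }

    // Reads are checked after the call, so user A cannot load user B's object by guessing its id.
    @PostAuthorize("hasRole('ROLE_ADMINISTRATOR') or returnObject == null "
        + "or returnObject.ownerName == authentication.name")
    public BusinessObject load(long id) { return store.get(id); }
}

/* Wiring in applicationContext.xml (assumed bean ids). proxy-target-class is needed because
 * BusinessService has no interface; #o requires parameter names, i.e. compile with javac -g.
 *
 *   <bean id="ownershipPolicy" class="example.security.OwnershipPolicy"/>
 *   <bean id="ownershipExpressionHandler" class="example.security.OwnershipExpressionHandler">
 *       <constructor-arg ref="ownershipPolicy"/>
 *   </bean>
 *   <bean id="businessService" class="example.security.BusinessService"/>
 *   <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
 *       <security:expression-handler ref="ownershipExpressionHandler"/>
 *   </security:global-method-security>
 */
```

Keeping the owner and status decision in OwnershipPolicy rather than in the annotation string means the rule can be unit-tested with a mock Authentication and reused by a @PostAuthorize or a controller, and changing which statuses are frozen touches one place instead of every annotation.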
