小贝子编程

限制浏览器中 REST URL 的访问



如何在浏览器中限制REST URL的访问,任何人都可以指导我在安全性方面进行哪些必要的更改.xml。我的Web应用程序在Spring MVC框架上运行。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"   xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security  http://www.springframework.org/schema/security/spring-security.xsd">
<http pattern="/images/**" security="none" />
<http pattern="/styles/**" security="none" />
<http pattern="/scripts/**" security="none" />
<http pattern="/assets/**" security="none" />

<http auto-config="true">
    <intercept-url pattern="/app/admin/**" access="ROLE_ADMIN" />
    <intercept-url pattern="/app/passwordHint*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER" />
    <intercept-url pattern="/app/requestRecoveryToken*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER, ROLE_PHYSICIAN, ROLE_PRACTICE_STAFF" />
    <intercept-url pattern="/app/updatePassword*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER, ROLE_PHYSICIAN, ROLE_PRACTICE_STAFF" />
    <intercept-url pattern="/app/signup*" access="ROLE_ADMIN" />
    <intercept-url pattern="/app/practice*" access="ROLE_ADMIN"/>   
    <!-- <intercept-url pattern="/app/patientReports*" access="ROLE_ADMIN"/> -->        
    <intercept-url pattern="/app/mediaFile/**" access="ROLE_ANONYMOUS"/>
    <intercept-url pattern="/app/**" access="ROLE_ADMIN, ROLE_USER, ROLE_PHYSICIAN, ROLE_PRACTICE_STAFF" />
    <form-login login-page="/login" authentication-failure-url="/login?error=true" login-processing-url="/j_security_check" />
    <remember-me user-service-ref="userDao" key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" />
</http>
<authentication-manager>
    <authentication-provider user-service-ref="userDao">
        <password-encoder ref="passwordEncoder">
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<!-- Override the default password-encoder (BCrypt) by uncommenting the following and changing the class -->
<!-- <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> -->
<global-method-security>
    <protect-pointcut expression="execution(* *..service.UserManager.getUsers(..))" access="ROLE_ADMIN" />
    <protect-pointcut expression="execution(* *..service.UserManager.removeUser(..))" access="ROLE_ADMIN" />
</global-method-security>

你读过 Spring 安全手册吗?

您需要限制某些角色对其余 URL 的访问权限。如何通过用户获取这些角色取决于您的设置。对于 REST 调用,您可能不需要表单登录,而是基本身份验证。

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium