java - Is there a point to use method level security in spring if we secured the REST API from the configuration -

-

i ask if there point secure methods call in rest controller pre , post annotations. have configured security through java configuration this:

@override protected void configure(httpsecurity http) throws exception { http     .and()         .formlogin()      (...)      .and()         .authorizerequests()         .antmatchers("/api/**").hasauthority("role_user"); }

so every request under /api should authorized role_user. tried find information in internet thing find this: https://coderanch.com/t/549265/spring/method-security-spring-security

however can't think of use case hacker access somehow methods in service layer.

url security , method security in service layer aims @ different use cases.

if need control users role can call url given prefix (here api) url security need full stop.

if have complex application service methods can called different controllers , want make sure did not fail restrict access, method security can come ensuring valid users can business actions.

if have complex security model, example several officse 1 manager in each has read and/or write access own employees data, method security on service layer directly using business model objects way go.

btw, using method security in controller or worse on rest controller design smell: if can inside controller better use url security. if seems make sense, have imported business logic fat ugly controller. not speaking method security being implemented spring aop using default jdk proxies, when controllers not implement interfaces.


Comments

Post a Comment

Popular posts from this blog

magento2 - Magento 2 admin grid add filter to collection -

-
i created grid in admin xml ui components. need filter collection via url parameter , dont know how achieve that. tried inject requestinterface collection, filter didnt work. di.xml <virtualtype name="slidelistingdataprovider" type="magento\framework\view\element\uicomponent\dataprovider\dataprovider"> <arguments> <argument name="collection" xsi:type="object" shared="false">xxx\xxx\model\resourcemodel\grid\slide\collection</argument> <argument name="filterpool" xsi:type="object" shared="false">slidelistingfilterpool</argument> <!-- define new object filters --> </arguments> </virtualtype> <virtualtype name="slidelistingfilterpool" type="magento\framework\view\element\uicomponent\dataprovider\filterpool"> <arguments> <argument name="applier...
Read more

Android volley - avoid multiple requests of the same kind to the server? -

-
i using volley upload list of images server. happens within service. once image uploaded remove list. problem arises when internet connection breaks. when internet connection breaks , comes again thinking of adding images yet uploaded request queue. this can result in more 1 copy of same image saved on server request same image might have gone through before getting rseponse. how can address scenario? i'm not quite sure why you're using service schedule requests volley automatically runs it's request in seperate thread. nevertheless can listen both request results, successful , unsuccessful adding listeners. you can remove image list schedule request using volley. if succeeds can carry on desired, if fails can add again list. public static request getimageuploadrequest(final string image) { response.listener<t> responselistener = new response.listener<t>() { @override public void onresponse(t response...
Read more

Combining PHP Registration and Login into one class with multiple functions in one PHP file -

-
i'm trying combine registration, activation , login scripts php website backend script front end developer can pass variables different forms to. my question whether appropriate approach this. don't want have lot of php files different pieces of application developing. far have written following 2 functions login, register , activate user front end developer can call: <?php /** * created phpstorm. * user: karl * date: 26/07/2016 * time: 02:25 */ class users { function register_user($email, $password, $user_name) { $server_name = "localhost"; $u_name = "root"; $db_password = "root"; $db_name = "betamath_graspe"; //email notification variable $from_address="info@slack.com"; //registration form $msg_reg_user='username taken. please choose different username'; $msg_reg_email='email registered'; $msg_reg_active=...
Read more