Method Security
Spring Security recommends applying method security at the service layer, so that authorization is enforced regardless of which controller or view reaches a given operation.
Modify UserService.java as shown below.
UserService.java
import org.springframework.security.access.prepost.PreAuthorize;

public interface UserService {
    public int addUser(User user);
    public void addAuthority(String email, String authority);
    public User login(String email, String passwd);

    // Only the account owner or an administrator may edit the account.
    @PreAuthorize("#user.email == principal.username or hasRole('ROLE_ADMIN')")
    public int editAccount(User user);

    @PreAuthorize("#email == principal.username or hasRole('ROLE_ADMIN')")
    public int changePasswd(String currentPasswd, String newPasswd, String email);

    @PreAuthorize("#user.email == principal.username or hasRole('ROLE_ADMIN')")
    public void bye(User user);

    @PreAuthorize("#email == principal.username or hasRole('ROLE_ADMIN')")
    public User getUser(String email);
}
Modify BoardService.java as shown below.
BoardService.java
import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;

public interface BoardService {
    // Any authenticated user or administrator may read and post.
    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public List<Article> getArticleList(String boardCd, String searchWord);

    public int getTotalRecord(String boardCd, String searchWord);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public int addArticle(Article article);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public void addAttachFile(AttachFile attachFile);

    // Only the author of the article or an administrator may modify or remove it.
    @PreAuthorize("#article.email == principal.username or hasRole('ROLE_ADMIN')")
    public void modifyArticle(Article article);

    @PreAuthorize("#article.email == principal.username or hasRole('ROLE_ADMIN')")
    public void removeArticle(Article article);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public void increaseHit(int articleNo);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public Article getArticle(int articleNo);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public Article getNextArticle(int articleNo, String boardCd, String searchWord);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public Article getPrevArticle(int articleNo, String boardCd, String searchWord);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public List<AttachFile> getAttachFileList(int articleNo);

    @PreAuthorize("#attachFile.email == principal.username or hasRole('ROLE_ADMIN')")
    public void removeAttachFile(AttachFile attachFile);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public String getBoardNm(String boardCd);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public void addComment(Comment comment);

    @PreAuthorize("#comment.email == principal.username or hasRole('ROLE_ADMIN')")
    public void modifyComment(Comment comment);

    @PreAuthorize("#comment.email == principal.username or hasRole('ROLE_ADMIN')")
    public void removeComment(Comment comment);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public List<Comment> getCommentList(int articleNo);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public AttachFile getAttachFile(int attachFileNo);

    @PreAuthorize("hasAnyRole('ROLE_ADMIN','ROLE_USER')")
    public Comment getComment(int commentNo);
}
Test
After building, visit http://localhost:8080/users/login.
Log in with username jane@gmail.org and password 1111.
On the bulletin board list, click a post written by john@gmail.org.
Click the Modify button to open the modify form page.
On the modify form, edit the content and click the Submit button.
If method security is working, noAuthority.jsp is displayed: jane@gmail.org is neither the author of the post nor an administrator, so the @PreAuthorize rule on modifyArticle rejects the call.
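The same check can be automated. The JUnit 5 test below is an added example, not part of the tutorial: it reproduces the ownership rule from modifyArticle on a constructed stand-in for BoardService and asserts that jane@gmail.org is denied when modifying a post owned by john@gmail.org while the owner is allowed. It assumes Java configuration with spring-test and spring-security-test on the classpath (the tutorial's own classes and configuration are not used); note that @PreAuthorize is silently ignored unless pre/post annotations are enabled, as done here with prePostEnabled = true (pre-post-annotations="enabled" in XML configuration).

```java
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit.jupiter.SpringJUnitConfig;

@SpringJUnitConfig(MethodSecurityCheckTest.Config.class)
class MethodSecurityCheckTest {
    // Constructed stand-in for the tutorial's Article: only the owner field the rule reads.
    public static class Article {
        private final String email;
        public Article(String email) { this.email = email; }
        public String getEmail() { return email; }
    }

    // Constructed stand-in for BoardService carrying the page's ownership rule.
    // @P names the parameter explicitly so "#article" resolves even without debug symbols.
    public static class BoardService {
        @PreAuthorize("#article.email == principal.username or hasRole('ROLE_ADMIN')")
        public boolean modifyArticle(@P("article") Article article) { return true; }
    }

    // prePostEnabled is what makes @PreAuthorize take effect; without it every call succeeds.
    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Config {
        @Bean BoardService boardService() { return new BoardService(); }
    }

    @Autowired BoardService boardService;

    @Test
    @WithMockUser(username = "jane@gmail.org", roles = "USER")
    void janeCannotModifyJohnsArticle() {
        assertThrows(AccessDeniedException.class,
                () -> boardService.modifyArticle(new Article("john@gmail.org")));
    }

    @Test
    @WithMockUser(username = "john@gmail.org", roles = "USER")
    void ownerCanModifyOwnArticle() {
        assertTrue(boardService.modifyArticle(new Article("john@gmail.org")));
    }
}
```

In the web application the AccessDeniedException raised here is what the access-denied handler turns into noAuthority.jsp.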