I am using Shiro as the security framework and, being new to it, I have run into a problem:
A GET request to the path "localhost:8080/user/1" lets user 1 enter the background management page. But there is more than one user, and as long as any user types that path into the address bar, all of them can get into user 1's background management page. The first method I thought of, of course, was authorization: add an authorization rule for /user/1 so that only user 1 can access it. But on reflection this simply cannot solve the problem; there are so many users in the database that I cannot add an authorization rule for every one of them. Then I thought of handling it differently according to the request method, so that only a POST request to "localhost:8080/user/1" can enter the background management page, but a POST request can be sent by other means, so this is a big loophole. I still have no decisive method.
I have thought about it for a long time and still cannot figure out how to solve it. Excuse my ignorance; I sincerely ask for advice.
CodePudding user response:
You can design a permissions table and a user-permission relationship table. When a user's request comes in, check whether the user has the permission: if so, let the visit continue; if not, do some other handling.
CodePudding user response:
In real production, role permissions are matched for each user.
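As an added example (not code from this thread), the permission-table approach in Shiro terms: a realm that loads each user's grants from a constructed in-memory stand-in for the user-permission table, and an object-level check for /user/{id} that passes only when the caller is that user or holds an explicit grant. It assumes the realm's primary principal is the numeric user id; a controller-style method shows the check applied regardless of request method.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class OwnerOrPermissionRealm extends AuthorizingRealm {

    // Constructed stand-in for the permission / user-permission tables:
    // user id -> granted permission strings. Only the admin (id 99, made up
    // for this example) holds a wildcard; ordinary users hold no grants.
    private static final Map<Long, Set<String>> GRANTS =
        Map.of(99L, Set.of("user:view:*"));

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Assumption: the primary principal stored at login is the numeric user id.
        Long userId = (Long) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
        info.addStringPermissions(GRANTS.getOrDefault(userId, Set.of()));
        return info;
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        // Credential checking is not modelled here; a real realm looks the
        // account up and returns a SimpleAuthenticationInfo. Null = unknown account.
        return null;
    }

    // Object-level check for /user/{id}: the caller must be that very user, or
    // hold a "user:view:<id>" grant (the wildcard above satisfies it for admins).
    // The HTTP method plays no part in the decision.
    public static boolean canViewUserPage(Subject subject, long requestedUserId) {
        if (!subject.isAuthenticated()) return false;
        Object principal = subject.getPrincipal();
        boolean isOwner = principal instanceof Long && (Long) principal == requestedUserId;
        return isOwner || subject.isPermitted("user:view:" + requestedUserId);
    }

    // Controller-style handler for GET /user/{id}: refuse instead of serving
    // another user's management page.
    public static String userPage(long id) {
        Subject subject = SecurityUtils.getSubject();
        if (!canViewUserPage(subject, id)) {
            throw new AuthorizationException("not allowed to view /user/" + id);
        }
        return "user/management";
    }
}
```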