Chapter 14. Securing methods

This chapter covers

  • Securing method invocations
  • Defining security rules with expressions
  • Creating security expression evaluators

Before I leave my house or before I go to bed, one of the last things I do is make sure the doors to my house are locked. But just before that, I set the alarm. Why? Because although the locks on my doors are a good form of security, the alarm system gives a second line of defense, should any burglar make it past the locks.

In chapter 9, you saw how to use Spring Security to secure the web layer of your application. Web security is important, as it prevents users from accessing content that they’re not authorized to access. But what if there’s a hole in your application’s web layer security? What if somehow a user is able to request content that they may not be allowed to see?

Although there’s no reason to think that a user will be able to crack through your application’s security, a security hole at the web layer can sneak in rather easily. Imagine, for instance, if a user makes a request for a page that they’re allowed to see, but due to a lack of developer diligence, the controller that handles that request calls a method that fetches data that the user isn’t allowed to see. It’s an honest mistake. But security breaches are just as likely to arise from honest mistakes as they are from clever hacking.

14.1. Securing methods with annotations

14.2. Using expressions for method-level security

14.3. Summary