Merge branch '6.1.x' into 6.2.x

Steve Riesenberg 2023-12-28 10:47:44 -06:00
commit 0aebc63e0a
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
1 changed files with 0 additions and 5 deletions


@ -394,11 +394,6 @@ fun readAccountWithWrongRoleThenAccessDenied() {
While `@PreAuthorize` is quite helpful for declaring needed authorities, it can also be used to evaluate more complex <<using_method_parameters,expressions that involve the method parameters>>. While `@PreAuthorize` is quite helpful for declaring needed authorities, it can also be used to evaluate more complex <<using_method_parameters,expressions that involve the method parameters>>.
The above two snippets are ensuring that the user can only request orders that belong to them by comparing the username parameter to xref:servlet/authentication/architecture.adoc#servlet-authentication-authentication[`Authentication#getName`].
The result is that the above method will only be invoked if the `username` in the request path matches the logged-in user's `name`.
If not, Spring Security will throw an `AccessDeniedException` and return a 403 status code.
[[use-postauthorize]] [[use-postauthorize]]
=== Authorization Method Results with `@PostAuthorize` === Authorization Method Results with `@PostAuthorize`
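Review bot: the paragraph removed after the `@PreAuthorize` sentence is the only text in this hunk that states the failure behaviour (an `AccessDeniedException` and a 403 status code), so please confirm that the `using_method_parameters` section the remaining sentence links to still carries that explanation on 6.2.x. The removed text refers to "the above two snippets" and a `username` parameter, while the hunk header names `readAccountWithWrongRoleThenAccessDenied()` as the preceding code, which suggests the paragraph was misplaced here and that the deletion is intended. The merge commit message gives no reason for a merge that deletes five lines, so a short note in the message saying why would help future readers.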