Sunday, 15 March 2015

Called method is not getting authorized in spring security

I'm using spring security and I've 2 methods in my MovieService-



    @PreAuthorize("hasRole('ROLE_DIRECTOR')")
    public Map<String, Movie> getAllMovies() {
        .......
        .......
    }


And another method is -



    public Movie getMovieByMovieCode(String movieCode) {
        Map<String, Movie> movies = getAllMovies();
        Movie movie = movies.get(movieCode);
        return movie;
    }


As shown in the code, I'm calling the getAllMovies() method from inside the getMovieByMovieCode() method. So, if a user who does NOT have the ROLE_DIRECTOR role tries to access the getMovieByMovieCode() method, then from inside this method the getAllMovies() method is also accessed.


But the expected behavior is that this user should not be able to access getAllMovies() method as this user does not have role ROLE_DIRECTOR.


How can I achieve this behavior? Do I need to use <dispatcher> inside filter mapping?
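The behaviour described in the question, as an added example that is not part of the original post: Spring Security's default method security is enforced by an AOP proxy wrapped around the bean, so a call made on `this` inside the class never reaches the check. The code below reproduces that with a plain JDK dynamic proxy; `RequiresRole`, `secure`, `ProxiedCallImpl` and the sample data are hypothetical stand-ins, not Spring APIs.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class SelfInvocationDemo {
    // Stand-in for @PreAuthorize("hasRole('...')"); hypothetical, not Spring's annotation.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface MovieService {
        @RequiresRole("ROLE_DIRECTOR") Map<String, String> getAllMovies();
        String getMovieByMovieCode(String movieCode);
    }
    // Same shape as the service in the question: the inner call goes to `this`,
    // so the proxy (and its role check) is never involved in it.
    static class MovieServiceImpl implements MovieService {
        public Map<String, String> getAllMovies() { return Map.of("M1", "Constructed Movie"); }
        public String getMovieByMovieCode(String code) { return getAllMovies().get(code); }
    }
    // Variant that routes the inner call through a reference to the proxy.
    static class ProxiedCallImpl extends MovieServiceImpl {
        MovieService self;
        @Override public String getMovieByMovieCode(String code) { return self.getAllMovies().get(code); }
    }

    // Wraps the target in a proxy that checks the annotation before each external call.
    static MovieService secure(MovieService target, Set<String> callerRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            RequiresRole r = method.getAnnotation(RequiresRole.class);
            if (r != null && !callerRoles.contains(r.value()))
                throw new SecurityException("Access denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (MovieService) Proxy.newProxyInstance(
            MovieService.class.getClassLoader(), new Class<?>[] { MovieService.class }, h);
    }

    static String attempt(MovieService s) {
        try { return s.getMovieByMovieCode("M1"); }
        catch (SecurityException e) { return e.getMessage(); }
    }

    public static void main(String[] args) {
        Set<String> roles = Set.of("ROLE_USER");  // constructed caller without ROLE_DIRECTOR
        System.out.println(attempt(secure(new MovieServiceImpl(), roles))); // self-invocation: check skipped
        ProxiedCallImpl impl = new ProxiedCallImpl();
        impl.self = secure(impl, roles);
        System.out.println(attempt(impl.self));  // inner call crosses the proxy: check enforced
    }
}
```

In a Spring application the corresponding options are to move the protected method into a separate bean so the call crosses a proxy, or to switch method security to AspectJ weaving so the check is compiled into the method itself.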

