How do you protect Spring Boot / Spring Data REST, so the user can only access their own objects

I am using Spring Data REST ( http://docs.spring.io/spring-data/rest/docs/current/reference/html/ ) with Spring Boot and Spring Security Basic.

I have the following objects.

    Items
    --> ID
    User
    --> ID
    --> List<Items> items

Currently, with Spring Data REST, any user can see /items/1,2,3,4,5

I only want to allow users to see only their own elements.

Is this achievable without the need for coding a user controller?

+5
2 answers

Yes, you could.

To do this, you can assign a specific role to each user. For example, in your case, give the user who owns the items the ADMIN role and all others the ANONYMOUS or USER role, whichever you choose. After that, using Spring Security you can reject requests to the items URL from users who have the ANONYMOUS or USER role and allow users with the ADMIN role to view the items.

This can now be achieved using spring security in several ways:

1. Use @PreAuthorize annotations on individual controller methods and test for the ADMIN / USER / ... roles. But I think you do not want to change the controller as such.

2. A short manual way: create an Authentication object in the SecurityContextHolder from a filter and use the Spring Security configuration to load it, for example:

      @Order(1)
      public class UserFilter implements Filter { // javax.servlet.Filter is an interface, so it is implemented, not extended
          @Autowired UserService userService;
          ...
          @Override
          public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                  throws IOException, ServletException {
              UserObject userObject = userService.getUser(arg..);
              List<GrantedAuthority> grantedAuthorityList = new ArrayList<GrantedAuthority>();
              grantedAuthorityList.add(new SimpleGrantedAuthority(userObject.getRoleName())); // Either ROLE_ADMIN or ROLE_USER
              Authentication authentication = new PreAuthenticatedAuthenticationToken(userObject.getId(), new Object(), grantedAuthorityList);
              SecurityContextHolder.getContext().setAuthentication(authentication); // Put the authenticated user into the security context
              chain.doFilter(request, response);
              ...
          }
      }

And the security configuration class:

  @Configuration
  @EnableWebSecurity
  public class SecurityConfigREST extends WebSecurityConfigurerAdapter {
      SecurityConfigREST() { super(true); } // true disables the adapter's default filter chain

      @Autowired
      public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
          PreAuthenticatedAuthenticationProvider pap = new PreAuthenticatedAuthenticationProvider();
          pap.setPreAuthenticatedUserDetailsService(new PreAuthenticatedGrantedAuthoritiesUserDetailsService());
          auth.authenticationProvider(pap);
      }

      @Override
      protected void configure(HttpSecurity http) throws Exception {
          http
              .authorizeRequests()
                  .regexMatchers("^/items.*$").hasAuthority("ROLE_ADMIN") // The role which should have access to the /items/1,2.. URL
                  .anyRequest().authenticated();
      }
  }

3. Use a UserDetailsService in the security configuration above to load the user and their role through the pre-authenticated authentication provider. See http://docs.spring.io/autorepo/docs/spring-security/3.2.2.RELEASE/apidocs/org/springframework/security/core/userdetails/UserDetailsService.html

Having said all this, it is also good design not to put the numbers (1,2,3) in the URL, which can lead to potential problems later; instead, use GET and pass a JSON request body to it, for example:

    /items  RequestMethod.GET
    { "itemList" : [1,2,3,4,5] }

Hope that helps.
0
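The question asks for owner-only access without writing a controller. The following is an added example, not code from the question or from either answer, that applies Spring Security method security directly to the Spring Data REST repository. It assumes Spring Data 2.x with Spring Security 5.x and spring-security-data on the classpath, an Item entity with an owner relation to a User entity exposing username, and that the authenticated principal is a UserDetails.

```java
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

// Assumed domain model: Item has a ManyToOne 'owner' of type User, and User has a
// 'username' column that matches the authenticated principal's name.
@RepositoryRestResource(path = "items")
public interface ItemRepository extends JpaRepository<Item, Long> {

    // GET /items: Spring Data REST serves the collection via findAll(Pageable), so the
    // query is bound to the principal and other users' rows are never selected at all.
    @Override
    @Query("select i from Item i where i.owner.username = ?#{principal.username}")
    Page<Item> findAll(Pageable pageable);

    // GET /items/{id} (and the load step of PUT/PATCH/DELETE): deny unless the row is ours.
    // An unknown id also yields 403 rather than 404, so ids cannot be enumerated by probing.
    @Override
    @PostAuthorize("returnObject.orElse(null)?.owner?.username == authentication.name")
    Optional<Item> findById(Long id);

    // POST /items (and the save step of PUT/PATCH): a user may only persist items they own.
    @Override
    @PreAuthorize("#entity.owner?.username == authentication.name")
    <S extends Item> S save(@Param("entity") S entity);
}

// Turns on @PreAuthorize/@PostAuthorize and exposes 'principal' to ?#{...} in @Query.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
    @Bean
    SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}
```

Because the checks live on the repository, they also apply when the repository is called from application code, not only through the REST controller.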

I think multilevel at the JPA level can be a good, transparent approach to scoping the data that the user can see. Please see my answer here for details: fooobar.com/questions/832553/...

0

Source: https://habr.com/ru/post/1235932/