Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to restrict access by role to a Spring Data REST projection?

Tags:

java

rest

spring

spring-data

spring-data-rest

In an application using Spring Data JPA and Spring Data REST, let's say you have an entity class like this:

@Entity
public class Person {

   @Id @GeneratedValue
   private int id;

   private String name;

   @JsonIgnore
   private String superSecretValue;

   ...

}

We want Spring Data REST to expose all of this entity's fields EXCEPT for superSecretValue, and so we've annotated that field with @JsonIgnore.

However, in some cases we DO want access to superSecretValue, and so we create a projection that will return all of the fields including that one:

@Projection(name = "withSecret", types = {Person.class})
public interface PersonWithSecret {

   String getName();
   String getSuperSecretValue();

}

Awesome. So now we can access Person entities including the superSecretValue field like this:

curl http://localhost:8080/persons?projection=withSecret

My question is how can we secure that projection? How can we configure things such that anyone can retrieve Person entities without the superSecretValue field... but only people with a certain role (say, ROLE_ADMIN) can use the projection to retrieve the hidden field?

I've found endless examples of using @PreAuthorize or @Secured annotations to secure Spring Data JPA repository CRUD methods (e.g. save(), delete())... but no examples of how to restrict usage of a Spring Data REST projection.

like image 858
Steve Perkins Avatar asked Nov 11 '15 23:11

Steve Perkins

People also ask

What is difference between JpaRepository and CrudRepository?

CrudRepository provides CRUD functions. PagingAndSortingRepository provides methods to do pagination and sort records. JpaRepository provides JPA related methods such as flushing the persistence context and delete records in a batch.

What does the @RepositoryRestResource annotation do?

The @RepositoryRestResource annotation is optional and is used to customize the REST endpoint. If we decided to omit it, Spring would automatically create an endpoint at “/websiteUsers” instead of “/users“. That's it! We now have a fully-functional REST API.

Which dependency is needed for Spring Data project?

We need to add following dependencies for our Spring Data JPA example project. postgresql : Postgresql java driver. spring-core , spring-context : Spring Framework Core dependencies. spring-webmvc , jackson-databind : For Spring REST application.

What is @RepositoryRestController?

Annotation Type RepositoryRestControllerAnnotation to demarcate Spring MVC controllers provided by Spring Data REST. Allows to easily detect them and exclude them from standard Spring MVC handling.

1 Answers

You can overload properties in projections using @Value with conditional SpEL expressions - as in this already answered similar question.

Consider other alternatives (others already mentioned):

  1. Model refactoring. Split entity by access logic (e.g. Person <-> Account)
  2. Adding custom endpoints for special logic and access checks. For example, the current user at "/people/me".
  3. Customising standard endpoints. For example, add custom controller for "/people", "/people/{id}" that would preprocess and return custom Resource type (DTO) depending on on user authorities (e.g. returning PublicPerson instead Person). Then you can write custom resource processors for adding custom links and custom projections for these types.

See also: issue on this subject from spring-data-rest DATAREST-428.

like image 121
aux Avatar answered Oct 06 '22 00:10

aux
Sign in to Comment

Related questions

Why is my application starting up in more than 2 minutes?
How to reduce committed heap memory in JVM
in java hashmap implementation key is first assigned to object and then compared
é shown as &eacute; after dom conversion in java
Signal R Native Android app Negotiation Failed
How to get the ID of Toolbar's Navigation Button?
Testing RabbitMQ with Spring and Mockito
Tomcat8 shutdown randomly with AbstractProtocol.pause
Designing a multi-thread matrix in Java
How to find a missing number from a string of digits without spaces between them?
How to translate between windows and IANA timezones in java
How to stop RVM interfering with JRuby
IR transmit ConsumerIrManager class after Android 4.4 not working
Using Spring Dynamic Languages Support from Groovy Configuration
How do you implement one to many relationships in Clean Architecture
Hibernate: foreign key without entity class, only by id
Sign in through Steam with Java [closed]
JPA: Parameterized instances of AttributeConverter
Private is Private, then Why java give facility to access private method using reflection? [duplicate]
Spring generic REST controller: parsing request body

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!