 

How to secure association resources?

The problem can be defined by the following example:

I have a class MainClass which is related to another class called AssociatedClass by a @OneToOne relation. Both have an exposed Repository, so I can do a GET on the URL /mainClasses/{some_id} and on the URL /associatedClasses/{some_id}. However, the AssociatedClassRepository has the following code:

import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource
public interface AssociatedClassRepository extends PagingAndSortingRepository<AssociatedClass, String> {

    // "1 == 2" never evaluates to true, so every call to findOne (and therefore
    // every GET /associatedClasses/{id}) is denied with 403.
    @Override
    @PreAuthorize("1 == 2")
    AssociatedClass findOne(String s);
}

So it will never authorize a GET on an object of type AssociatedClass. However, since a MainClass object has an AssociatedClass associated with it, I can obtain this object by doing a GET at /mainClasses/{some_id}/associatedClass.

I would like to block the access to /mainClasses/{some_id}/associatedClass but not for all the users. I'd like to define some condition in the same way I can do it through @PreCondition. So that I can allow the access only if the authenticated user is the owner of the resource, which is my real goal.

Any ideas?

bergacat1 asked Nov 09 '22 07:11


1 Answer

One option is to secure Spring Data REST endpoints at the URL level. For example:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class RestSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Matches every association resource below an item, e.g. /entities/42/associatedEntity.
            // The path variables must be named ({id:regex}); an unnamed {regex} is treated by
            // AntPathMatcher as a variable name and the regex is not applied.
            .antMatchers("/entities/{id:[0-9]+}/{association:[A-Za-z][A-Za-z0-9]+}").hasRole("ADMIN")
            .and()
            // Disabling CSRF is only appropriate for clients that authenticate with a token
            // rather than a session cookie.
            .csrf().disable();
    }
}

Public access:

  • /entities
  • /entities/{entityId}

Admin access:

  • /entities/{entityId}/{associatedEntity}
George answered Dec 28 '22 05:12
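The answer above restricts association resources by role; the asker's actual goal is to allow /mainClasses/{id}/associatedClass only to the owner of the MainClass. Spring Security binds path variables from an antMatchers pattern to variables in the access expression (the `#id` syntax, available since Spring Security 4.1), so the same URL-level approach can delegate to an owner check. The following is an added example written for this page, not code from the question or the answer. It assumes a MainClass entity with an "owner" field holding the owner's username, a Spring Data 2.x MainClassRepository (findById returning Optional), and a bean name "mainClassAccess"; all of these are assumptions, and the classes are kept in one file only for brevity. It uses the WebSecurityConfigurerAdapter style of the answer, which is deprecated in Spring Security 5.7 and removed in 6, where the same rule is expressed in a SecurityFilterChain bean with requestMatchers instead of antMatchers.

```java
package example.security; // assumed package name

import javax.persistence.Entity;
import javax.persistence.Id;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

/** Stand-in for the asker's MainClass; the "owner" field (username of the owner) is an assumption. */
@Entity
class MainClass {
    @Id
    private String id;
    private String owner;

    public String getId() { return id; }
    public String getOwner() { return owner; }
}

/** Stand-in for the asker's repository; Spring Data 2.x provides findById(...) returning Optional. */
@RepositoryRestResource
interface MainClassRepository extends CrudRepository<MainClass, String> {
}

/**
 * Owner check referenced from the URL rule below as @mainClassAccess (assumed bean name).
 * It runs in the security filter chain, before any Spring Data REST controller, so it covers
 * the association resource no matter how Spring Data REST resolves it internally.
 */
@Component("mainClassAccess")
class MainClassAccess {
    private final MainClassRepository repository;

    MainClassAccess(MainClassRepository repository) {
        this.repository = repository;
    }

    public boolean isOwner(Authentication authentication, String id) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return false;
        }
        String user = authentication.getName();
        // An unknown id and someone else's id both produce the same 403, so the check
        // does not reveal which ids exist. A null owner never matches.
        return repository.findById(id)
                .map(m -> user.equals(m.getOwner()))
                .orElse(false);
    }
}

@Configuration
@EnableWebSecurity
class AssociationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // {id} is a path variable; Spring Security exposes it as #id in the expression.
            // No HTTP method is given, so GET, PUT, PATCH and DELETE on the association
            // are all subject to the owner check. Specific rules go before anyRequest().
            .antMatchers("/mainClasses/{id}/associatedClass")
                .access("@mainClassAccess.isOwner(authentication, #id)")
            // Everything else is left as the asker has it; here any authenticated user.
            .anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

Two things to keep in mind with this arrangement. First, the owner check calls MainClassRepository.findById itself, so any @PreAuthorize or @PostAuthorize placed on that repository method is evaluated during the check as well. Second, the rule protects only this path; the same AssociatedClass remains reachable through /associatedClasses/{id}, which the question already blocks, and through any projection or search endpoint that embeds it, so those need their own rules or the same owner check.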