I am trying to authorize apis exposed by Spring Data REST. So far I am able to do role-based authorization i.e:
@RepositoryRestResource(path = "book")
public interface BookRepository extends JpaRepository<Book, Long> {
@PreAuthorize("hasRole('ROLE_ADMIN')")
<S extends Book> Book save(Book book);
}
Also in the same project i have a service layer with ACL mechanism, which is working.
I am unable to use PostFilter expression with Spring Data REST i.e:
@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, admin)")
List<Book> findAll();
It would be of great help, if anyone using ACL with Spring Data REST.
Note: I am aware of below open issues:
https://jira.spring.io/browse/DATAREST-236
https://jira.spring.io/browse/SEC-2409
using JpaRepository was shadowing List<Book> findAll() method. Then I used CrudRepository, and PostFilter got applied.
For more details, a sample project is available on GitHub: https://github.com/charybr/spring-data-rest-acl
ACL-based authorization is working for below entity exposed by Spring Data REST.
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
@RepositoryRestResource(path = "book")
public interface BookRepository extends CrudRepository<Book, Long> {
@PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#book, 'write')")
<S extends Book> Book save(@P("book") Book book);
@Override
@PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, admin)")
Iterable<Book> findAll();
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With