Using Spring Security ACL with Spring Data REST

Question

I am trying to authorize apis exposed by Spring Data REST. So far I am able to do role-based authorization i.e:

@RepositoryRestResource(path = \"book\")
public i         


        

Answer 1

using JpaRepository was shadowing List findAll() method. Then I used CrudRepository, and PostFilter got applied.

For more details, a sample project is available on GitHub: https://github.com/charybr/spring-data-rest-acl

ACL-based authorization is working for below entity exposed by Spring Data REST.

import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource(path = "book")
public interface BookRepository extends CrudRepository {

    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#book, 'write')")
     Book save(@P("book") Book book);

    @Override
    @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, admin)")
    Iterable findAll();
}