发表新帖
发表新帖

How to allow a User only access their own data in Spring Boot / Spring Security?

后端 未结
关注
3 507
情歌与酒
情歌与酒 2020-12-05 12:19

I have some rest api like this:

/users/{user_id}
/users/{user_id}/orders
/users/{user_id}/orders/{order_id}

How I must secure them? every u

相关标签:
3条回答
  • 小蘑菇
    2020-12-05 12:42

    You should first choose your security strategy, What you need names "Row Filtering", one of Authorization Concepts of 3A( Authentication, Authorization,Audit ) Concepts.

    If you want to implement comprehensive solution, take a look at :

    https://docs.spring.io/spring-security/site/docs/3.0.x/reference/domain-acls.html

    Spring ACL completely covers concepts like "Row Filtering", "White-Black List", "Role Base Authorization", "ACL Inheritance", "Role Voter", ....

    Otherwise you should save the owner per business case you want to be secured and filter them in your Service Layer.

    0 讨论(0)
  • 生来不讨喜
    2020-12-05 12:43

    You can also use @PreAuthorize on the service interface. If you have a custom userdetails object then you can do it easily. In one of my projects I did it like this:

    @PreAuthorize(value = "hasAuthority('ADMIN')"
        + "or authentication.principal.equals(#post.member) ")
void deletePost(Post post);

    BTW this is in a service interface. You have to make sure to add the right annotations to get preauthorize to work.

    0 讨论(0)
  • 甜味超标
    2020-12-05 12:53

    In any @Controller, @RestController annotated bean you can use Principal directly as a method argument.

        @RequestMapping("/users/{user_id}")
    public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
        // test if userId is current principal or principal is an ADMIN
        ....
    }

    If you don't want the security checks in your Controllers you could use Spring EL expressions. You probably already use some build-in expressions like hasRole([role]).

    And you can write your own expressions.

    1. Create a bean
        @Component("userSecurity")
    public class UserSecurity {
         public boolean hasUserId(Authentication authentication, Long userId) {
            // do your check(s) here
        }
    }
    1. Use your expression
        http
     .authorizeRequests()
     .antMatchers("/user/{userId}/**")
          .access("@userSecurity.hasUserId(authentication,#userId)")
        ...

    The nice thing is that you can also combine expressions like:

        hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)
    0 讨论(0)
 看不清?
提交回复
热议问题