The problem can be defined by the following example:
I have a class MainClass
which is related with another class called AssociatedClass
by
Apply an excerpt projection to the associated entity's repository and add security checks there, as described in "Spring Data Rest: Security based projection".
The associated resource will be returned but you can hide certain fields or all of them.
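That approach, written out as an added example (not code from this answer or from the linked post). It assumes Spring Boot 2.x with Spring Data REST, JPA and Spring Security 5; the `name` and `internalNote` fields, the `FieldGuard` bean and the projection name are hypothetical.

```java
// Added example. Each top-level type goes in its own file in one package;
// the imports are listed once here for brevity.
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.config.Projection;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Entity
public class AssociatedClass {
    @Id @GeneratedValue private Long id;
    private String name;          // hypothetical field, visible to everyone
    private String internalNote;  // hypothetical field, admins only
    public String getName() { return name; }
    public String getInternalNote() { return internalNote; }
}

// Bean referenced from the projection's SpEL expression as @fieldGuard.
@Component("fieldGuard")
public class FieldGuard {
    public boolean isAdmin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.isAuthenticated()
                && auth.getAuthorities().stream()
                       .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
    }
}

@Projection(name = "associatedExcerpt", types = AssociatedClass.class)
public interface AssociatedExcerpt {
    String getName();

    // Evaluated on every request: non-admin callers receive null, not the stored value.
    @Value("#{@fieldGuard.isAdmin() ? target.internalNote : null}")
    String getInternalNote();
}

// The excerpt is used wherever AssociatedClass is embedded in another resource.
@RepositoryRestResource(excerptProjection = AssociatedExcerpt.class)
public interface AssociatedClassRepository extends CrudRepository<AssociatedClass, Long> {
}
```

Excerpt projections are applied to collection resources and to embedded associations, not to the item resource of `AssociatedClass` itself, so that endpoint still returns every field unless it is restricted separately.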
One option is to secure Spring Data REST endpoints at the URL level. For example:
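    // Inside a class that extends WebSecurityConfigurerAdapter.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Regex path variables need the {name:regex} form; a bare {regex} is read as a
            // variable name and matches any segment. The names id/association are illustrative.
            .antMatchers("/entity/{id:[0-9]+}/{association:[A-Za-z][A-Za-z0-9]+}").hasRole("ADMIN")
            .and().csrf().disable();
    }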
Public access:
Admin access: