Spring Security - Ownership based access - Code World

Spring Security - Ownership based access

Others 2022-04-22 00:27:57 views: 0

0x1C1B :

Let's say I've a minimal RESTful controller like the following, by the way using Java 8 and Spring Boot 2, ...

@RestController
class MyController {

    @Autowired
    private PostService service;    

    @GetMapping
    public Post get() {

        return service.getLatest();
    }
}

I've secured this route successfully using the Spring Security module. Now I want to allow only the resource owner access to this resource. With resource owner I mean the creator or saying it simple:

Post myPost = new Post();
...
myPost.getCreator().equals(currentUser); // Should be true when access is granted

I found a lot about role based access, but nearly nothing for checking ownership... Of course I could place an if statement inside of the controller and throw an exception, but I intended to use something like Spring's Expression-Based Access Control.

Any other ideas? Does somebody have a good idea or example for ownership checking of a resource?

Joeri Boons :

For a simple get operation you can just return the post linked to your current logged in user

@GetMapping
public Post getPost(Authentication authentication) {
    return service.getPostByUser(authentication.getName());
}

For updating an existing post, you can check within the PreAuthorize if the creator is the logged in user. authentication.getName() gives back an email in my example

@PutMapping
@PreAuthorize("#post.getCreator() == authentication.getName()")
public void update(@RequestBody Post post, Authentication authentication) {
    service.updatePost(post);
}

Basic example of the @Component way

@Autowired
private CreatorCheck creatorCheck;

@PutMapping
@PreAuthorize("@creatorChecker.check(#post,authentication)")
public void update(@RequestBody Post post, Authentication authentication) {
    service.updatePost(post);
}

And the component.. Can be extended to retrieve the original Post and check that creator..

@Component
public class CreatorCheck {

    public boolean check(Post post, Authentication authentication) {
       return post.getCreator().equals(authentication.getName());
    }
}

For a more comprehensive tutorial check out this tutorial link found by 0x1C1B

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=122907&siteId=1

Spring Security - Ownership based access

Access control based on roles or permissions in Spring Security

Spring Security-access control based on roles or permissions

Do not let your micro streaking service, based on micro-Spring Session & Spring Security service access control

Spring Boot + Spring Security: URL-based dynamic permissions: Extended access () expression of SpEL - Part 15

Spring Security Token based Authentication

Spring Security url dynamic access control (III)

spring security custom access control process

Access is Always Denied in Spring Security - DenyAllPermissionEvaluator

Spring Security and permissions system based JWT

Spring Security (two) memory-based authentication

Spring Security role-based permission management

role based authorization using spring security

The spring boot integration spring security access interface does not respond

Spring Boot configures Spring Security to implement simple access interception

Spring Security出现403，org.springframework.security.access.AccessDeniedException: Access is denied

Spring Boot + Spring Security: authentication information based on memory - Part 3

Transformation based on Spring Security's old project and Spring Session Redis

How to allow anonymous user access from localhost only in Spring security?

Spring Security denies access to `@Secured` method in spite of granted authorities

Spring security check if user has access to mentioned url

Spring security - creating 403 Access denied custom response

Spring Security does not allow anonymous (anonymous) access to the Post interface (403)

Spring Security in Action Chapter 7 Configuring Authorization: Restricting Access

Construction of access REST interfaces for relational database based on Spring Boot

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER) vs ManagementServerProperties.ACCESS_OVERRIDE_ORDER in Spring Security

SpringBoot+Spring Security is based on memory user authentication

Spring Security (15): Permission control based on the RBAC data model

Spring Security (14): Realize SSO single sign-on based on JWT

Spring Security 5 populating authorities based on JWT claims

Recommended

Rushing to the GitHub hot list——How can open source programming languages and frameworks be so cute?

Beijing Humanoid Robot Innovation Center launches Tiangong, the world's first full-size humanoid robot with purely electric drive for anthropomorphic running

Ranking

8个无需编写代码即可使用 Python 内置库的方法

Java collections interview knowledge Lite

Machine learning algorithms foundation - Introduction a (watermelon materials for the book)

(Easy) Ransom Note - LeetCode

[Five days] Qt from entry to actual combat: the second day

Remember once extremely pit father can not download Maven Jar package of issues: IDEA question

The minimum cost Shortest

OSPF study map (the most complete version)

Network Takeaways

GnuPG

Daily

More

2024-04-27(29)

2024-04-26(22)

2024-04-25(32)

2024-04-24(30)

2024-04-23(30)

2024-04-22(5)

2024-04-21(0)

2024-04-20(6)

2024-04-19(5)

2024-04-18(0)