Question
The problem can be defined by the following example:
I have a class MainClass which is related with another class called AssociatedClass by a @OneToOne relation. Both have an exposed Repository so I can do a GET on the URL /mainClasses/{some_id} and on the URL /associatedClasses/{some_id}. However, the AssociatedClassRepository has the following code:
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PreAuthorize;

@RepositoryRestResource
public interface AssociatedClassRepository extends PagingAndSortingRepository<AssociatedClass, String> {
    // "1 == 2" never evaluates true, so findOne (and therefore GET /associatedClasses/{id}) is always denied.
    @Override
    @PreAuthorize("1 == 2")
    AssociatedClass findOne(String s);
}
So it will never authorize the GET method to an object of type AssociatedClass. However, as the object of type MainClass has an AssociatedClass object associated, I can obtain this object by doing a GET at /mainClasses/{some_id}/associatedClass.
I would like to block access to /mainClasses/{some_id}/associatedClass, but not for all users. I'd like to define some condition in the same way I can through @PreCondition, so that I can allow access only if the authenticated user is the owner of the resource, which is my real goal.
Any ideas?
Answer 1:
One option is to secure Spring Data REST endpoints at the URL level. For example:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
        // {name:regex} is the Ant-style syntax for a constrained path variable.
        // A bare {[0-9]+} is parsed as a variable named "[0-9]+" that matches
        // any segment, so the digit constraint would silently be ignored.
        .antMatchers("/entities/{id:[0-9]+}/{association:[A-Za-z][A-Za-z0-9]+}").hasRole("ADMIN")
        .and().csrf().disable();
}
Public access:
- /entities
- /entities/{entityId}
Admin access:
- /entities/{entityId}/{associatedEntity}
Answer 2:
Apply an excerpt projection to the associated entity's repository and add the security checks there, as described in
Spring Data Rest: Security based projection
The associated resource will still be returned, but you can hide certain fields or all of them.
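The following is an added example that is not code from the question or from either answer; it shows how the URL-level rule from Answer 1 and the excerpt projection from Answer 2 can both be driven by one owner check, which is what the question actually asks for. It targets the same Spring Data 1.x / Spring Security 4.x API generation as the question (findOne(String), WebSecurityConfigurerAdapter). Everything beyond the names in the original post is assumed: that MainClass and AssociatedClass each expose getOwner() returning the owning username, that AssociatedClass has a body field worth hiding, that a MainClassRepository exists, the bean name ownershipChecker, the projection name ownerOnly, and that Spring Data resolves @beanName references inside projection SpEL. The entity classes themselves are not shown.

```java
// Added example, not from the question or either answer. Assumptions are
// listed in the lead-in: getOwner() on both entities, the "body" field,
// MainClassRepository, the bean and projection names.
package example.security;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.config.Projection;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

// Assumed repository for the parent entity (ids are Strings, as in the question).
interface MainClassRepository extends PagingAndSortingRepository<MainClass, String> {
}

// One place that decides ownership, shared by the URL rule and the projection
// so the two checks cannot drift apart.
@Component("ownershipChecker")
class OwnershipChecker {

    private final MainClassRepository mainClasses;

    OwnershipChecker(MainClassRepository mainClasses) {
        this.mainClasses = mainClasses;
    }

    // Used from the web-security SpEL rule: @ownershipChecker.isOwner(#id, authentication)
    public boolean isOwner(String mainClassId, Authentication auth) {
        if (mainClassId == null) {
            return false;
        }
        MainClass main = mainClasses.findOne(mainClassId);
        // Fail closed: an unknown id denies instead of falling through.
        return main != null && ownedBy(main.getOwner(), auth);
    }

    // Used from the projection SpEL, where no Authentication is passed in,
    // so it is read from the SecurityContext of the current request.
    public boolean isCurrentUserOwnerOf(AssociatedClass associated) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return associated != null && ownedBy(associated.getOwner(), auth);
    }

    private static boolean ownedBy(String owner, Authentication auth) {
        // Anonymous tokens report isAuthenticated() == true and the name
        // "anonymousUser", so they are excluded explicitly.
        return owner != null
            && auth != null
            && auth.isAuthenticated()
            && !(auth instanceof AnonymousAuthenticationToken)
            && owner.equals(auth.getName());
    }
}

// Answer 1 made owner-specific: the association resource is gated on the
// parent's owner instead of on a role. {id} is bound to #id in the access
// expression (path variables in web security expressions, Spring Security 4.1+).
@Configuration
@EnableWebSecurity
class AssociationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Must come before the broader /mainClasses/** rule: first match wins.
            .antMatchers("/mainClasses/{id}/associatedClass")
                .access("@ownershipChecker.isOwner(#id, authentication)")
            .antMatchers("/mainClasses/**", "/associatedClasses/**").authenticated()
            // Anything not matched above (for example a trailing-slash variant
            // of the association URL) is denied rather than let through.
            .anyRequest().denyAll()
            .and()
            .httpBasic();
    }
}

// Answer 2: excerpt projection on the associated entity. The body is blanked
// unless the current user owns it.
@Projection(name = "ownerOnly", types = AssociatedClass.class)
interface AssociatedClassExcerpt {

    @Value("#{@ownershipChecker.isCurrentUserOwnerOf(target) ? target.body : null}")
    String getBody();
}

@RepositoryRestResource(excerptProjection = AssociatedClassExcerpt.class)
interface AssociatedClassRepository extends PagingAndSortingRepository<AssociatedClass, String> {
}
```

The URL rule is the one that actually refuses the request; the projection only blanks fields, so a non-owner who reaches the resource through some other path still learns that it exists and sees its _links. The order of the antMatchers calls matters: if the /mainClasses/** rule were listed first, it would match the association URL and the owner check would never run.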
Source: https://stackoverflow.com/questions/39955961/how-to-secure-association-resources