Flo

Reputation: 1499

spring security 3 - restrict role access to actual user

In my web application I want users (role USER) to have their private page, which they can only see themselves. I also want to have a super admin (role ADMIN) which can see all private pages of all users.

So I model the URLs in the following way:

/user/{userId}/...

Now, apart from ADMIN, only the USER with that userid should be able to invoke this page. Users can be dynamically added and their userid will be a generated serial number.

I started modelling it like this:

<http pattern="/user/**" use-expressions="true">
    ...
    <intercept-url pattern="/user/**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
    ...
</http>

But doing so would e.g. enable the USER with userid 2 to invoke /user/1/...

What is the proper way to do this? Can somebody give me an example?

Upvotes: 0

Views: 1066

Answers (1)

coderLMN

Reputation: 3076

The userId in /user/{userId}/ is meaningful only when the user has the ADMIN role. For other users, just ignore the parameter and use

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

UserDetails userDetails =
      (UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
// Java has no 'in' operator: compare the authority strings of the principal
boolean isAdmin = false;
for (GrantedAuthority authority : userDetails.getAuthorities()) {
    if ("ROLE_ADMIN".equals(authority.getAuthority())) {
        isAdmin = true;
    }
}
if (isAdmin) {
    // get user identified by userId
} else {
    // get current user
}

to get current user related information.

Upvotes: 2
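One way to enforce this per request with Spring Security 3 method security, so that a USER with userid 2 gets 403 on /user/1/... even though /user/** admits any USER. This is an added example in Java, not code from the question or the answer; it assumes <global-method-security pre-post-annotations="enabled" proxy-target-class="true"/> is configured in the dispatcher servlet context and that the UserDetailsService returns the hypothetical AppUser below.

```java
// Added example (not from the question or the answer): "own page or ADMIN"
// check bound to the {userId} path variable via a @PreAuthorize expression.
// Assumes method security is enabled with proxy-target-class="true" and that
// the UserDetailsService returns the hypothetical AppUser class below.
import java.util.Collection;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical UserDetails implementation carrying the generated serial number,
// so the expression can compare it against the id in the URL.
class AppUser extends User {
    private final long id;

    AppUser(long id, String username, String password,
            Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }

    public long getId() {
        return id;
    }
}

@Controller
public class UserPageController {

    // 'principal' is the AppUser from the SecurityContext; '#userId' is the
    // method argument. Spring Security 3.x resolves #userId from the parameter
    // name stored in the class file, so compile with debug info (javac -g);
    // 3.2+ can alternatively annotate the argument with @P("userId").
    @PreAuthorize("hasRole('ROLE_ADMIN') or #userId == principal.id")
    @RequestMapping("/user/{userId}/profile")
    public String profile(@PathVariable("userId") long userId) {
        // Reached only for the page owner or an ADMIN; for anyone else an
        // AccessDeniedException (HTTP 403) is raised before the body runs.
        return "profile";
    }
}
```

The broad intercept-url rule still keeps anonymous callers out of /user/**; the method-level rule adds the per-user ownership check that the URL pattern alone cannot express in Spring Security 3.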
