Marcin Wasiluk

Reputation: 4864

Spring Security 3.2 separate data between users

Spring Security - web application

Having two users with identical permissions, UserA and UserB,

and two Event objects

class Event {
    objectId owner;
    ...
}

event1's owner set to UserA, event2's owner set to UserB, both accessible to logged-in users at

http://service/event1
http://service/event2

What is considered the best way to secure the web application so that UserA can only see

http://service/event1

but NOT

http://service/event2

(and reverse for the other user)

Currently I have implemented a solution at the controller level that gets the list of events for the user, performs checks and redirects to the appropriate place. I do not like it.

Upvotes: 0

Views: 110

Answers (1)

Kelsey Francis

Reputation: 522

You can check that the event's owner id matches the currently authenticated principal's id. See Obtaining information about the current user.

You could possibly then set up a URL pattern access rule that performs this check for event URLs (/event*). See Expression-Based Access Control.

Upvotes: 1
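One way to implement the owner check the answer describes, as an added example that is not code from the question or the answer: instead of a URL-pattern rule (which has no access to the event's owner field without loading the event), it uses Spring Security 3.2 method security with a custom PermissionEvaluator behind `hasPermission(#id, 'Event', 'read')`. The `EventRepository`, `AppUser` (a UserDetails that exposes the user's id) and the `/event{id}` mapping are assumptions made for the example.

```java
// Added example (not from the question or answer). Assumes Spring Security 3.2
// with method security enabled, a hypothetical EventRepository, and a
// UserDetails implementation (AppUser) that exposes the user's id.
import java.io.Serializable;
import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.parameters.P;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

// The question's Event, with the owner stored as the owning user's id.
class Event {
    final String id;
    final String owner;
    Event(String id, String owner) { this.id = id; this.owner = owner; }
}

// Hypothetical data access; returns null when no such event exists.
interface EventRepository {
    Event findOne(String id);
}

// UserDetails that carries the user's id so it can be compared with Event.owner.
class AppUser extends User {
    private final String id;
    AppUser(String id, String username, String password,
            Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }
    public String getId() { return id; }
}

@Component
class EventPermissionEvaluator implements PermissionEvaluator {
    private final EventRepository events;

    @Autowired
    EventPermissionEvaluator(EventRepository events) { this.events = events; }

    // Backs hasPermission(#id, 'Event', 'read') in @PreAuthorize expressions.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !(auth.getPrincipal() instanceof AppUser)) return false;
        if (!"Event".equals(targetType)) return false;
        Event event = events.findOne(String.valueOf(targetId));
        // Deny rather than throw for an unknown id: the caller gets the same 403
        // for "someone else's event" and "no such event", so ids cannot be
        // enumerated through the access check.
        if (event == null) return false;
        String principalId = ((AppUser) auth.getPrincipal()).getId();
        return event.owner.equals(principalId);
    }

    // Backs hasPermission(#event, 'read') when the domain object itself is passed.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof Event)) return false;
        return hasPermission(auth, ((Event) target).id, "Event", permission);
    }
}

// Wires the evaluator into the method-security expression handler.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Autowired private EventPermissionEvaluator eventPermissionEvaluator;

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(eventPermissionEvaluator);
        return handler;
    }
}

@Controller
class EventController {
    @Autowired private EventRepository events;

    // Serves /event1, /event2, ... as in the question. The expression is
    // evaluated before the method body runs, so UserB requesting /event1 gets
    // a 403 from Spring Security with no redirect logic in the controller.
    // @P names the parameter for #id without relying on debug symbols.
    @PreAuthorize("hasPermission(#id, 'Event', 'read')")
    @RequestMapping(value = "/event{id}", method = RequestMethod.GET)
    @ResponseBody
    public String show(@P("id") @PathVariable String id) {
        return "event " + id + " owned by " + events.findOne(id).owner;
    }
}
```

For the `@PreAuthorize` on the controller to be enforced, method security must be declared in the same application context that creates the controller beans (for XML config, the `<global-method-security>` element belongs in the DispatcherServlet context, not only the root context); otherwise the annotation is silently ignored and every logged-in user can read every event.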
