Reputation: 25780
In my Spring Boot application I have a REST controller with the following method:
@PreAuthorize("hasAnyRole('PERMISSION_UPDATE_OWN_COMMENT', 'PERMISSION_UPDATE_ANY_COMMENT')")
@RequestMapping(value = "/update", method = RequestMethod.POST)
public CommentResponse updateComment(@AuthenticationPrincipal User user, @Valid @RequestBody UpdateCommentRequest commentRequest) {
Comment comment = commentService.updateComment(commentRequest.getCommentId(), commentRequest.getTitle(), commentRequest.getContent(), user);
return new CommentResponse(comment);
}
Only users with PERMISSION_UPDATE_OWN_COMMENT or PERMISSION_UPDATE_ANY_COMMENT are allowed to use this endpoint.
Inside this method I need to create two different flows: one for users with the PERMISSION_UPDATE_OWN_COMMENT permission and another one for users with the PERMISSION_UPDATE_ANY_COMMENT permission.
So my question is: what is the best practice in Spring Security for implementing these different flows of logic inside a single method?
Should I validate inside the updateComment method that the user has one or the other permission and implement my logic based on that condition?
Upvotes: 0
Views: 1680
Reputation: 14875
The easiest way is to do the logic inside the updateComment function in the controller, because you can easily get an instance of SecurityContextHolderAwareRequestWrapper from the action param to find the role.
But the best practice is to put your logic inside the service. This will make it easier to reuse the logic in another place, like RESTful APIs.
So you may use the code below, or something similar, to check the role inside the service.
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
// contains() goes through SimpleGrantedAuthority.equals(), so this only matches when the stored authorities are SimpleGrantedAuthority instances
boolean authorized = authorities.contains(new SimpleGrantedAuthority("PERMISSION_UPDATE_OWN_COMMENT"));
(edited with further information)
A complete function which can be used to check the roles:
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

protected boolean roleExist(String role) {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication authentication = context.getAuthentication();
    // No Authentication in the context (an unauthenticated call) means no authority at all
    if (authentication == null) {
        return false;
    }
    // Compare by authority string so it works for any GrantedAuthority implementation
    for (GrantedAuthority auth : authentication.getAuthorities()) {
        if (role.equals(auth.getAuthority()))
            return true;
    }
    return false;
}
Upvotes: 3
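A worked version of the answer's advice, added here as an example and not code from the question or the answer: the two flows are decided inside the service, and the PERMISSION_UPDATE_OWN_COMMENT flow additionally compares the comment's author with the caller, which is the check that decides whether an ordinary user can edit somebody else's comment. The User, Comment, UpdateCommentRequest and CommentRepository types are hypothetical stand-ins for the question's classes (the question does not show them), as is the assumption that a comment records its author's id. The block also shows the annotation-only alternative of delegating to a bean from the SpEL expression. One caveat on the question's annotation: hasAnyRole() prepends ROLE_ to each name, so for authorities literally named PERMISSION_... the matching check is hasAnyAuthority().

```java
import java.util.Optional;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical stand-ins for the question's User, Comment and UpdateCommentRequest.
// Assumption: the principal exposes an id and every comment records its author's id.
class User { final long id; User(long id) { this.id = id; } long getId() { return id; } }
class Comment {
    final long id; final long authorId; String title; String content;
    Comment(long id, long authorId) { this.id = id; this.authorId = authorId; }
    long getAuthorId() { return authorId; }
}
class UpdateCommentRequest {
    long commentId; String title; String content;
    public long getCommentId() { return commentId; }
    public String getTitle() { return title; }
    public String getContent() { return content; }
}
// Hypothetical persistence port (a Spring Data repository has the same shape).
interface CommentRepository {
    Optional<Comment> findById(long id);
    Comment save(Comment comment);
}

@Service
class CommentService {
    static final String UPDATE_OWN = "PERMISSION_UPDATE_OWN_COMMENT";
    static final String UPDATE_ANY = "PERMISSION_UPDATE_ANY_COMMENT";

    private final CommentRepository comments;
    CommentService(CommentRepository comments) { this.comments = comments; }

    // Compare by authority string, like the answer's roleExist(); null means an unauthenticated call.
    static boolean has(Authentication auth, String permission) {
        return auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> permission.equals(a.getAuthority()));
    }

    // Both flows live here so every caller (REST, batch job, another service) gets the same check.
    public Comment updateComment(long commentId, String title, String content, User user) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Comment comment = comments.findById(commentId)
                .orElseThrow(() -> new IllegalArgumentException("unknown comment " + commentId));

        if (has(auth, UPDATE_ANY)) {
            // Flow 1: may edit any comment, no ownership condition.
        } else if (has(auth, UPDATE_OWN)) {
            // Flow 2: the permission name alone does not bind the caller to this commentId;
            // without this comparison any holder of UPDATE_OWN could edit everyone's comments.
            if (comment.getAuthorId() != user.getId()) {
                throw new AccessDeniedException("user " + user.getId() + " is not the author of comment " + commentId);
            }
        } else {
            // Deny by default: the service stays safe even if a caller forgets @PreAuthorize.
            throw new AccessDeniedException("requires " + UPDATE_OWN + " or " + UPDATE_ANY);
        }
        comment.title = title;
        comment.content = content;
        return comments.save(comment);
    }
}

// Alternative: fold the ownership condition into the annotation by exposing it as a bean that
// SpEL can call. Method parameter names (#commentRequest) must be available at runtime (javac -parameters).
@Component("commentPermissions")
class CommentPermissions {
    private final CommentRepository comments;
    CommentPermissions(CommentRepository comments) { this.comments = comments; }

    public boolean canUpdate(long commentId, Authentication auth) {
        if (CommentService.has(auth, CommentService.UPDATE_ANY)) {
            return true;
        }
        if (!CommentService.has(auth, CommentService.UPDATE_OWN) || !(auth.getPrincipal() instanceof User)) {
            return false;
        }
        long callerId = ((User) auth.getPrincipal()).getId();
        return comments.findById(commentId).map(c -> c.getAuthorId() == callerId).orElse(false);
    }
}

@RestController
class CommentController {
    private final CommentService commentService;
    CommentController(CommentService commentService) { this.commentService = commentService; }

    // The bean expression rejects non-owners before the controller body runs; the service check
    // above still applies as defence in depth. A plain authority guard here would be
    // hasAnyAuthority('PERMISSION_UPDATE_OWN_COMMENT', 'PERMISSION_UPDATE_ANY_COMMENT').
    @PreAuthorize("@commentPermissions.canUpdate(#commentRequest.commentId, authentication)")
    @PostMapping("/update")
    public Comment updateComment(@AuthenticationPrincipal User user, @RequestBody UpdateCommentRequest commentRequest) {
        return commentService.updateComment(commentRequest.getCommentId(),
                commentRequest.getTitle(), commentRequest.getContent(), user);
    }
}
```

Throwing AccessDeniedException from the service keeps it independent of the web layer; for an HTTP request Spring Security's ExceptionTranslationFilter turns it into a 403. If the project does not compile with -parameters, annotate the argument with Spring Security's @P("commentRequest") so the SpEL name still resolves.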