meerlol

Reputation: 366

Restrict access to spring REST data based on credentials

I have a CrudRepository through which I can access my entities. Let's say I have an entity called Report (all oversimplified and not compiling):

@Entity
public class Report{
   @Id
   private Long id;
   private boolean classified;
   private Date date;
   private String reportdata;
}

And a CrudRepository:

@RepositoryRestResource(collectionResourceRel = "reports", path = "report")
public interface ReportRepository extends CrudRepository<Report, Long>
{
   List<Report> findByDate(Date date); // <---- I want this to return only reports which are not classified for users who do not have the appropriate role
}

The findByDate will return all reports, including all classified reports for all users making the request. I want to restrict the access to the data based on the currently authenticated user. Is this possible?

Upvotes: 0

Views: 956

Answers (2)

Neil McGuigan

Reputation: 48287

You need Spring Security 4. It now integrates with Spring Data.

http://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#data

Something like:

@Repository
public interface ReportRepository extends CrudRepository<Report,Long> {

    @Query("select r from Report r where r.date=?1 and r.owner.id = ?#{ principal?.id }")
    Report findByDate(Date date);
}

Upvotes: 2
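
The same Spring Security / Spring Data integration applied to the question's `classified` flag, as an added example that is not part of the answer above or of the asker's project. The configuration class name and the role name `ROLE_CLASSIFIED` are assumptions, and the endpoint is assumed to require authentication, since the SpEL extension needs an `Authentication` in the security context.

```java
// SecurityDataConfig.java (added example; class name is an assumption)
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

@Configuration
public class SecurityDataConfig {
    // Exposes the Spring Security expression root (principal, hasRole(...))
    // to SpEL fragments inside Spring Data @Query strings.
    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}

// ReportRepository.java
import java.util.Date;
import java.util.List;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource(collectionResourceRel = "reports", path = "report")
public interface ReportRepository extends CrudRepository<Report, Long> {

    // Unclassified rows match for every caller; classified rows match only
    // when the SpEL fragment evaluates to 1, i.e. the caller holds
    // ROLE_CLASSIFIED (hypothetical role name). The filter runs in the
    // database, so classified rows never reach the REST layer.
    @Query("select r from Report r where r.date = ?1 "
         + "and (r.classified = false or 1 = ?#{hasRole('ROLE_CLASSIFIED') ? 1 : 0})")
    List<Report> findByDate(Date date);

    // Only this finder is filtered. Inherited CrudRepository methods that
    // Spring Data REST also exports (for example findAll) are not covered
    // by the query above and need their own restriction.
}
```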

devops

Reputation: 9197

REST is stateless. It means that the server stores NO runtime information (session, role etc.) about the client. So if you want to use REST you should generate an API key for your client. Use a simple path filter to check whether the API key is valid or not.

But perhaps you mean AJAX?

Upvotes: 0
