Reputation: 1464
I have multiple closely related problems in Spring Security. I am developing using Spring Boot and am using Spring Data REST for creating REST endpoints directly from my repositories.
I have multiple entities and the requirement is to have all these entities as REST endpoints. I am letting spring-data-rest handle the creation of these endpoints and I am securing these endpoints by adding `@PreAuthorize` and `@PostAuthorize` to the entity repository methods as and where required. This works great when I am calling an endpoint like `/entity/id`.
But I am facing issues from here. Let's say I have 2 entities, `Entity1` and `Entity2`, and they have a One to One relationship. Spring data rest allows me to fetch the related `Entity2` data from `Entity1` like `/entity1/id/entity2`. But I have different access rights over `Entity1` and `Entity2`, and calling the above endpoint only checks the access rights as set up in the repository for `Entity1`. So, if a user has access to the `Entity1` table and no access to the `Entity2` table, he can still see some `Entity2` data via the foreign key relationship of `Entity1`. Is this a correct design?
Moreover, we have some custom API endpoints wherein we have to aggregate data from multiple entity repositories. Also, these endpoints themselves have to be secured. So, I am using a `@PreAuthorize` over an endpoint method. This works as expected and the endpoint method is called only when the expression is valid. But, when a repository method is called (via a service class of course), the `@PreAuthorize` over that repository method is also evaluated. I would like to have the check done at the beginning. Is it possible to do so?
Any suggestions for improving the design are also welcome.
Upvotes: 1
Views: 66
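The association resource `/entity1/{id}/entity2` described in the question is served by following the JPA relation from `Entity1`, so `Entity2Repository`'s `@PreAuthorize` is never consulted on that path. One defensive option is to enforce the `Entity2` permission at the HTTP layer as well, so the association path and the direct `/entity2` path are held to the same rule. The following is an added example, not code from the question or the answer; the `/api` base path, the `ENTITY2_READ`/`ENTITY2_WRITE` authority names and the entity paths are assumptions, and it targets the Spring Security 6 `authorizeHttpRequests` API.

```java
// Added example (not from the question or any answer): a Spring Security 6
// filter chain that applies Entity2's permission to the association resource
// Spring Data REST exposes under /entity1/{id}/entity2, since @PreAuthorize on
// Entity2Repository is not evaluated on that path.
// Assumptions: base path /api, authorities ENTITY2_READ and ENTITY2_WRITE.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity // keeps the existing @PreAuthorize/@PostAuthorize on repositories active
public class AssociationSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Association resource of Entity1 that resolves to Entity2 data:
                // require the Entity2 permission before the repository layer is reached.
                // Matchers are evaluated in order; the first match wins.
                .requestMatchers(HttpMethod.GET, "/api/entity1/*/entity2").hasAuthority("ENTITY2_READ")
                .requestMatchers("/api/entity1/*/entity2").hasAuthority("ENTITY2_WRITE")
                // Direct Entity2 resources: same rule as the repository annotations,
                // so the two paths cannot drift apart.
                .requestMatchers(HttpMethod.GET, "/api/entity2/**").hasAuthority("ENTITY2_READ")
                .requestMatchers("/api/entity2/**").hasAuthority("ENTITY2_WRITE")
                // Everything else still needs an authenticated caller; the
                // repository-level annotations decide the finer-grained rules.
                .anyRequest().authenticated())
            .httpBasic(basic -> {});
        return http.build();
    }
}
```

If `Entity1`'s own representation embeds `Entity2` fields through an excerpt projection, the URL rule above does not cover that; the projection itself would need to be restricted as well.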
Reputation: 3423
There is no simple solution without massively modifying/overriding lots of default Spring DataRest features. I've been working on such a package for years now and it's working quite well for me. Although switching to this package might be a bit overkill for you, it could be worth the trouble in the long run because it also fixes a lot of problems you will meet only months later.
(+ some extra features like flexible search on multiple properties)
Here is the package (it's an extension of Spring Data JPA / Data Rest)
Upvotes: 1