spattanaik75
Reputation: 143
Spring security : How to use @RolesAllowed with @RequestBody
I have a method like this:
@RolesAllowed("ROLE_A")
@RequestMapping(value = "/",
method = RequestMethod.POST,
produces = MediaType.APPLICATION_JSON_VALUE)
public MRSData modifyMarketData(@RequestBody RequestObject body){
return repository.save(collection, body);
}
@Document
@Data
public class RequestObject {
@Id
@JsonInclude(JsonInclude.Include.NON_NULL)
private String _id;
private Object metadata;
private Object body;
}
Request looks like this:
{
"_id": "5f4ba6b3d93a8c1452f596a0",
"metadata": {
"data_type":"A"
}
}
Now only certain roles are allowed to access "data_type=A".
I want to use @RolesAllowed or equivalent to block the request based on @RequestBody
How should i achieve this?
Tx in advannce
Upvotes: 1
Views: 602
Answers (1)
Benjamin M
Reputation: 24527
If you want to filter based on request value, you can use @PreAuthorize.
Some examples: https://www.baeldung.com/spring-security-method-security
Old answer:
You can use @PostAuthorize (or maybe @PostFilter) to restrict access based on the method's return value.
Upvotes: 1
Related Questions
- @RolesAllowed doesn't work
- Spring security Role based HTTP request Authorization
- Springboot hasAnyRole allow all/any roles
- Spring security doesn't match a given role
- @RolesAllowed interfering with @RequestMapping
- Add 'ROLE' to spring security / Auth0 authorization
- Modify behavior of Spring @RolesAllowed
- Spring Security with Roles
- Spring security roles
- Defining Spring Security user roles