Josh Johnson

Reputation: 11117

Spring Security and the Proper Way to Verify that User has Access to a Resource

I'm using Spring Security which works great to make sure that a user has a certain role before accessing a resource. But now I need to verify something a little different:

`/product/edit/{productId}`

What is the best way to verify that the logged-in user "owns" productId? My business mappings handle the relationship (a user has a list of products). I need to verify this product belongs to the user and hence, they can edit it.

I know how to gain access to productId and the logged-in user in both the controller and an interceptor. I don't believe this logic belongs in the controller at all. The interceptor seems better, but I wondered if Spring Security had an "accepted" way of handling this situation.

Upvotes: 2

Views: 647

Answers (1)

Ravi Kadaboina

Reputation: 8574

Yes, in Spring you can implement this by implementing Access Control Lists. An ACL declaration specifies permissions for individual objects per user. Once you have everything set up, like ACL entries in your database and the logic, you can use SpEL and the @PostFilter annotation to control the list of objects returned to a user.

Spring Security Documentation


Upvotes: 1
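The following is an added example, not code from the question or the answer: it shows the `hasPermission(...)` expressions that the answer's ACL approach relies on, applied with `@PreAuthorize` (deny the edit up front) and `@PostFilter` (trim a returned list), and moves the ownership check out of the controller and interceptor into the service layer. Rather than wiring the full JDBC-backed ACL module (`AclPermissionEvaluator` plus the ACL tables), it plugs in a custom `PermissionEvaluator` that consults the domain mapping the question already has (a product knows its owner); the annotations stay identical if the evaluator is later swapped for the ACL module's. `Product`, `ProductRepository`, `OwnershipPermissionEvaluator`, `MethodSecurityConfig` and `ProductService` are assumed names.

```java
// Added example (not from the question or answer). Assumed classes: Product,
// ProductRepository, OwnershipPermissionEvaluator, MethodSecurityConfig,
// ProductService. Requires Spring Security 5.6+ for @EnableMethodSecurity.
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

/** Assumed domain object: each product records the username of its owner. */
record Product(Long id, String ownerUsername, String name) {}

/** Assumed repository; in a real app this would be a JPA/JDBC repository. */
interface ProductRepository {
    Product findById(Long id);
    List<Product> findAll();
}

/** Ownership check: both READ and WRITE are granted only to the owner. */
class OwnershipPermissionEvaluator implements PermissionEvaluator {
    private final ProductRepository products;

    OwnershipPermissionEvaluator(ProductRepository products) { this.products = products; }

    // Backs @PostFilter("hasPermission(filterObject, 'READ')"): the object is in hand.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Product p)) {
            return false;
        }
        return p.ownerUsername().equals(auth.getName());
    }

    // Backs @PreAuthorize("hasPermission(#productId, 'Product', 'WRITE')"): only the id is known.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !"Product".equals(targetType) || !(targetId instanceof Long id)) {
            return false;
        }
        Product p = products.findById(id);
        // Deny on an unknown id as well, so a missing product is indistinguishable
        // from someone else's product to the caller.
        return p != null && hasPermission(auth, p, permission);
    }
}

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize / @PostFilter for Spring beans
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(ProductRepository products) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new OwnershipPermissionEvaluator(products));
        return handler;
    }
}

/** The ownership rule lives here, on the service, not in the controller or an interceptor. */
@Service
class ProductService {
    private final ProductRepository products;

    ProductService(ProductRepository products) { this.products = products; }

    // Called by the /product/edit/{productId} controller. If the caller does not own
    // the product, Spring throws AccessDeniedException before the body runs (HTTP 403).
    @PreAuthorize("hasPermission(#productId, 'Product', 'WRITE')")
    public Product loadForEdit(Long productId) {
        return products.findById(productId);
    }

    // Every element the caller does not own is removed from the returned list.
    // @PostFilter mutates the collection, so it must be a mutable copy.
    @PostFilter("hasPermission(filterObject, 'READ')")
    public List<Product> listMine() {
        return new ArrayList<>(products.findAll());
    }
}
```

Two points worth keeping in mind when adapting this: `@PreAuthorize` is the right fit for the edit endpoint, because it rejects the request before any work is done, whereas `@PostFilter` still loads every row and then discards the ones the caller may not see, which is fine for small lists but is a query-level filter's job once the table grows. The expression names (`#productId`, `filterObject`) are Spring Security's own; `#productId` resolves the method parameter of that name, so the parameter must be compiled with `-parameters` or annotated with `@P("productId")` for the lookup to work.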
