How to allow a User only access their own data in Spring Boot / Spring Security?
I have some rest api like this:
/users/{user_id}
/users/{user_id}/orders
/users/{user_id}/orders/{order_id}
How I must secure them? every user must see only her/his data, But admin can see all of them.
How & What I must implement in Spring Security that User by Id == 1 can't see data of user by Id == 2 and vice versa, expect users by role admin that can see all?
Do I check before every method User Id in session is equail with user_id param passed to api? is there a better way?
p.s: I use JWT by spring security.
Answer
In any @Controller, @RestController annotated bean you can use Principal directly as a method argument.
@RequestMapping("/users/{user_id}")
public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
// test if userId is current principal or principal is an ADMIN
....
}
If you don't want the security checks in your Controllers you could use Spring EL expressions.
You probably already use some build-in expressions like hasRole([role]).
And you can write your own expressions.
- Create a
bean
@Component("userSecurity")
public class UserSecurity {
public boolean hasUserId(Authentication authentication, Long userId) {
// do your check(s) here
}
}
- Use your expression
http
.authorizeRequests()
.antMatchers("/user/{userId}/**")
.access("@userSecurity.hasUserId(authentication,#userId)")
...
The nice thing is that you can also combine expressions like:
hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)