How to allow a User only access their own data in Spring Boot / Spring Security?

by

In any @Controller, @RestController annotated bean you can use Principal directly as a method argument.

    @RequestMapping("/users/{user_id}")
    public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
        // test if userId is current principal or principal is an ADMIN
        ....
    }

If you don’t want the security checks in your Controllers you could use Spring EL expressions.
You probably already use some build-in expressions like hasRole([role]).

And you can write your own expressions.

  1. Create a bean
    @Component("userSecurity")
    public class UserSecurity {
         public boolean hasUserId(Authentication authentication, Long userId) {
            // do your check(s) here
        }
    }
  1. Use your expression
    http
     .authorizeRequests()
     .antMatchers("/user/{userId}/**")
          .access("@userSecurity.hasUserId(authentication,#userId)")
        ...

The nice thing is that you can also combine expressions like:

    hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)

More Related Contents:

  1. Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
  2. Spring Boot Security CORS
  3. How to use OAuth2RestTemplate?
  4. Spring Boot CORS filter – CORS preflight channel did not succeed
  5. can I include user information while issuing an access token?
  6. Prevent Spring Boot from registering a servlet filter
  7. How to get custom user info from OAuth2 authorization server /user endpoint
  8. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  9. antMatchers that matches any beginning of path
  10. How to use multiple login pages one for admin and the other one for user
  11. Spring Boot with embedded Tomcat behind Apache proxy
  12. Spring Social Authentication Filter for Stateless REST Endpoints which use Facebook Token for authentication
  13. Spring Boot: How to specify the PasswordEncoder?
  14. Spring Boot SSL Client
  15. With Spring Data REST, why is the @Version property becoming an ETag and not included in the representation?
  16. How to Solve 403 Error in Spring Boot Post Request
  17. Spring Resttemplate exception handling
  18. Spring Boot – How to get the running port
  19. Fire and forget with reactor
  20. How do I get the Session Object in Spring?
  21. Spring Data – ignore parameter if it has a null value
  22. Spring Security 3.2 CSRF support for multipart requests
  23. implement dynamically datasource in spring data jpa
  24. How to conditionally declare Bean when multiple profiles are not active?
  25. Spring boot how to read properties file outside jar
  26. Added Springfox Swagger-UI and it’s not working, what am I missing?
  27. Spring Security and @Async (Authenticated Users mixed up)
  28. Changing default welcome-page for spring-boot application deployed as a war
  29. Modify default JSON error response from Spring Boot Rest Controller
  30. Using Maven properties in application.properties in Spring Boot

Leave a Comment