I expose a Spring REST service like this:

```java
@RequestMapping(value = "/{id}", method = RequestMethod.GET, headers = Constant.ACCEPT_APPLICATION_JSON)
@ResponseBody
public IndividualProviderDto showJson(@PathVariable("id") Long id) {
    IndividualProviderDto individualProviderDto = individualProviderService.findIndividualProvider(id);
    // Ownership check: only the user who owns the record may read it.
    if (SecurityUtils.getCurrentLogin().equals(individualProviderDto.getUserName())) {
        // Never return the stored credential to the client.
        individualProviderDto.setCredential("");
        // Note: these headers are built but never attached to the response.
        HttpHeaders headers = new HttpHeaders();
        headers.add(Constant.CONTENT_TYPE, Constant.APPLICATION_JSON_CHARSET_UTF8);
        return individualProviderDto;
    }
    // Any other caller gets the same error as a missing record.
    throw new IllegalArgumentException("User not found");
}
```
In the above code I am explicitly making a check to ensure that the id belongs to the logged in USER:

`SecurityUtils.getCurrentLogin().equals(individualProviderDto.getUserName())`

This check has to be applied wherever I need to protect a resource. Of course I can have an Aspect and apply it from one place using pointcut expressions. I have also heard of ESAPI, which forges the URL, but I was wondering if the Spring Security configuration provides something out of the box, so that I don't reinvent the wheel.
Spring Security is not the answer -- it provides facilities for authentication and authorization. Checking availability of a particular entity (in your case `id`) should be a part of the service layer, as it's already implemented in your code.