Search code examples
springrestspring-bootspring-securityspring-security-oauth2

How to allow a User only access their own data in Spring Boot / Spring Security?

I have some rest api like this:

/users/{user_id}
/users/{user_id}/orders
/users/{user_id}/orders/{order_id}

How I must secure them? every user must see only her/his data, But admin can see all of them.

How & What I must implement in Spring Security that User by Id == 1 can't see data of user by Id == 2 and vice versa, expect users by role admin that can see all?

Do I check before every method User Id in session is equail with user_id param passed to api? is there a better way?

p.s: I use JWT by spring security.

Solution

  • In any @Controller, @RestController annotated bean you can use Principal directly as a method argument.

        @RequestMapping("/users/{user_id}")
    public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
        // test if userId is current principal or principal is an ADMIN
        ....
    }

    If you don't want the security checks in your Controllers you could use Spring EL expressions. You probably already use some build-in expressions like hasRole([role]).

    And you can write your own expressions.

    1. Create a bean
        @Component("userSecurity")
    public class UserSecurity {
         public boolean hasUserId(Authentication authentication, Long userId) {
            // do your check(s) here
        }
    }
    1. Use your expression
        http
     .authorizeRequests()
     .antMatchers("/user/{userId}/**")
          .access("@userSecurity.hasUserId(authentication,#userId)")
        ...

    The nice thing is that you can also combine expressions like:

        hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)

    UPDATE for Spring Security 6.x

    adapt UserSecurity

    @Component
public class UserSecurity implements AuthorizationManager<RequestAuthorizationContext> {

    @Override
    public AuthorizationDecision check(Supplier authenticationSupplier, RequestAuthorizationContext ctx) {
        // get {userId} from the request
        Long userId = Long.parseLong(ctx.getVariables().get("userId"));
        Authentication authentication = (Authentication) authenticationSupplier.get();
        return new AuthorizationDecision(hasUserId(authentication, userId));
    }
    public boolean hasUserId(Authentication authentication, Long userId) {
        // do your check(s) here
        
    }

}

    and use this with requestMatchers

        @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, UserSecurity userSecurity) throws Exception {
        http.authorizeHttpRequests(
                auth -> {
                    auth
                        .requestMatchers("/users/{userId}/**").access(userSecurity)
                        ....;
                }
        )....;
        return http.build();
    }

```