I have some rest api like this:
/users/{user_id}
/users/{user_id}/orders
/users/{user_id}/orders/{order_id}
How I must secure them? every user must see only her/his data, But admin can see all of them.
How & What I must implement in Spring Security that User by Id == 1 can't see data of user by Id == 2 and vice versa, expect users by role admin that can see all?
Do I check before every method User Id in session is equail with user_id param passed to api? is there a better way?
p.s: I use JWT by spring security.
In any @Controller
, @RestController
annotated bean you can use Principal
directly as a method argument.
@RequestMapping("/users/{user_id}")
public String getUserInfo(@PathVariable("user_id") Long userId, Principal principal){
// test if userId is current principal or principal is an ADMIN
....
}
If you don't want the security checks in your Controller
s you could use Spring EL expressions.
You probably already use some build-in expressions like hasRole([role])
.
And you can write your own expressions.
bean
@Component("userSecurity")
public class UserSecurity {
public boolean hasUserId(Authentication authentication, Long userId) {
// do your check(s) here
}
}
http
.authorizeRequests()
.antMatchers("/user/{userId}/**")
.access("@userSecurity.hasUserId(authentication,#userId)")
...
The nice thing is that you can also combine expressions like:
hasRole('admin') or @userSecurity.hasUserId(authentication,#userId)
UPDATE for Spring Security 6.x
adapt UserSecurity
@Component
public class UserSecurity implements AuthorizationManager<RequestAuthorizationContext> {
@Override
public AuthorizationDecision check(Supplier authenticationSupplier, RequestAuthorizationContext ctx) {
// get {userId} from the request
Long userId = Long.parseLong(ctx.getVariables().get("userId"));
Authentication authentication = (Authentication) authenticationSupplier.get();
return new AuthorizationDecision(hasUserId(authentication, userId));
}
public boolean hasUserId(Authentication authentication, Long userId) {
// do your check(s) here
}
}
and use this with requestMatchers
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http, UserSecurity userSecurity) throws Exception {
http.authorizeHttpRequests(
auth -> {
auth
.requestMatchers("/users/{userId}/**").access(userSecurity)
....;
}
)....;
return http.build();
}
```