
I am currently using the latest Spring Data REST over JPA to generate the HATEOAS HAL-based REST API for my persistence layer, which we expose to external clients. The solution works well, but is there a way where, based on roles, I can restrict access to fields depending on the user? I was wondering if we can use @JsonView with Spring Data REST like we do with Spring MVC via @ResponseView. But is there a way or hook to do the same in Spring Data repositories to provide me role-based API access?

Gaurav Rawat
  • It's not out of the box. You have to customize: http://stackoverflow.com/questions/17276081/spring-3-2-filtering-jackson-json-output-based-on-spring-security-role – ArunM Jun 06 '15 at 07:17
  • Thanks @ArunM, that helped, but I was using Spring Data REST with JPA to generate HAL-based services out of the box. I was looking to see if they had a hook in those to support JsonView as well. The Spring Security role to JSON view thing I think can still be managed. – Gaurav Rawat Jun 06 '15 at 15:39
  • You can also think of projection as an approach, though again integrating with Spring Security will be a problem. – ArunM Jun 06 '15 at 16:20
  • I found one more question related to this, but again no solution. Just for your reference: http://stackoverflow.com/questions/28794145/spring-data-rest-security-based-projection – ArunM Jun 06 '15 at 16:21
  • Yeah, seems a hack. Hope someone from the Spring Data team at least gives a hook for JsonView support, and then it could be a much cleaner way to work it out. I think else I need to go for a more custom approach with pure RestControllers. I also think it is a plausible use case to have role-based access to REST resources if you are exposing an API. – Gaurav Rawat Jun 06 '15 at 17:32
  • What route did you go for role-based resource access? – Eric Kim Dec 08 '15 at 01:05
  • Hi, I used a custom Jackson module to bring the list of fields to be shown based on role (ideally from a data store). The Spring Security roles dictate the access and fetch data from those tables, which is then used in the Jackson modifier to remove fields from the response. – Gaurav Rawat Dec 12 '15 at 14:17
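
The approach described in the last comment (a Jackson module whose serializer modifier drops fields according to the caller's Spring Security roles) can look like the following. This is an added example, not the commenter's code: `RoleFieldModule`, the `Customer` properties and the role names are hypothetical, the rules are a constructed in-memory map rather than a data store, and registering the module with the `ObjectMapper` that serves the REST responses is assumed.

```java
// Added example (hypothetical names); needs jackson-databind 2.x and spring-security-core.
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.BeanDescription;
import com.fasterxml.jackson.databind.SerializationConfig;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.ser.BeanPropertyWriter;
import com.fasterxml.jackson.databind.ser.BeanSerializerModifier;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RoleFieldModule extends SimpleModule {
    // Constructed rules: "EntitySimpleName.property" -> roles allowed to see it.
    // Properties without a rule stay visible to everyone.
    private static final Map<String, Set<String>> RULES = Map.of(
            "Customer.ssn", Set.of("ROLE_ADMIN"),
            "Customer.creditLimit", Set.of("ROLE_ADMIN", "ROLE_FINANCE"));

    public RoleFieldModule() {
        setSerializerModifier(new BeanSerializerModifier() {
            @Override
            public List<BeanPropertyWriter> changeProperties(SerializationConfig config,
                    BeanDescription beanDesc, List<BeanPropertyWriter> props) {
                // Called once per type because serializers are cached: wrap the
                // writers here and take the role decision per request in the writer.
                props.replaceAll(w -> {
                    Set<String> roles = RULES.get(beanDesc.getBeanClass().getSimpleName() + "." + w.getName());
                    return roles == null ? w : new Guarded(w, roles);
                });
                return props;
            }
        });
    }

    static final class Guarded extends BeanPropertyWriter {
        private final Set<String> roles;
        Guarded(BeanPropertyWriter base, Set<String> roles) { super(base); this.roles = roles; }

        @Override
        public void serializeAsField(Object bean, JsonGenerator gen, SerializerProvider prov) throws Exception {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // Fail closed: no authentication or no matching authority omits the field.
            boolean allowed = auth != null && auth.isAuthenticated()
                    && auth.getAuthorities().stream().anyMatch(a -> roles.contains(a.getAuthority()));
            if (allowed) super.serializeAsField(bean, gen, prov);
        }
    }
}
```

This only filters serialized output; incoming PUT/PATCH bodies are not restricted by it and need their own write-side check.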
