0

I'm building a rest API with Spring Boot, Article entities have a status property of PUBLISHED or DRAFT. Drafts are restricted and only authenticated users can access them.

With spring-security-data and spring-boot-starter-security I can use @Query annotations on the ArticleRepository to filter or deny access to drafts.

@NoRepositoryBean
public interface PublishableEntityRepository<T, ID extends Serializable>
        extends PagingAndSortingRepository<T, ID> {

    @PostFilter("hasPermission(filterObject, 'read')")
    List<T> findAll();

    @PostAuthorize("hasPermission(returnObject, 'read')")
    T findOne(ID id);

    @Query("select o from #{#entityName} o where o.status = 'PUBLISHED' " +
            "or 1 = ?#{security.hasRole('ROLE_ADMIN') ? 1 : 0}")
    Page<T> findAll(Pageable var1);
}

This works as expected. The problem is when the endpoint for /categories/{id}/articles is requested. When this endpoint is requested, none of the @Pre/@Post annotations apply. In fact, ArticleRepository isn't accessed AFAIK.

My question is, how do I implement the same ACL to these related resources?

This example project will run out of the box https://github.com/jdgiotta/rest-security-example

John Giotta
  • 16,432
  • 7
  • 52
  • 82
  • _"ArticleRepository isn't accessed AFAIK."_ That should have been a hint to think about your design. `Category` is not an aggregate and cannot have any knowledge about articles. If you want all articles from a certain category use an appropriate query of `ArticleRepository`. – a better oliver Jun 04 '16 at 11:30
  • @zeroflagL thank you, but how? Have you looked at the source? – John Giotta Jun 04 '16 at 12:35
  • I'm not sure I understand your question. `ArticleRepository` could have a method `findByCategoryId` and the generated URL would be `/articles/search/findByCategoryId?id={id}´. – a better oliver Jun 04 '16 at 14:37
  • I don't want a search. I want the articles to be embedded in the uri I mentioned. – John Giotta Jun 04 '16 at 14:50

0 Answers0