
I am building a cloud-based application using Spring, Spring Security, Hibernate and OAuth.

  • It has different products and each product has multiple modules. Modules also have multiple functionalities.
  • Clients have to subscribe to each product independently to use them.
  • Each client can have multiple users, and the client will have to give its users access to the product.

  • Clients have to select a package (silver, gold, ...) while subscribing to each product.

  • A package will have the module details and the number of users allowed for each product, and a client user will be able to access only the modules (of the selected package) which the client is subscribed to and the user has access to.

I have to create REST APIs for each functionality.

Problem: I am using Spring OAuth2 to secure my APIs so only registered clients and their users can access them, but they can access all the APIs. I should allow clients to access only those APIs which they have access to / are subscribed to. How can I achieve that in Spring?

Currently I am planning to use interceptors, but that highly depends on the URL pattern, so for each product and module I will be having a different interceptor.

URL pattern : http://abc/rest/PRODUCT/MODULE/..

Is there a better way to implement it?

1 Answer


You can choose another way, which might be better as you don't have to write custom URL interceptors.

You can use Spring Security with its @Secured({"ROLE"}) or @PreAuthorize annotations, for which you can create roles for each product and give the clients the roles for which they subscribed. You can find more information about this annotation and how it works here.

For @Secured and @PreAuthorize to work, you need to have the annotation @EnableGlobalMethodSecurity on the Spring Boot context class.

Hope it helps.

Turbut Alin
  • Thanks for the reply. Please check, I have edited the question. What if the products are different applications on different servers (resource servers)? How will @Secured help? I have multiple users within clients. Should I assign access to them as well? – Shankari vatsalkumar Feb 07 '17 at 08:38
  • Are you using a microservice architecture? It depends on your architecture, but eventually every logged-in user should get the corresponding roles (of the client which they are assigned to). – Turbut Alin Feb 07 '17 at 15:48
  • Yes, it is a microservice architecture. Sorry, I am relatively new to Spring and Spring Security. I understand that we can implement it the way you suggested. But I want to restrict access at product level and module level. Would I have to create roles for each module as well? A user can have access to multiple modules, so every time a client subscribes to a new product, I have to add roles to the user, right? Also, users are authenticated using an OAuth token. How would I get user access from the OAuth token? – Shankari vatsalkumar Feb 07 '17 at 16:32
  • If you are using a microservice architecture, I guess you have an authorization server or something like that, where you can make HTTP calls to validate your OAuth token. This should return user info and authorization. Every service you have should take care of itself on the authorization part, but your roles are shared among services (i.e. a user can have roles from multiple services). And yes, you have to add roles to each user every time its authorization changes (you give them access to a new module/product). – Turbut Alin Feb 08 '17 at 07:02
  • Have a look here: https://spring.io/guides/tutorials/spring-security-and-angular-js/ It is a bit different from what you need, but maybe you can understand the problem better. – Turbut Alin Feb 08 '17 at 07:05
  • Thanks for your help. Role-based authorization seems a much better approach than creating interceptors. – Shankari vatsalkumar Feb 13 '17 at 08:26
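Spelling out the answer's suggestion as an added example (not code from the question, the answer or any project): a single method-security rule, parameterized on the product and module path segments, covers the whole http://abc/rest/PRODUCT/MODULE/.. pattern without an interceptor per product or module. The authority naming PRODUCT_<product> / MODULE_<product>_<module>, and the helper that builds those authorities when a client subscribes, are assumptions; the resource server is assumed to receive them as the token's granted authorities.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Turns on @PreAuthorize / @Secured evaluation for every bean in this resource server.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
class MethodSecurityConfig {
}

// Assumed authority scheme: one PRODUCT_* authority per subscribed product (client level)
// and one MODULE_* authority per module the client has granted to this user (user level).
// This is what the authorization server would hand out every time a subscription changes.
class SubscriptionAuthorities {
    static List<GrantedAuthority> forUser(String product, Set<String> modulesGrantedToUser) {
        List<GrantedAuthority> result = new ArrayList<>();
        result.add(new SimpleGrantedAuthority("PRODUCT_" + product.toUpperCase()));
        for (String module : modulesGrantedToUser) {
            result.add(new SimpleGrantedAuthority(
                    "MODULE_" + product.toUpperCase() + "_" + module.toUpperCase()));
        }
        return result;
    }
}

@RestController
@RequestMapping("/rest")
class ModuleResource {
    // Product-level AND module-level check from the path itself: the same rule serves every
    // product and module, so nothing needs to change here when a new product is added.
    // @P names the parameters for SpEL (unneeded if the build compiles with -parameters).
    @PreAuthorize("hasAuthority('PRODUCT_' + #product.toUpperCase()) and "
                + "hasAuthority('MODULE_' + #product.toUpperCase() + '_' + #module.toUpperCase())")
    @GetMapping("/{product}/{module}/items")
    public List<String> listItems(@P("product") @PathVariable String product,
                                  @P("module") @PathVariable String module) {
        return Collections.singletonList(product + "/" + module + "/item-1");
    }
}
```

A request to /rest/crm/reports/items is denied with 403 unless the token carries both PRODUCT_CRM and MODULE_CRM_REPORTS, so a module the client's package does not include, or one the client never granted to that user, is rejected before the handler runs.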