I'm using spring-data-rest with spring-security.

Suppose I have this model:

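```java
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

@Entity
public class Item {
    private @Id @GeneratedValue Long id;
    private String description;
    private String username; // owner of the item, compared with principal.username
}
```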

Its repository:

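```java
import org.springframework.data.repository.CrudRepository;
import org.springframework.security.access.prepost.PostFilter;

public interface ItemRepository extends CrudRepository<Item, Long> {
    // Drop every returned item whose username differs from the caller's.
    @Override
    @PostFilter("filterObject.username == principal.username")
    Iterable<Item> findAll();
}
```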

The `findAll()` method worked; it returns only the items which belong to the username.

Question 1: How do I override the `save()` method so that a user can save an item only if it belongs to him?

```java
@Override
<S extends Item> S save(S s);
```

Question 2: Currently I use many `@PostFilter` annotations, one for each method like `findAll` and `findOne`... How do I restrict the whole repository's items to the user at once, with one annotation at the repository level? I saw this answer, but I also want to ask for a prettier solution.

Akivamu
  • 1. Use event handler instead: http://docs.spring.io/spring-data/rest/docs/current/reference/html/#events – Cepr0 Feb 13 '17 at 23:01
  • I can't find an event for the `find` action. Does it support events like BeforeFind or AfterFind? – Akivamu Feb 14 '17 at 01:36
  • No, it doesn't. If you need to implement security in your project see this tutorial: https://spring.io/guides/tutorials/react-and-spring-data-rest/#react-and-spring-data-rest-part-5 – Cepr0 Feb 14 '17 at 06:35
  • Thank you very much for the link. I finally did it like `@PreAuthorize("#entityName?.username == principal?.username")` – Akivamu Feb 14 '17 at 13:57

0 Answers
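The `@PreAuthorize` approach from the last comment, written out for the whole `Item` repository as an added example (not the asker's code and not taken from the linked tutorial). It assumes the Spring Data 1.x method names used in the question (`findOne`, `delete(ID)`), a `getUsername()` accessor on `Item`, a `UserDetails` principal, and method security enabled with `prePostEnabled = true`.

```java
// Added example. Assumptions: Spring Data 1.x CrudRepository method names,
// Item exposes getUsername(), the principal is a UserDetails, and
// @EnableGlobalMethodSecurity(prePostEnabled = true) is active.
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

public interface ItemRepository extends CrudRepository<Item, Long> {

    // Collection read: drop every element the caller does not own.
    @Override
    @PostFilter("filterObject.username == principal.username")
    Iterable<Item> findAll();

    // Single read: the query runs, then the result is rejected unless the
    // caller owns it. null passes so a missing id is not reported as denied.
    @Override
    @PostAuthorize("returnObject == null or returnObject.username == principal.username")
    Item findOne(@Param("id") Long id);

    // Create/update: evaluated before the write, against the object being
    // saved. It compares the username carried by that object, not the owner
    // stored in the database, so the read methods should be guarded too.
    @Override
    @PreAuthorize("#item?.username == principal?.username")
    <S extends Item> S save(@Param("item") S item);

    // Delete by id: load the row and compare its stored owner.
    // 'itemRepository' is the default bean name for this interface.
    @Override
    @PreAuthorize("@itemRepository.findOne(#id)?.username == principal?.username")
    void delete(@Param("id") Long id);

    // Delete by entity: same ownership test as save().
    @Override
    @PreAuthorize("#item?.username == principal?.username")
    void delete(@Param("item") Item item);
}
```

On Spring Data 2.x and later the overridden lookups are `findById` (returning `Optional<Item>`) and `deleteById`, so the expressions need adjusting accordingly.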