
This is a representative example:

There is an admin user A and a normal user B.

A can see and change x,y,z.

B can see x,y (not z) and change x (not y,z) only when z has certain value.

public class U{
    private Long id;
    private String x;
    private String y;
    private String z;
    [... getter and setter]
}

The question is how to realize this with Spring Data Rest generically. ResourceProcessor only seems to be applicable for links, and a Validator can't see if a user has changed a field...

I have implemented an Attribute-Based Access Control, so I can easily create and save roles, permissions and policies (using SpEL) in the database, which determine who can see and change a specific field.

Update 1

I've added a Jackson BeanSerializerModifier to filter attributes, but there is the problem that I don't know the original (database) value of z and can't check if B has permission to change x.

Update 2

I've added a custom Jackson Std(De)Serializer, but now I can't use it for every entity dynamically, because I had to write the complete (de)serializer for each entity.

Update 3

After two weeks with many unsuccessful attempts to solve this problem, I am going to try to integrate filters into SDR.

Update 4

While I added a filter for PUT and PATCH requests, I realized that https://jira.spring.io/browse/DATAREST-373 and https://jira.spring.io/browse/DATAREST-428 would be better solutions. Now I'm going to find solutions for them.

benkuly

1 Answer


Maybe you can use @JsonView to describe what you can read and what you can write from a DTO ? http://www.baeldung.com/jackson-json-view-annotation

So you will have one view for admin and one view for simple user.

Oreste Viron
  • That's not generic. I am not looking for a hardcoded solution. Then I would manually write controllers. – benkuly Apr 11 '17 at 09:43
  • The cleaner way to do this, I think, is to add annotations with spring-spel expressions on each field and create a custom jackson serializer/deserializer to process each field individually. For example: @Deserialize("hasRole('ADMIN')") private String x; But a lot of work is expected. – Oreste Viron Apr 11 '17 at 13:06
  • But doing this for each field is also very redundant. (De)Serializers are actually my favourites for finding a solution, but I just wanted to extend the default SDR (de)serializer and failed... – benkuly Apr 11 '17 at 13:14
  • Hey, I have possibly found something that matches your requirements: http://stackoverflow.com/questions/17276081/spring-3-2-filtering-jackson-json-output-based-on-spring-security-role Read rcomblen's answer. – Oreste Viron Apr 13 '17 at 15:38
  • My roles and permissions are dynamic (e.g. an "admin" can create a new role "bla", which is saved in database) and therefore hardcoded interfaces can't solve my problem. Thanks anyway! – benkuly Apr 13 '17 at 16:25
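The following is an added, stand-alone example written for this page; it is not code from the question, its author, the answer, or Spring Data REST. It shows the two generic pieces the question's updates and the comment thread circle around: a single Jackson property filter driven by a role-to-fields mapping (the dynamic counterpart of the per-role @JsonView the answer proposes, needing no per-entity serializer), and a PATCH check that merges the request body into a copy of the stored entity, derives which fields actually changed, and evaluates each write rule against the original database values (the missing piece noted in Update 1). Assumptions: Java 11+ and Jackson 2.x on the classpath; the `POLICIES` map, the `"open"` value of z, the role names and the `FieldPolicy` class are constructed stand-ins for the database-backed roles and SpEL policies the question describes, with a plain `Predicate` where the real system would evaluate a SpEL expression; the class is not wired into SDR, so the request bodies are literal JSON strings.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.annotation.PropertyAccessor;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

import java.lang.reflect.Field;
import java.util.*;
import java.util.function.Predicate;

public class FieldPolicyDemo {

    /** The entity from the question; Jackson is configured for field access, so no getters/setters here. */
    static class U {
        private Long id;
        private String x;
        private String y;
        private String z;
    }

    /** Constructed stand-in for the database-backed policies: readable fields per role, and for each
     *  writable field a rule evaluated against the STORED entity (a Predicate here; SpEL in the real system). */
    static class FieldPolicy {
        final Set<String> readable;
        final Map<String, Predicate<U>> writable;
        FieldPolicy(Set<String> readable, Map<String, Predicate<U>> writable) {
            this.readable = readable;
            this.writable = writable;
        }
    }

    static final Map<String, FieldPolicy> POLICIES = Map.of(
        "ADMIN", new FieldPolicy(Set.of("id", "x", "y", "z"),
                 Map.<String, Predicate<U>>of("x", u -> true, "y", u -> true, "z", u -> true)),
        // B sees x,y (not z) and may change x only while z has the constructed value "open"
        "USER",  new FieldPolicy(Set.of("id", "x", "y"),
                 Map.<String, Predicate<U>>of("x", u -> "open".equals(u.z))));

    /** Mix-in applied to Object, so every bean gets the named filter without a per-entity serializer. */
    @JsonFilter("fieldPolicy")
    static class FilterMixIn {}

    /** Unfiltered mapper for reading request bodies and copying entities. */
    static ObjectMapper baseMapper() {
        ObjectMapper m = new ObjectMapper();
        m.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
        return m;
    }

    /** Response mapper whose filter keeps only the fields the given role may read. */
    static ObjectMapper responseMapper(String role) {
        ObjectMapper m = baseMapper();
        m.addMixIn(Object.class, FilterMixIn.class);
        m.setFilterProvider(new SimpleFilterProvider().addFilter("fieldPolicy",
            SimpleBeanPropertyFilter.filterOutAllExcept(POLICIES.get(role).readable)));
        return m;
    }

    /** Merge a PATCH body into a copy of the stored entity and report which fields actually changed. */
    static Set<String> changedFields(U stored, String patchJson) throws Exception {
        ObjectMapper m = baseMapper();
        // unfiltered round trip = deep copy, so the comparison sees z even for a role that cannot read it
        U copy = m.readValue(m.writeValueAsString(stored), U.class);
        U patched = m.readerForUpdating(copy).readValue(patchJson);
        Set<String> changed = new TreeSet<>();
        for (Field f : U.class.getDeclaredFields()) {
            f.setAccessible(true);
            if (!Objects.equals(f.get(stored), f.get(patched))) changed.add(f.getName());
        }
        return changed;
    }

    /** Every changed field needs a write rule for the role, and the rule is evaluated on the ORIGINAL values. */
    static boolean mayWrite(String role, U stored, Set<String> changed) {
        FieldPolicy policy = POLICIES.get(role);
        for (String field : changed) {
            Predicate<U> rule = policy.writable.get(field);
            if (rule == null || !rule.test(stored)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        U stored = new U();
        stored.id = 1L; stored.x = "a"; stored.y = "b"; stored.z = "open";

        // read side: the admin view carries z, the user view does not
        System.out.println("ADMIN view: " + responseMapper("ADMIN").writeValueAsString(stored));
        System.out.println("USER view:  " + responseMapper("USER").writeValueAsString(stored));

        // write side: constructed PATCH bodies from user B while z is "open"
        for (String patch : List.of("{\"x\":\"changed\"}", "{\"y\":\"changed\"}", "{\"z\":\"locked\"}", "{\"x\":\"a\"}")) {
            Set<String> changed = changedFields(stored, patch);
            System.out.println("USER " + patch + " changed=" + changed + " allowed=" + mayWrite("USER", stored, changed));
        }
        // once z is no longer "open", B may not change x any more
        stored.z = "locked";
        Set<String> changed = changedFields(stored, "{\"x\":\"changed\"}");
        System.out.println("USER {\"x\":\"changed\"} with z=locked allowed=" + mayWrite("USER", stored, changed));
    }
}
```

Two design points worth noting. The write check is computed from the diff, not from the presence of a key: a body that repeats the stored value of a field it may not change is not a change and passes, while a body that sets z is rejected for USER because no write rule exists for it, which also covers fields the role cannot even read. The rule for x reads z from the stored entity, not from the merged one, so a client cannot unlock x by sending a new z in the same request; in a Spring Data REST setup this check belongs where the stored entity is still at hand, i.e. in the PUT/PATCH handling the question's Update 4 refers to, before the merged object is saved.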