
I'm using Spring-Data-Rest and I want to secure the GET request of an entity only if one does not request a projection (since the projections hide all the sensitive stuff). e.g.:

import java.util.Optional;
import org.springframework.security.access.prepost.PostAuthorize;

public interface UsergroupRepository extends OwnableRepository<User> {
    // Only the owner may read the full entity; the check runs on the returned Optional
    @PostAuthorize("@userService.isMe(returnObject)")
    Optional<Usergroup> findById(Long id);
}

But this rule forbids access to the projections, too. So what can I do?

Bla Blubb
  • https://stackoverflow.com/questions/28794145/spring-data-rest-security-based-projection – identigral Aug 04 '19 at 19:23
  • Spring Security is protecting methods. I see only one method in your interface. If you have a second method, show that method. Is it in your `OwnableRepository` interface? – dur Aug 05 '19 at 08:24

1 Answer

import java.util.Optional;
import org.springframework.security.access.prepost.PostAuthorize;

public interface UsergroupRepository extends OwnableRepository<User> {
    // Full entity: guarded by the owner check
    @PostAuthorize("@userService.isMe(returnObject)")
    Optional<User> findById(Long id);

    // Projection: separate, unguarded query method returning only the projected fields
    Optional<UserProjection> findByIdWithProjection(Long id);
}

Do not add @Projection to the projection interface. Users don't need to know about it.

The only drawback is that the other endpoint will be different: /users/search/findByIdWithProjection (However, you can rename the endpoint with @RestResource.)

Selindek
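The approach from the answer, written out as an added example (not the answerer's code): a guarded findById next to an unguarded projection query renamed with @RestResource, plus the userService.isMe bean that the SpEL expression calls. JpaRepository stands in for the OwnableRepository of the question; UserService, UserProjection, getUsername and getDisplayName are assumptions, and the three types are shown in one listing but belong in separate files.

```java
// file: UserProjection.java
// Deliberately NOT annotated with @Projection, so it is not offered via
// ?projection=... on the guarded GET /users/{id}. Expose only getters that are
// safe for any caller; nothing sensitive (email, password hash) goes here.
public interface UserProjection {
    Long getId();
    String getDisplayName();      // assumed field
}

// file: UserRepository.java
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.prepost.PostAuthorize;

public interface UserRepository extends JpaRepository<User, Long> {

    // Full entity, GET /users/{id}: only the owner may read it.
    @Override
    @PostAuthorize("@userService.isMe(returnObject)")
    Optional<User> findById(Long id);

    // Public view, exported as GET /users/search/publicById?id=...
    // (the default path would be /users/search/findPublicById).
    @RestResource(path = "publicById")
    Optional<UserProjection> findPublicById(Long id);
}

// file: UserService.java
import java.util.Optional;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service("userService")   // bean name matches @userService in the SpEL expression
public class UserService {
    // returnObject is the Optional<User> from findById. An absent user is let
    // through so the client gets 404 instead of a 403 that reveals the id exists.
    public boolean isMe(Optional<User> returnObject) {
        if (returnObject.isEmpty()) {
            return true;
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null
            && auth.getName().equals(returnObject.get().getUsername());   // assumed field
    }
}
```

@PostAuthorize is only enforced when method security is enabled (e.g. @EnableMethodSecurity on a configuration class); without it the annotation is silently ignored and the entity endpoint stays open.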