
I'm building an Angular/Spring Boot fullstack project with MongoDB. But I have a security issue regarding access to data that doesn't belong to the current user. For example, if I have a URL /mydata/123, then the current user could use a random id in the URL like /mydata/7865 and access data that doesn't belong to him.

Here is a data model example:

mydatamodel {
    id
    criticaldata
}

How do I avoid this use case, and what are the best practices for this, please? Thanks.

jonn
  • You also may change your URI to `/mydata` and get Logged user from [SecurityContextHolder](https://stackoverflow.com/a/31160173/3710490) – Valijon Jul 04 '20 at 08:28

1 Answer

You have access to the current logged-in user via `principal` in SpEL, and you also have access to the userId as it is a request param. Then you run your rule in a bean.

@PreAuthorize("@userIdAccessCheckService.hasAccessTo(principal, #userId)")
@GetMapping("/user/{userId}")
// userId is a path segment of /user/{userId}, so it is bound with @PathVariable,
// not @RequestParam (which would only read ?userId=... from the query string)
public void yourRestControllerMethod(@PathVariable("userId") String userId) {
    // ...
}

@Service
public class UserIdAccessCheckService {

    // In this method, you can run your rule and check
    // if the logged in person has access to userId
    public boolean hasAccessTo(User principal, String userId) {
        // .... your rule goes here
    }
}

Note

There is some downside to it if you allow the controller method but want to show/hide some sections on that page based on a similar rule. Since that is not in the question, this is fine.
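An added, self-contained version of the pattern above for the question's own /mydata/{id} route (example code, not the answerer's): it keeps the @PreAuthorize gate and also scopes the MongoDB read itself to the caller, so an id guessed from another user never matches. It assumes a Spring Boot app with spring-boot-starter-security and spring-boot-starter-data-mongodb, method security enabled, and a hypothetical MyData document whose ownerId field holds the owner's username.

```java
import java.util.Optional;
import org.springframework.data.annotation.Id;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical document; ownerId is the owner's username, set when the record is created.
class MyData {
    @Id public String id;
    public String ownerId;
    public String criticalData;
}
interface MyDataRepository extends MongoRepository<MyData, String> {
    // Derived query: the owner filter is part of the query, so a foreign id
    // matches nothing instead of returning another user's document.
    Optional<MyData> findByIdAndOwnerId(String id, String ownerId);
}
@Service("myDataAccess")
class MyDataAccessService {
    private final MyDataRepository repo;
    MyDataAccessService(MyDataRepository repo) { this.repo = repo; }

    // Called from @PreAuthorize. principal is typed Object because Spring binds the
    // String "anonymousUser" for unauthenticated requests; those must be denied too.
    public boolean owns(Object principal, String id) {
        return principal instanceof UserDetails
            && repo.findByIdAndOwnerId(id, ((UserDetails) principal).getUsername()).isPresent();
    }
}

@RestController
class MyDataController {
    private final MyDataRepository repo;
    MyDataController(MyDataRepository repo) { this.repo = repo; }

    // @PathVariable, not @RequestParam: /mydata/7865 binds "7865" to id.
    @PreAuthorize("@myDataAccess.owns(principal, #id)")
    @GetMapping("/mydata/{id}")
    public MyData get(@PathVariable String id, @AuthenticationPrincipal UserDetails user) {
        // The read is also scoped to the caller, so a forgotten annotation on a future
        // endpoint still cannot leak a foreign record; 404 avoids confirming the id exists.
        return repo.findByIdAndOwnerId(id, user.getUsername())
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```

Resolving `#id` in the SpEL expression needs method parameter names at runtime, which Spring Boot's Maven and Gradle plugins provide by compiling with `-parameters`.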