How to restrict access by role to a Spring Data REST projection?

Question

In an application using Spring Data JPA and Spring Data REST, let's say you have an entity class like this:

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;

import com.fasterxml.jackson.annotation.JsonIgnore;

@Entity
public class Person {

   @Id @GeneratedValue
   private int id;

   private String name;

   // Excluded from the default REST representation
   @JsonIgnore
   private String superSecretValue;

   ...

}

We want Spring Data REST to expose all of this entity's fields EXCEPT for superSecretValue, and so we've annotated that field with @JsonIgnore.

However, in some cases we DO want access to superSecretValue, and so we create a projection that will return all of the fields including that one:

import org.springframework.data.rest.core.config.Projection;

@Projection(name = "withSecret", types = {Person.class})
public interface PersonWithSecret {

   String getName();
   String getSuperSecretValue();

}

Awesome. So now we can access Person entities including the superSecretValue field like this:

curl http://localhost:8080/persons?projection=withSecret

My question is how can we secure that projection? How can we configure things such that anyone can retrieve Person entities without the superSecretValue field... but only people with a certain role (say, ROLE_ADMIN) can use the projection to retrieve the hidden field?

I've found endless examples of using @PreAuthorize or @Secured annotations to secure Spring Data JPA repository CRUD methods (e.g. save(), delete())... but no examples of how to restrict usage of a Spring Data REST projection.

Answer
You can overload properties in projections using @Value with conditional SpEL expressions - as in this already answered similar question.

Consider other alternatives (others already mentioned):

  1. Model refactoring. Split the entity by access logic (e.g. Person <-> Account).
  2. Adding custom endpoints for special logic and access checks. For example, the current user at "/people/me".
  3. Customising standard endpoints. For example, add a custom controller for "/people" and "/people/{id}" that would preprocess and return a custom Resource type (DTO) depending on user authorities (e.g. returning PublicPerson instead of Person). Then you can write custom resource processors for adding custom links and custom projections for these types.

See also: issue on this subject from spring-data-rest DATAREST-428.
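The @Value approach from the answer, worked through as an added example (this is not code from the question or the answer, and not part of Spring Data itself). It assumes the Person entity has a getSuperSecretValue() getter behind the elided "..." (SpEL reads target.superSecretValue through it), that Spring Security is on the classpath, and introduces a hypothetical helper bean named projectionAccess that the SpEL expression references with the @beanName form Spring Data supports inside projection @Value expressions:

```java
// file: ProjectionAccess.java (hypothetical helper bean, assumed name "projectionAccess")
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component("projectionAccess")
public class ProjectionAccess {

    // True only when the current request's Authentication carries the given authority.
    // An anonymous or missing Authentication never qualifies.
    public boolean hasRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority granted : auth.getAuthorities()) {
            if (role.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

// file: PersonWithSecret.java (the projection from the question, with the secret gated by role)
import org.springframework.beans.factory.annotation.Value;
import org.springframework.data.rest.core.config.Projection;

@Projection(name = "withSecret", types = { Person.class })
public interface PersonWithSecret {

    String getName();

    // "target" is the Person instance being projected. The secret is read from it
    // only when the helper bean confirms ROLE_ADMIN; every other caller gets null,
    // so requesting ?projection=withSecret without the role leaks nothing.
    @Value("#{@projectionAccess.hasRole('ROLE_ADMIN') ? target.superSecretValue : null}")
    String getSuperSecretValue();
}
```

With this in place, `curl http://localhost:8080/persons?projection=withSecret` returns the real value only for an authenticated caller holding ROLE_ADMIN; anyone else still gets the projection, but with `"superSecretValue": null`. The check runs per entity at serialization time, so it also covers the projection being applied to collection and search results. If the requirement is instead that non-admins must not be able to select the projection at all (a 403 rather than a null field), that is the custom-controller route described in alternative 3 of the answer.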
