Spring Boot and JPA Repository -- how to filter a GET by ID


Question

I'm rewriting an application, this time using a RESTful interface from Spring. I'm presuming that server-side authorization is best. That is:

  • Suppose user 1 works this REST repository. He/she accesses mysite.com/heroes/1 and gets the (id = 1) hero from the hero table.

  • User 2 doesn't have rights to see the (id = 1) hero, but could craft a cURL statement to try anyway. I claim the server should prevent user 2 from accessing the (id = 1) hero.

I believe that the server can extract a JWT payload that gives me the user name or password (I put it in there). From that payload the server fetches the user's account and knows which heroes he/she is entitled to see.

I have already accomplished this goal through services and DAO classes. However, the Spring Boot and JPA tutorials I see promote using CrudRepository implementations to reduce coding. I'd like to know how to do my filtering using this technology.

Here is an example from the web:

@RepositoryRestResource(collectionResourceRel = "heroes", path = "heroes")
public interface HeroRepository extends CrudRepository<Hero, Long> {
}

When mysite.com/heroes/1 is accessed it automagically returns the data from hero (id = 1). I'd like to instruct it to let me choose which ID values to permit. That is, at runtime a query parameter is provided to it through code.

As a test I provided this code:

import java.util.List;

import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource(collectionResourceRel = "heroes", path = "heroes")
public interface HeroRepository extends CrudRepository<Hero, Long> {

    // Extra query method: Spring Data REST exports it under /heroes/search/get,
    // but the item resource /heroes/{id} still uses the stock lookup method.
    @Query("select h from Hero h where h.id in (1, 3, 5)")
    List<Hero> get();
}

However, it doesn't block mysite.com/heroes/2 from returning the (id = 2) hero.

How do I get to my desired goal?

Thanks, Jerome.

Update 5/13, 5:50 PM

My request is being misunderstood, so I further explain my intent.

  • Users 1 and 2 are ordinary users accessing their own accounts.
  • Each user must be confined to his/her own account.
  • A user must not be able to cheat by crafting requests for other people's data.

Thus the need for the server to extract a user ID, or such, from a JWT token and apply it in code to whatever causes the /heroes query to work.

My original example originated with this tutorial. In it the only Java classes are Hero and HeroRepository. There are no explicit classes for DAO, services or controllers. The included Spring libraries let all of the /heroes fetching occur without further coding.

Thanks again for all of your interest and help. Jerome.

Answer

You can create a custom @Query that uses information (here: id) of the logged-in user. With this solution a user only has access to an entity with the same id as he has.

// ?1 is the id from the path; ?#{principal.id} is the authenticated user's id (SpEL).
// On Spring Data 2.x override Optional<Hero> findById(Long id) instead of findOne.
@Override
@Query("SELECT h FROM Hero h WHERE h.id = ?1 AND h.id = ?#{principal.id}")
public Hero findOne(Long id);

You need to enable SpEL for @Query (link) and create a custom UserDetailsService (link) with a custom UserDetails that contains the id of the user, so you can do principal.id.

In the same way you should secure the findAll() method.
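Putting the answer together as a complete, added example (this is not the answer's or the question's own code). It assumes Spring Boot with Spring Data JPA 2.x, Spring Data REST and spring-security-data on the classpath, a Hero entity with a Long id and a ManyToOne owner field pointing at the user entity, and that authentication already yields an AppUser principal (the JWT filter from the question would construct one). The class names, the com.example.heroes package and the owner field are assumptions. It goes one step beyond the answer: rather than requiring the hero's id to equal the user's id, it scopes rows by an owner column, which is what "each user confined to his/her own account" usually means.

```java
// --- AppUser.java (assumed name): UserDetails that also exposes the user's database id
package com.example.heroes;  // assumed package

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;

public class AppUser extends User {
    private final Long id;

    public AppUser(Long id, String username, String password,
                   Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.id = id;
    }

    // Referenced from @Query as ?#{principal.id}
    public Long getId() {
        return id;
    }
}

// --- SecurityQueryConfig.java (assumed name): makes 'principal' usable inside @Query SpEL
package com.example.heroes;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

@Configuration
public class SecurityQueryConfig {
    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}

// --- HeroRepository.java: the repository from the question with both read paths scoped to the caller
package com.example.heroes;

import java.util.List;
import java.util.Optional;

import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;

@RepositoryRestResource(collectionResourceRel = "heroes", path = "heroes")
public interface HeroRepository extends CrudRepository<Hero, Long> {

    // GET /heroes/{id}: ?1 is the path id, ?#{principal.id} the authenticated user's id.
    // A row that exists but belongs to someone else yields an empty Optional, i.e. 404,
    // which also avoids revealing whether that id exists at all.
    @Override
    @Query("select h from Hero h where h.id = ?1 and h.owner.id = ?#{principal.id}")
    Optional<Hero> findById(Long id);

    // GET /heroes: only the caller's rows (List is a covariant override of Iterable<Hero>).
    @Override
    @Query("select h from Hero h where h.owner.id = ?#{principal.id}")
    List<Hero> findAll();
}
```

With both overrides in place, a request for /heroes/2 carrying user 1's JWT returns 404 instead of user 2's hero, and /heroes lists only user 1's rows. Only the read methods are covered: save and deleteById are still the stock implementations, so PUT, PATCH and DELETE on /heroes/{id} need their own guard, for example @PreAuthorize on those repository methods (with method security enabled) or @RestResource(exported = false) on methods that should not be reachable over HTTP at all.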
