How to configure Spring Boot Security so that a user is only allowed to update their own profile


Problem description


I have implemented the basic Spring Boot Security stuff in order to secure my web services. I know that you can grant access to some services only to some user roles, but is it also possible to grant access to a specified user (the user can be dynamic)?

Let's say we have a social app, where every user has their own profile. With the following REST service, they should be the only ones able to edit the profile:

@RestController
public class UserController {
    @RequestMapping(method = RequestMethod.PUT, path = "/user/{userId}", ...)
    public UserDetails updateUserDetails(@PathVariable("userId") String userId) {
        // code for updating the description for the specified user
    }
}

How can I ensure with Spring Security that only the user themselves can update their personal profile? Any other user should be rejected. Is there an elegant way to configure this behaviour?

I have tried to find a method for that inside my WebSecurityConfig, but with no success.

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // configure authorization for urls
            .authorizeRequests()
            // grant access to all users for root path and /home
            //.antMatchers("/", "/home").permitAll()
            // here i would like to grant access in the way, that only the user is allowed to perform this request by calling url with his userId
            // (.authenticated() only requires a logged-in user; it does not tie the request to a specific userId)
            .antMatchers(HttpMethod.PUT, "/user/<userId>").authenticated()
            .and().httpBasic();
    }
}

What is a good approach to implement this behaviour?

Solution

I think that the best way to implement something like this would be to inject the Principal (the object containing the user that is logged in for this request) into the controller and then check whether the user id or username matches.

@RestController
public class UserController {
    @RequestMapping(method = RequestMethod.PUT, path = "/user/{userId}", ...)
    public UserDetails updateUserDetails(@PathVariable("userId") String userId, Principal principal) {

        // The injected Principal is the Authentication; the UserDetails is its principal
        CustomUserDetails userDetails = (CustomUserDetails) ((Authentication) principal).getPrincipal();
        if (userDetails.getUserId().equals(userId)) {
            // Update the user
        }
    }
}

Note that you will need a custom UserDetails implementation if you want to add the user id, because it only provides the username by default. Check this question if you want to know how.
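The following is an added, self-contained example (not code from the question or the answer) showing the ownership check the answer describes in two forms: an explicit comparison in the handler, and the same rule expressed with Spring method security. `CustomUserDetails` is an assumed name, the in-memory `descriptions` map stands in for a real user repository, and the second variant assumes `@EnableGlobalMethodSecurity(prePostEnabled = true)` is present on a configuration class and that the project compiles with `-parameters` (Spring Boot's build plugins do so by default).

```java
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical UserDetails that carries a stable user id next to the username
// (assumed class name; the answer only says a custom UserDetails is needed).
class CustomUserDetails extends User {
    private final String userId;

    CustomUserDetails(String userId, String username, String password,
                      Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.userId = userId;
    }

    public String getUserId() {
        return userId;
    }
}

@RestController
public class UserController {

    // Constructed in-memory store standing in for a real user repository.
    private final Map<String, String> descriptions = new ConcurrentHashMap<>();

    // Variant 1: imperative ownership check, as the answer suggests.
    // @AuthenticationPrincipal hands us Authentication.getPrincipal() directly,
    // so no cast from Principal is needed; it is null for anonymous requests.
    @PutMapping("/user/{userId}")
    public String updateDescription(@PathVariable("userId") String userId,
                                    @RequestBody String description,
                                    @AuthenticationPrincipal CustomUserDetails me) {
        // Authorize on the id that comes from the authenticated session; the
        // path segment is chosen by the caller and must never be trusted alone.
        if (me == null || !me.getUserId().equals(userId)) {
            // Spring Security translates this into an HTTP 403 response.
            throw new AccessDeniedException("users may only update their own profile");
        }
        descriptions.put(userId, description);
        return descriptions.get(userId);
    }

    // Variant 2: the same rule declared on the method. "#userId" binds the
    // method parameter, "principal" is the CustomUserDetails, and
    // "principal.userId" resolves to getUserId(). A mismatch is rejected
    // before the body runs, so the handler contains no authorization logic.
    @PreAuthorize("#userId == principal.userId")
    @PutMapping("/user/{userId}/description")
    public String updateDescriptionDeclarative(@PathVariable("userId") String userId,
                                               @RequestBody String description) {
        descriptions.put(userId, description);
        return descriptions.get(userId);
    }
}
```

Both variants keep the URL-level rules in `WebSecurityConfig` limited to "must be authenticated" and move the per-user decision to where the user id is known. The declarative form is easier to audit across many endpoints; the imperative form is useful when the rule needs data that is not on the principal (for example an admin override looked up from a repository).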
