My app wants to use the Spring REST library for getting and saving my Org objects. I've a CrudRepository extension that checks if the userId field matches that of the principal:
@RepositoryRestResource(path="org")
public interface OrgRepository extends CrudRepository<Org, Long> {
@Override
@PostAuthorize("returnObject.userId == principal.id || hasRole('ROLE_ADMIN')")
public Org findOne(@Param("id") Long id);
@Override
@PostFilter("filterObject.userId == principal.id || hasRole('ROLE_ADMIN')")
public Iterable<Org> findAll();
@Override
@SuppressWarnings("unchecked")
@PostAuthorize("reutrnObject.userId == principal.id || hasRole('ROLE_ADMIN')")
}
I've successfully tested this on Ajax request for:
- PUT /org/2, with field (userId: 2) when the principal has role ROLE_ADMIN.
- PUT /org/2, with field (userId: 2) when the principal is not admin and has (returnObject.userId == 2 and principal.id == 2).
- PUT /org/1, with field (userId: 1), when the principal is not admin and has (returnObject.userId == 1 and principal.id == 2). It fails with HTTP 403, which is desirable.
- POST /org, with field (userId: 2), when the principal is not admin.
The OrgRepository configuration seems to be working OK. However, I've one more concern. What if the browser user edits the POST so that its (userId: 99). Then user 2 has altered the data for some other user.
If I were using a controller with DAO classes I could use code to patch the uploaded data, so that the userId field was forced to match the principal.id value. But all I have here are annotations.
Is there a way to force (userId <-- principal.id) into my POST before it gets saved? Or is there another security scheme that I'm apparently unaware of that keeps me out of coding DAOs and controllers?
Thanks,
Jerome