Spring - How to protect RESTful private resources?

Question

I've some RESTful services, implemented with Spring MVC, exposing a set of resources. I already use authentication, based on HTTPBasicAuthentication and HTTPS. Some of the resources must be accessible only to some users.

For example, I want that all sub-resources in the URI /users/{userid}/photos are accessible only to the user userid. Actually in my application they are accessible to all authenticated users. How can I protect them from other users except userid? And what if I want to allow access to this resources only to a subset of users (like, for example, userid's friends)?

score 5 · Answer 1 · answered Jan 10 '13 at 14:37

5

you could do something like this on your method:

    @ResponseBody
    @RequestMapping(value = "/users/{userid}/photos", method = RequestMethod.GET)
    @Secured(value = {"userid"})
    public ResponseEntity<ModelMap> getPhotos(....) throws Exception {

you can add more users if you want in the future by just doing

    @Secured(value = {"ROLE_ADMIN", "userid"})

answered Jan 10 '13 at 14:37

justMe

2,200
16
20

Thanks, I was missing these Spring Security functionalities. – user1781028 Jan 10 '13 at 14:48
No worry, glad is useful for you :) – justMe Jan 10 '13 at 14:51
1

To be thorough, it's necessary to enable security annotation adding `` in the spring security context file. – user1781028 Jan 10 '13 at 14:56
are you sure it's possible to specify a value like `"userid"` in `@Secured` annotation? I can't get it working, and in all examples I've found it's used to specify a role, like `@Secured({ROLE_ADMIN})`. – user1781028 Jan 21 '13 at 11:47

score 1 · Answer 2 · edited May 23 '17 at 12:14

1

You can use custom security expression.

<security:intercept-url pattern="/users/{userid}/photos" access="getUserIdUrlPathParameter() == principal.userId"/>

See this post for how to do it.

edited May 23 '17 at 12:14

Community

1
1

answered Jan 10 '13 at 14:41

Maksym Demidas

7,707
1
29
36

score 0 · Answer 3 · edited May 23 '17 at 11:43

0

I would strongly suggest to use Spring Security. Using Spring security you can restrict access to a specific URL endpoints to principals owning specific roles.

See spring security intercept url roles

You can also use JSR-250 annotations: see http://forum.springsource.org/showthread.php?126395-How-to-secure-Spring-MVC-controllers-using-Spring-Security-annotations

--

I do not think you need to restrict the URL /resource/{user} to that specific user. You should deduct the user name from the security context and not let someone inject a specific use name by forging the URL...

edited May 23 '17 at 11:43

Community

1
1

answered Jan 10 '13 at 14:30

Alessandro Santini

1,943
13
17

Thank you for the answer, but @Razh's one was more specific. Moreover, from a RESTful point of view, it's more correct to have `/resource/{user}` to represent user's resources, rather than deduct the user identity from security context, also in the perspective that some roles (es. admin) can access even this resources. – user1781028 Jan 10 '13 at 14:43

score 0 · Accepted Answer · answered Jan 21 '13 at 12:07

I solved it by using @PreAuthorize("authentication.name == #userId"), instead of @Secured(value = {"userid"}) or @Secured(value = {"#userid"}) like suggested, that were not working.

Note it's necessary to add <security:global-method-security pre-post-annotations="enabled"/> to the servlet context configuration file.

Spring - How to protect RESTful private resources?

4 Answers4

Linked