
We have a solution implemented based on this article and this post. Now we need to enhance this solution. Here is the use case.

There are various permissions like CREATE_USER, CREATE_ORG, etc. But based on user roles we need to apply certain restrictions. For example, ROLE_ADMIN as well as ROLE_ORG_ADMIN can create users. But ROLE_ORG_ADMIN can only create users with some specific permission (or ROLE_ORG_ADMIN should not be able to create a user with ROLE_ADMIN privileges).

  1. ROLE is simply a group of permissions
  2. A user is associated with a role, and on login org.springframework.security.core.userdetails.User.authorities is set with permissions instead of the ROLE.

We have a REST application with token-based authentication.

@RequestMapping(value = "/users",
     method = RequestMethod.POST,
     produces = MediaType.APPLICATION_JSON_VALUE)
@Secured(AuthoritiesConstants.CREATE_USER)
public ResponseEntity<?> createUser(@RequestBody ...)

Now we have an admin interface where we control these restrictions from the UI: in the UI for creating a user we do not display ROLE_ADMIN in the select list for ROLE_ORG_ADMIN. We are going to expose the API to third parties. We are not sure how this can be done at the API level.

POST /api/users
{
  "id": null,
  "login": "name",
  "firstName": "first",
  "lastName": "Last",
  "email": "first.last@email.com",
  "activated": true,
  "langKey": "en",
  "createdBy": null,
  "createdDate": null,
  "lastModifiedBy": null,
  "lastModifiedDate": null,
  "resetDate": null,
  "resetKey": null,
  "authorities": [
    "ROLE_ORG_ADMIN",
    "ROLE_ADMIN"
  ]
}

What we want to do is to restrict a user with role ROLE_ORG_ADMIN from creating users with role ROLE_ADMIN. Both ROLE_ORG_ADMIN and ROLE_ADMIN have the permission CREATE_USER. If the current user's role is not ROLE_ADMIN, the API should respond with access denied when trying to create a user with role ROLE_ADMIN. Please help.

titogeo

1 Answer


I would like to share two ways to handle this. Option 1. How are you listing the available User_Roles to the user while creating the user? If you are displaying all the user roles and allowing the user to select the respective role, then while listing the available user roles itself you can avoid listing ROLE_ADMIN if the logged-in user is ROLE_ORG_ADMIN.

Option 2. If you don't want to handle it in the UI, then while creating the USER in the back end, you can throw an exception if the logged-in user ROLE_ORG_ADMIN tries to create the USER with ROLE_ADMIN. You can access the logged-in user details through the Principal object.

Hope any one option can be implemented.

  • I have no issue in handling this in the UI. I am already doing what you mentioned. I am trying to figure out how to control it when I expose APIs. Looking to see if there is any inbuilt Spring way of doing this. – titogeo Dec 22 '15 at 08:54
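The question asks for a server-side, Spring-native way to refuse a request whose "authorities" list contains ROLE_ADMIN unless the caller is allowed to grant it, and Option 2 of the answer suggests checking the logged-in principal in the back end. The following is an added example (not code from the question, the answer or any project) that does both with one guard bean: it is referenced from a @PreAuthorize expression on the controller so the filter chain turns a refusal into a 403, and it exposes a throwing variant for use inside a service. Assumptions: the role-to-permission policy map, the hypothetical permission ASSIGN_ADMIN_ROLE (assumed to be held only by ROLE_ADMIN, since the page says authorities carry permissions rather than roles), the request class UserRequest, the bean name roleGrantGuard, and that method security is enabled with @EnableGlobalMethodSecurity(prePostEnabled = true).

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

/**
 * Decides whether the calling Authentication may assign a set of roles.
 * The policy map below is an assumption for this example: a role listed
 * here can only be granted by a caller holding the mapped permission;
 * roles not listed need nothing beyond the CREATE_USER permission that
 * already protects the endpoint.
 */
@Component("roleGrantGuard")
public class RoleGrantGuard {

    // ASSIGN_ADMIN_ROLE is a hypothetical permission assumed to be
    // granted only to ROLE_ADMIN; it does not appear in the question.
    private static final Map<String, String> REQUIRED_PERMISSION_TO_GRANT =
            Collections.singletonMap("ROLE_ADMIN", "ASSIGN_ADMIN_ROLE");

    /** True only if the caller may assign every role in the request. */
    public boolean canGrant(Authentication caller, Collection<String> requestedRoles) {
        if (caller == null || requestedRoles == null) {
            return false; // fail closed on missing input
        }
        // Authorities are permissions here, as the question states
        Set<String> callerPermissions = caller.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        return requestedRoles.stream().allMatch(role -> {
            String needed = REQUIRED_PERMISSION_TO_GRANT.get(role);
            return needed == null || callerPermissions.contains(needed);
        });
    }

    /** Service-layer variant (Option 2 in the answer): throws instead of returning false. */
    public void assertCanGrant(Authentication caller, Collection<String> requestedRoles) {
        if (!canGrant(caller, requestedRoles)) {
            throw new AccessDeniedException(
                    "Caller is not allowed to assign roles " + requestedRoles);
        }
    }
}

/** Minimal stand-in for the request body shown in the question (assumption). */
class UserRequest {
    public String login;
    public String email;
    public List<String> authorities;
}

@RestController
@RequestMapping("/api")
class UserResource {

    // hasAuthority keeps the CREATE_USER check from the original endpoint;
    // the bean reference adds the "may the caller grant these roles" check.
    // #request requires parameter names at runtime (-parameters or debug info).
    @RequestMapping(value = "/users",
            method = RequestMethod.POST,
            produces = MediaType.APPLICATION_JSON_VALUE)
    @PreAuthorize("hasAuthority('CREATE_USER') and @roleGrantGuard.canGrant(authentication, #request.authorities)")
    public ResponseEntity<?> createUser(@RequestBody UserRequest request) {
        // Persisting the user with the application's own service is outside this example.
        return ResponseEntity.status(HttpStatus.CREATED).build();
    }
}
```

With this in place, a ROLE_ORG_ADMIN caller posting the body from the question (authorities containing ROLE_ADMIN) is rejected before the controller method runs, and Spring Security's ExceptionTranslationFilter maps the AccessDeniedException to a 403 response. Keeping the decision in the bean rather than in the SpEL string means a service method that creates users through another path (batch import, admin console) can call assertCanGrant with SecurityContextHolder.getContext().getAuthentication() and enforce the same policy.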