How to get User-Information in Spring-Boot-REST calls?

Question

We are currently evaluating Spring-Boot as a framework for a project. There are security-requirements to this project, basically we want to limit webservice calls to certain roles, but at the same time, results of said calls are dependent on the roles, a user is in.

Example: I do understand, I can prevent or allow a user access to a certain REST call by using

@PreAuthorize("...")
@PostAuthorize("...")

but what I need is something more along the lines of this code (which is from DropWizard):

@Path("/for_date_sec/{date}")
@GET
@RolesAllowed("ADMIN")
public void doSecured(@Auth User user, @PathParam(value = "date") String date) {
  selectReadableObjects(user.getRoles());
  ...
}

From what I understand, the '@PreAuthorize/@PostAuthorize' annotations have access to the principal. Can we also expose it to the Is this possible?

[You can see here](http://stackoverflow.com/questions/6161985/get-userdetails-object-from-security-context-in-spring-mvc-controller) You can get all other info by retrieving UserDetails. — Zico, Jul 14 '16 at 11:11

score 0 · Accepted Answer · answered Jul 15 '16 at 08:24

0

It seems, there is no way to let Spring introduce an artificial additional parameter. Instead Spring provides context-information via SecurityContextHolder as described in the answer referred by Nur Alam Zico.

answered Jul 15 '16 at 08:24

Jonathan

2,698
24
37

How to get User-Information in Spring-Boot-REST calls?

1 Answers1