Adding role based logic on a spring controller

Question

So i've been looking around for a solution but I can't find anything that's exactly what I want, I'm looking to overload a method for different permissions based on the user. I'm using Spring boot and Spring security. For example:

@ResponseBody
@GetMapping("/role")
@Secured("ROLE_ADMIN")
public ResponseEntity<String> areYouAdmin() {
    return new ResponseEntity<>("ADMIN YES", HttpStatus.OK);
}

@ResponseBody
@GetMapping("/role")
@Secured("ROLE_USER")
public ResponseEntity<String> areYouUser() {
    return new ResponseEntity<>("USER YES", HttpStatus.OK);
}

so for here, if the user is ROLE_USER they would recieve a response of "USER YES" and the ROLE_ADMIN would "ADMIN YES". I know this is is possible with adding a check in the actual method and using the role as a condition but wondering if there is a cleaner approach. A possible usecase here would be if they were searching for a resource and if they were user, it would only display ones where the status was OPEN or something, wheras admin can filter and search by all status. Another one would be if we want to return a different dto, ie admin can view all information about a user.

I also thought about just using different pathing and use my web security config, IE:

        .antMatchers("/api/admin").hasRole(ADMIN)
        .antMatchers("/api/user").hasRole(USER)

but i really dont want my front end to be "smart", the backend should just display data depending on the role without any special pathing required, or a new servlet. Thanks in advance for any help!

Maybe this similar post will help: https://stackoverflow.com/questions/17995744/spring-security-mvc-same-requestmapping-different-secured — Jens Van Reusel, Mar 01 '19 at 15:02
Does my answer solve your doubt? If solved then close the issue by accepting the answer — Romil Patel, Mar 05 '19 at 09:51
@PatelRomil no, i specifically said that i didn't want to use different routes in my question. — Bradley Williams, Mar 10 '19 at 10:53

score 0 · Answer 1 · answered Mar 01 '19 at 15:41

Normally Admin related URLs starts with /admin/** so in my opinion, it's a good practice to have different URL for Admin and User as you have in your Config file.

You can use Same URL for Different Role as below

// REST version, Content-type is "application/json"
@RequestMapping(value = "/", consumes = "application/json")
public void myRestService() {
...

// HTML version, Content-type is not "application/json"
@RequestMapping(value = "/", consumes = "!application/json")
public void myHtmlService() {
...

// the url is /?role=guest
@RequestMapping(value = "/", param = "role=guest")
public void guestService() {

// the url is / with header role=admin
@RequestMapping(value = "/", headers = "role=admin")
public void adminService() {

Custom Properties @RequestMapping

For More Details, you should Refer Refer 1 and Refer 2

Adding role based logic on a spring controller

1 Answers1