
I am currently developing a REST API server based on Spring Boot. Thanks to Spring Data Rest, the 10-ish entities can easily have their own controller via a simple repository (@RepositoryRestResource plus JpaRepository and JpaSpecificationExecutor). Now I need to integrate the security control with @PreAuthorize.

The question here is which method should I put the annotation on to restrain GET / POST / etc. ?

For example, if I limit the permission of delete, does it similarly affect deleteById, deleteInBatch, deleteAll? I see in the documentation the annotation of exported is put on deleteById and delete without any further explanation, which confuses me.

qnhant5010

1 Answer


For example, if I limit the permission of delete, does it similarly affect deleteById, deleteInBatch, deleteAll?

To the best of my knowledge: no. Check this sample code where searches are authorized, but deletion is strictly limited to admins only:

import java.util.List;

import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.prepost.PreAuthorize;

public interface RecordRepository<T extends Record> extends MongoRepository<T, String> {

    // paginated queries, exported under /records/search/{path}
    @RestResource(path = "names", rel = "name")
    public Page<T> findByName(@Param("name") String name, Pageable pageable);
    @RestResource(path = "types", rel = "types")
    public Page<T> findByTypeIn(@Param("type") List<String> types, Pageable pageable);

    // restrict delete operations to administrators only:
    // each inherited delete method is overridden so the annotation applies to it

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteById(String id);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void delete(T entity);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteAll(Iterable<? extends T> records);

    @PreAuthorize("hasRole('ADMIN')")
    @Override
    void deleteAll();
}

That being said, if your purpose is to restrict deletion to admins only, you can extend WebSecurityConfigurerAdapter and configure it to block all HTTP DELETE requests:

import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

public class WebSecurityBaseConfiguration extends WebSecurityConfigurerAdapter {
    ...

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // any DELETE request, whatever the path, requires ROLE_ADMIN
        http.authorizeRequests()
          .antMatchers(HttpMethod.DELETE).hasRole("ADMIN");
    }

}

Note that this is a quick and dirty copy paste that may not work out of the box (you will probably need to configure a role hierarchy).

Kirill Rakhman
Marc Tarin
  • Role hierarchy is a nice idea, I'll look into it. For instance, I already implement a hybrid solution by creating a generic super interface to be subclassed by any repository dedicated for a certain role, given the inheritance of permission control annotations in Spring Security – qnhant5010 Mar 06 '20 at 10:10
  • Indeed, I completely forgot to mention that possibility. – Marc Tarin Mar 06 '20 at 11:01
  • Maybe it would be worth mentioning the Spring ACL as an additional (optional) layer of security: check [this](https://stackoverflow.com/questions/26546072/using-spring-security-acl-with-spring-data-rest) question too – m4gic Apr 06 '22 at 07:57
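An added example (not code from the question or the answer) of the inherited-annotation approach raised in the comments: a @NoRepositoryBean base interface carries the @PreAuthorize guards on every delete override, and each exported repository extends it, so no concrete repository can forget them. The names MethodSecurityConfig, AdminDeleteRepository, Record and RecordRepository are assumed for illustration; the config class is the switch without which @PreAuthorize on repository methods is silently ignored.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.data.repository.NoRepositoryBean;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.annotation.RestResource;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

// Without this switch, @PreAuthorize on repository methods is never evaluated.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

// Hypothetical base interface. @NoRepositoryBean stops Spring Data from
// instantiating it; subinterfaces inherit the guarded overrides. Spring Data
// REST routes DELETE /{collection}/{id} to deleteById, so that override is the
// one the exported endpoint hits; the others cover direct service-layer calls.
@NoRepositoryBean
interface AdminDeleteRepository<T, ID> extends PagingAndSortingRepository<T, ID> {
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    void deleteById(ID id);
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    void delete(T entity);
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    void deleteAll(Iterable<? extends T> entities);
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    void deleteAll();
    // Spring Data 2.5+ also declares deleteAllById(Iterable<? extends ID>); override it too.
}

// Constructed sample entity.
@Entity
class Record { @Id private String id; private String name; }

// Exported repository: inherits the guarded deletes and adds its own search,
// which stays open to whoever the HTTP security layer lets through.
@RepositoryRestResource(path = "records")
interface RecordRepository extends AdminDeleteRepository<Record, String> {
    @RestResource(path = "names", rel = "name")
    Page<Record> findByName(@Param("name") String name, Pageable pageable);
}
```

A caller without ROLE_ADMIN sending DELETE /records/{id} then receives 403 from the method-security interceptor even if the HTTP-level rules let the request through, which is the defence-in-depth the role hierarchy comment points at.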