9

In my web app users are able to change their user details. The URL for this page is: 

springproject/usermanagement/edituserinfo/4

where "4" is the user id.

My security-context looks like:

<security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/usermanagement" access="isAuthenticated()" />
    <security:intercept-url pattern="/usermanagement/new" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/usermanagement/edit/*" access="hasRole('ROLE_ADMIN')" />
    <security:intercept-url pattern="/usermanagement/edituserinfo/*" access="isAuthenticated()" />  
</security:http>

How can I restrict the user only to access their own "edituserinfo" page? E.g. user with user id 1 can only access: "springproject/usermanagement/edituserinfo/1 " and not "springproject/usermanagement/edituserinfo/4 "

jorgen
  • 1,217
  • 6
  • 22
  • 41
  • 2
    Do you really need to pass the user id in the URL? Ideally your URL should just be `springproject/usermanagement/edituserinfo`. You should retrieve the user id in the Java code as `SecurityContextHolder.getContext().getAuthentication().getPrincipal()` and use that to load the user details. This will make sure that a user is only able to see and edit their own details and no one else's. – manish Apr 02 '15 at 02:41

2 Answers2

14

You can also accomplish this using Spring Security's @PreAuthorize which supports expressions:

@PreAuthorize("#userId == principal.id")
public void doSomething(@PathVariable String userId);

See the Spring docs:

Access Control using @PreAuthorize and @PostAuthorize

Dijkgraaf
  • 11,049
  • 17
  • 42
  • 54
dbmargo
  • 141
  • 1
  • 3
11

Use a PathVariable on the URL, like @RequestMapping("/usermanagement/edituserinfo/{userid}") and in your code validate the logged-in user's Spring Security context principle (via SecurityContextHolder.getContext().getAuthentication().getPrincipal()) against the userid path variable. If they don't match, bounce the user out, log a SecurityException, and send an email to the admins.

atrain
  • 9,139
  • 1
  • 36
  • 40