Custom Security With a Spring Boot/Elide Json API Server

Here's a look at security permissions that are applicable to JPA entities, controlling attributes like reading, deletion, updating, and assignment of entities.

By Matthew Casperson · Mar. 16, 16 · Tutorial

In the last article, we looked at some simple security permissions that could be applied to JPA entities to allow or prevent the reading, creation, updating, deletion, and assignment of entities through relationships.

The built-in Role.ALL and Role.NONE classes are useful for coarse-grained authorization, but they offer no way to distinguish between users. A more likely scenario is one where only privileged users can create, delete, update, and share entities, while all users can read them.

The groundwork for granting different levels of access based on the user was laid when we added authentication to the API. That gave us a Principal object, which is passed into Elide's get() and post() methods.

To use this Principal to permit or deny actions based on who is logged in, we need to create a custom subclass of the Elide UserCheck class.

package com.matthewcasperson.elidetest.permissions;

import com.yahoo.elide.security.User;
import com.yahoo.elide.security.checks.UserCheck;
import org.springframework.security.authentication.AbstractAuthenticationToken;

/**
 * A security check that passes for admin users
 */
public class AdminCheck extends UserCheck {
    @Override
    public boolean ok(User user) {
        // The opaque user is the Spring Principal we passed into Elide's get() and post() methods
        final AbstractAuthenticationToken springUser = (AbstractAuthenticationToken) user.getOpaqueUser();
        // Pass only when one of the granted authorities is the admin role
        return springUser.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equalsIgnoreCase(a.getAuthority()));
    }
}

The AdminCheck class gets access to the opaque user object, which is the Principal that Spring injected into our REST API methods and that we passed into the Elide get() and post() methods.

This opaque user object is cast to a Spring AbstractAuthenticationToken. AbstractAuthenticationToken implements the Java Principal interface but exposes additional information, such as the roles assigned to the user via the getAuthorities() method. Converting this collection to a Java 8 stream and searching it for the admin role lets us return true for admin users and false for everyone else. If ok() returns true, the security check passes and the operation is allowed; if it returns false, the operation is blocked.

To give admin users full access to our API while giving everyone else read-only access, we assign our new class to the @SharePermission, @CreatePermission, @UpdatePermission, and @DeletePermission annotations on our JPA entities.

The @ReadPermission annotation continues to reference the Role.ALL class.

@ReadPermission(any={ Role.ALL.class })
@SharePermission(any={ AdminCheck.class })
@CreatePermission(any={ AdminCheck.class })
@UpdatePermission(any={ AdminCheck.class })
@DeletePermission(any={ AdminCheck.class })

With this code in place, all users can read entities, but only admin users can make modifications.
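The check above casts the opaque user unconditionally, so a request that reaches Elide with no principal, or with a principal that is not a Spring token, fails with an exception rather than a denial. The following added example (not code from the article or its GitHub project) generalises AdminCheck into a role-parameterised UserCheck that fails closed in those cases and exercises it with constructed Spring tokens; it assumes the Elide 2.x User(Object) constructor and the Spring Security classes named in the imports.

```java
package com.matthewcasperson.elidetest.permissions;

import com.yahoo.elide.security.User;
import com.yahoo.elide.security.checks.UserCheck;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical generalisation of the article's AdminCheck: passes when the Spring
 * Authentication behind the Elide User carries the required role. Elide creates
 * checks through a no-arg constructor, so each role gets its own small subclass.
 */
public abstract class RoleCheck extends UserCheck {
    private final String requiredRole;

    protected RoleCheck(final String requiredRole) {
        this.requiredRole = requiredRole;
    }

    @Override
    public boolean ok(final User user) {
        final Object opaque = user == null ? null : user.getOpaqueUser();
        // Fail closed: a missing principal or a non-Spring opaque user is denied
        // instead of throwing the ClassCastException an unguarded cast would raise.
        if (!(opaque instanceof Authentication)) {
            return false;
        }
        final Authentication auth = (Authentication) opaque;
        return auth.isAuthenticated() && auth.getAuthorities().stream()
                .anyMatch(a -> requiredRole.equalsIgnoreCase(a.getAuthority()));
    }

    /** Concrete check for the ROLE_ADMIN authority used in the article's annotations. */
    public static class AdminRoleCheck extends RoleCheck {
        public AdminRoleCheck() { super("ROLE_ADMIN"); }
    }

    /** Exercises the check with constructed sample principals (not the project's data). */
    public static void main(final String[] args) {
        final RoleCheck check = new AdminRoleCheck();
        final Authentication admin = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        final Authentication reader = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        System.out.println("admin passes: " + check.ok(new User(admin)));
        System.out.println("reader passes: " + check.ok(new User(reader)));
        System.out.println("missing principal passes: " + check.ok(new User(null)));
    }
}
```

In the entity annotations, RoleCheck.AdminRoleCheck.class takes the place of AdminCheck.class, and further roles need only another one-line subclass.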

Download the source code for this project from GitHub.
