Saturday, 15 September 2012

java - Controlling security on model updates in RESTful Spring MVC / HATEOAS


Consider the following object:

    class User {
        Long userId;
        String emailAddress;
        Boolean isLocked;
    }

If I expose an update endpoint for the user resource, it looks as follows:

    @Controller
    public class UserController {

        @Autowired
        private UserRepository userRepository;

        @RequestMapping(value = "/user/{userId}", method = RequestMethod.PUT)
        public void updateUser(@PathVariable("userId") Long userId, User updatedUser) {
            User dbUser = userRepository.find(userId);
            // map updatedUser onto dbUser
            userRepository.save(dbUser);
        }
    }

Is there currently a standard way of exposing the endpoint at /user/{userId}, but limiting updates of specific fields based on the user's privileges?

For example, I may want to restrict updates to the isLocked property to users with ROLE_ADMIN, while still allowing a user to update their email address.

Note - This question is not strictly related to Spring HATEOAS - I am interested in any standard Spring solution to this problem.

Two possibilities come into my mind:

  • Validation (@Valid)
  • Binder configuration (@InitBinder)

You can validate the incoming objects and check for such changes. Or you can set up WebDataBinder#setAllowedFields within your @InitBinder method, depending on the user's rights. The latter will probably be the easiest way, but instead of returning a validation error your application will completely ignore the field.
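As an added example (not code from the question or the answer), this is what the @InitBinder approach described in the answer could look like: the list of bindable fields is chosen per request from the caller's role, so a non-admin request that carries isLocked simply has that field dropped by the binder. The UserRepository, the User getters/setters, and a Spring Security filter chain that makes isUserInRole work are assumed.

```java
import java.util.ArrayList;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseStatus;

@Controller
public class UserController {

    @Autowired
    private UserRepository userRepository; // assumed: repository from the question

    // Whitelist the bindable fields for the "user" model attribute on every
    // request. Anything not listed (including userId, which must come from
    // the path, and isLocked for non-admins) is never copied onto the target.
    @InitBinder("user")
    protected void restrictBindableFields(WebDataBinder binder, HttpServletRequest request) {
        List<String> allowed = new ArrayList<String>();
        allowed.add("emailAddress");
        if (request.isUserInRole("ROLE_ADMIN")) { // assumed: Spring Security populates roles
            allowed.add("isLocked");
        }
        binder.setAllowedFields(allowed.toArray(new String[allowed.size()]));
    }

    @RequestMapping(value = "/user/{userId}", method = RequestMethod.PUT)
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void updateUser(@PathVariable("userId") Long userId,
                           @ModelAttribute("user") User updatedUser) {
        User dbUser = userRepository.find(userId);
        dbUser.setEmailAddress(updatedUser.getEmailAddress());
        // isLocked is only non-null when the binder was allowed to bind it,
        // i.e. when the caller had ROLE_ADMIN.
        if (updatedUser.getIsLocked() != null) {
            dbUser.setIsLocked(updatedUser.getIsLocked());
        }
        userRepository.save(dbUser);
    }
}
```

As the answer notes, a disallowed field is ignored rather than rejected; if the client must be told, the @Valid route with a role-aware validator is the alternative.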
