I have a question concerning security in exposed REST APIs via Spring Data / HATEOAS:
Requests for an entity will result in responses like these:
    {
      "id": 1,
      "someAttr": "val",
      "_links": {
        "someCollection": {
          "href": "http://localhost:8080/entities/1/someCollection"
        }
      }
    }
The entity is currently exposed via Spring Data's ability to export Repositories automatically.
The question for me now is: How can I add security configuration to these kinds of link endpoints? They will be a bit more complex (e.g. testing if the requesting user owns the entity which links to the collection).
Thanks in advance!
@Secured is supported on repository methods. Sorry that I don't have an example; I've never actually had to do it. You can also set up access to the security context via SpEL. - xenoterracide
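An ownership check of the kind the question asks about, expressed with method security and SpEL on the exported repository (an added example, not code from this thread). It assumes Spring Boot 3 with method security available, an entity carrying a hypothetical `owner` username field, and that Spring Data REST serves `/entities/{id}/someCollection` by first loading the parent through `findById`, so the rule on `findById` also covers the link endpoint; `OwnedEntity`, `EntityRepository` and the `ADMIN` role are illustrative names.

```java
// Added example, not from the original thread. OwnedEntity, its owner field and
// EntityRepository are hypothetical; imports assume Spring Boot 3 (jakarta.*).
// Types share one listing for brevity; in a project each gets its own file.
import java.util.Optional;

import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.CrudRepository;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.parameters.P;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize/@PostAuthorize processing
class MethodSecurityConfig {}

@Entity
class OwnedEntity {
    @Id @GeneratedValue Long id;
    String someAttr;
    String owner; // username of the owning user (assumed field)
    // someCollection association omitted for brevity
    public String getOwner() { return owner; }
}

@RepositoryRestResource(path = "entities")
interface EntityRepository extends CrudRepository<OwnedEntity, Long> {

    // Runs after the lookup: let "not found" through (404), otherwise require ownership.
    @Override
    @PostAuthorize("!returnObject.isPresent() or returnObject.get().owner == authentication.name")
    Optional<OwnedEntity> findById(Long id);

    // Listing every entity is restricted to a hypothetical ADMIN role.
    @Override
    @PreAuthorize("hasRole('ADMIN')")
    Iterable<OwnedEntity> findAll();

    // Writes are allowed only when the entity being saved belongs to the caller.
    @Override
    @PreAuthorize("#entity.owner == authentication.name")
    <S extends OwnedEntity> S save(@P("entity") S entity);
}
```

A request test that fetches `/entities/1/someCollection` as a non-owner and expects 403 confirms that the association endpoint is covered in the Spring Data REST version in use.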