Is it possible to make conditional injections with Spring Security?

What tip would you give when, for example, a user must not have access to a given object X?

For example:

URL: /student/{id}

The user who is HEADMASTER of a school has access to the profile of all students of the school he is headmaster of. The user who is a school teacher has access to the profile of all students in the classes he teaches.

How would I do this using Spring Security?


One more thing

I have a screen where I search for students, that well-known screen with several filters, pagination, etc. There I also wanted to do something similar to the requirement above (the one from the URL).

I would like the search screen, when the user is a teacher, to list only the students of the classes he teaches, and when he is a principal, only the students of the school he runs. I thought of an interesting way, but I don't know how to inject the correct implementation when creating the MVC Controller.

Example:

import java.util.List;
import java.util.Map;

public interface AlunoRepository {

    List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size);

}

Now the specific implementations for each PROFILE follow.

Specific implementation for the Teacher profile:

import java.util.List;
import java.util.Map;

public class AlunoRepositoryImpl4Professor implements AlunoRepository {

    @Override
    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size) {
        // TODO: return only the students of the classes he teaches, filtered by the parameters
        throw new UnsupportedOperationException("TODO");
    }

}

Specific implementation for the Director profile:

import java.util.List;
import java.util.Map;

public class AlunoRepositoryImpl4Diretor implements AlunoRepository {

    @Override
    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size) {
        // TODO: return only the students of the school he runs, filtered by the parameters
        throw new UnsupportedOperationException("TODO");
    }

}

Controller

import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class AlunoController {

    @Autowired
    private AlunoRepository repository; // how do I inject the AlunoRepository according to the profile being used here?

    @GetMapping
    @ResponseBody
    public List<Aluno> query(Map<String, Object> params, int offset, int size) {
        return repository.getAlunoByParams(params, offset, size);
    }

}

1 answer

Note that your methods have different purposes, so it would be interesting to separate the responsibilities as follows:

  • getAlunosByEscola: method to return the list of students of the school, making an INNER JOIN with the table that stores which school the principal is linked to.

  • getAlunosByTurma: method to return the list of students of the teacher's classes, making an INNER JOIN with the table that stores which class the teacher is linked to.

You can also set profile-specific permissions on your methods using @PreAuthorize, as follows:

import org.springframework.security.access.prepost.PreAuthorize;

@PreAuthorize("hasRole('DIRETOR')")
public List<Aluno> getAlunosByEscola(Map<String, Object> params, int offset, int size);

@PreAuthorize("hasRole('DIRETOR') AND hasRole('PROFESSOR')")
public List<Aluno> getAlunosByTurma(Map<String, Object> params, int offset, int size);

But, if your architecture does not allow that, another solution you could try would be to pass, in your list of parameters, some way of changing the join, that is, to make a different INNER JOIN according to the received list.

Regards.
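Added example (Java with Spring Security; not the poster's or the answerer's code) showing one way to get both things the question asks for: the per-profile implementation is chosen per request from the caller's authorities, so the controller keeps a single @Autowired AlunoRepository, and /student/{id} is guarded by a per-object check rather than by role alone. It assumes the two AlunoRepositoryImpl4* classes are registered as beans, a hypothetical VinculoRepository that knows which school a director runs and which classes a teacher teaches, and method security enabled with @EnableMethodSecurity.

```java
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Primary;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical lookup of the caller's links (school of a director, classes of a teacher); assumed, not from the question.
interface VinculoRepository {
    boolean alunoNaEscolaDoDiretor(long alunoId, String diretor);
    boolean alunoNasTurmasDoProfessor(long alunoId, String professor);
}

// Delegating AlunoRepository: picks the profile-specific implementation per request from the caller's authorities;
// @Primary makes the question's plain @Autowired AlunoRepository receive this bean instead of one of the impls.
@Primary @Component
class AlunoRepositoryPorPerfil implements AlunoRepository {
    private final AlunoRepositoryImpl4Diretor diretor; private final AlunoRepositoryImpl4Professor professor; // assumed beans
    AlunoRepositoryPorPerfil(AlunoRepositoryImpl4Diretor d, AlunoRepositoryImpl4Professor p) { diretor = d; professor = p; }
    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size) {
        var roles = AuthorityUtils.authorityListToSet(SecurityContextHolder.getContext().getAuthentication().getAuthorities());
        // hasRole('X') in SpEL tests for the authority "ROLE_X"; the same prefix is used here
        if (roles.contains("ROLE_DIRETOR")) return diretor.getAlunoByParams(params, offset, size);
        if (roles.contains("ROLE_PROFESSOR")) return professor.getAlunoByParams(params, offset, size);
        throw new AccessDeniedException("no profile grants student search"); // deny by default
    }
}

// Object-level check for /student/{id}: the role alone is not enough, the caller's link to this particular student
// must hold too (otherwise any teacher could read any id). Referenced from @PreAuthorize by bean name.
@Component("alunoAccess")
class AlunoAccess {
    private final VinculoRepository vinculos; AlunoAccess(VinculoRepository v) { vinculos = v; }
    public boolean canView(Authentication auth, long alunoId) {
        var roles = AuthorityUtils.authorityListToSet(auth.getAuthorities());
        return (roles.contains("ROLE_DIRETOR") && vinculos.alunoNaEscolaDoDiretor(alunoId, auth.getName()))
            || (roles.contains("ROLE_PROFESSOR") && vinculos.alunoNasTurmasDoProfessor(alunoId, auth.getName()));
    }
}

@RestController class AlunoPerfilController {
    @GetMapping("/student/{id}") @PreAuthorize("@alunoAccess.canView(authentication, #id)") // needs @EnableMethodSecurity
    public Aluno perfil(@PathVariable long id) { return null; /* load and return the student here */ }
}
```

The search screen still relies on each Impl4* class filtering by the caller's own school or classes; the delegator only decides which one runs and refuses callers with neither profile.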
