Restrict access to spring REST data based on credentials - spring

I have a CrudRepository throug which I can access my entities. Let's say I have an entity called Report (all oversimplified and not compiling):
#Entity
public class Report{
#Id
private Long id;
private boolean classified;
private Date date;
private String reportdata;
}
And a CrudRepository:
#RepositoryRestResource(collectionResourceRel = "reports", path = "report")
public interface ReportRepository extends CrudRepository<Report, Long>
{
findByDate(Date date); // <---- I want this to return only reports which are not classified for users who do not have the appropriate role
}
The findByDate will return all reports, including all classified reports for all users making the request. I want to restrict the access to the data based on the currently authenticated user. Is this possible?

You need Spring Security 4. It now integrates with Spring Data.
http://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#data
Something like:
#Repository
public interface ReportRepository extends CrudRepository<Report,Long> {
#Query("select r from Report r where r.date=?1 and r.owner.id = ?#{ principal?.id }")
Report findByDate(Date date);
}

REST is stateless. It means that the server stores NO runtime informations (session, role etc.) about client. So if you want to use REST you should generate an API key for you client. Use a simple path filter to check whether the API key valid or not.
But perhaps you mean AJAX ?

Related

How to access Spring properties from an entity?

I have a spring app, that pushes data in an s3 bucket.
public class Ebook implements Serializable {
#Column(name= "cover_path", unique = true, nullable = true)
private String coverPath;
private String coverDownloadUrl;
#Value("${aws.cloudfront.region}")
private String awsCloudFrontDns;
#PostLoad
public void init(){
// I want to access the property here
System.out.println("PostConstruct");
String coverDownloadUrl = "https://"+awsCloudFrontDns+"/"+coverPath;
}
When a data is pushed, let's say my cover here, I get the key 1/test-folder/mycover.jpg which is the important part of the future http URL of the data.
When I read the data from database, I enter inside #PostLoad method and I want construct the complete URL using the cloudfront value. This value changes frequently so we don't want to save hardly in the database.
How could I do to construct my full path just after reading the data in database?
The only way to do this is to use a service that update the data after using repository to read it? For readbyId it can be a good solution, but for reading list or using other jpa methods, this solutions won't work because I have each time to create a dedicated service for the update.
It doesn't look good for Entity to depend on property.
How about EntityListener.
#Component
public class EbookEntityListener {
#Value("${aws.cloudfront.region}")
private String awsCloudFrontDns;
#PostLoad
void postload(Ebook entity) { entity.updateDns(awsCloudFrontDns); }
}
I recommend trying this way :)

Hibernate LAZY loading and spring's UserDetails

I have a stateless REST backend. So no HTML views. Just JSON and REST endpoints.
Authentication is done with Json Web Tokens. The client sends a JWT in each request.
My backend takes the user's email from the subject claim in this JWT. Then it loads the UserModel from the database in class LiquidoUserDetailsService implements UserDetailsService { ...}
Each user is part of a team. But the Team is a big entity with a lot of information in it. So teams are only loaded lazily, when necessary:
UserModel.java
#Entity
#Table(name = "users")
public class UserModel extends BaseModel {
#NotNull
#NonNull
#Column(unique = true)
public String email;
#ManyToOne(fetch = FetchType.LAZY) // only load team info (with all info) if required
public TeamModel team;
[...]
}
Now I have a service that should return the team of the current user:
TeamService.java
#PreAuthorize(HAS_ROLE_USER)
#RequestMapping("/getOwnTeam")
#Transactional // [1]
public TeamModel getOwnTeam() {
// Get currently logged in user (that was loaded with info from JWT)
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
LiquidoAuthUser authUser = (LiquidoAuthUser)authentication.getPrincipal();
// LiquidoAuthUser is the Adapter betwen spring's User and my USerModel
UserModel currentUser = authUser.getLiquidoUserModel()
TeamModel team = currentUser.getTeam() // <=== [2] throws LazyInitializationException
return team
}
Now I think I know where the problem is. But I do not yet have a clean solution for it.
My UserModel is loaded in class LiquidoUserDetailsService implements UserDetailsService But this happens very early, in a filter, when the HTTP request is processed. As it seams the #Transaction in my TeamService class is not yet started at that time.
Then when the code enters the getOwnTeam() method, a new transaction is started [1]. But in there I cannot lazy load the user's team anymore. [2]
How can I model my users and teams, so that
The team data is only loaded when necessary
I can load the data manually when neccessary
If you need different load startegy you can use:
Native sql when query
jpql with construction like join fetch
Entity Graph (https://www.baeldung.com/jpa-entity-graph)
The main benefit when you use such way to load is single request to database.
You can read more https://thorben-janssen.com/lazyinitializationexception/
Your object in deatached state - this is reason of LazyInitializationException (you cat move it to other state to load your object)
for example
entityManager.merge(deatachedEntity);

Trying to get related entities from H2 database in Java Spring Boot

I've just started learning Spring Boot and am using a H2 database, I've got mostly everything working but I'm running into trouble trying to make a slightly more complex request. I've got 2 tables 'User' and 'Purchase', and I want to create and end point that returns all purchases that contain a given users ID. This seems simple if I used an SQL join or some similar query but I have no idea how to implement one.
I have a repository (CrudRepository) for both user and purchases, and then a service for each that gets the relevant data from database. This works perfect for the basic needs such as get, getById, etc. But I have no idea how to specify queries such as join and what not.
public interface UserRepo extends CrudRepository<User, Integer> {}
public interface ReceiptRepo extends CrudRepository<Receipt, Integer> {}
#Service
public class UserService {
#Autowired
UserRepo userRepo;
public User getUser(int id) { return userRepo.findById(id).get(); }
}
#RestController
public class UserController {
#Autowired
UserService userService;
#GetMapping("/user/{id}")
private User getUser(#PathVariable("id") int id) {
return userService.getUser(id);
}
}
That's basically the set up for both entities, and I'm not sure where and how I'd write more specific queries. Any help would be greatly appreciated.
Yoy can use #Query() annotation in order to write query.
You need to declare a method in your repo and on that method you can put this annotation.
Eg:
#Query("SELECT u FROM User u WHERE u.status = 1")
Collection<User> findAllActiveUsers();
You can take some more idea about this from here

Why does graphql java query all fields in entity when I only ask for a few?

I created a basic graphql-java app with the spring boot starter and using the graphql spqr library against an MSSQL database utilizing Hibernate and Jpa.
I have an entity called "Task" with 5 fields. I have a simple Jpa repository and a simple Jpa service that calls a "findAllTasks" method. It works great, but if I specify, for example, only one field to query with graphiql, I can see through my SQL log that the select command executed is querying for ALL fields in my Task entity/table, rather than the one I want. Is this expected? I thought graphql only selects the fields you specify in the query command?
Here is my code:
Entity
#Entity
#Getter
#Setter
#AllArgsConstructor
#NoArgsConstructor
#Builder
public class Task {
#Id
#GeneratedValue(strategy = GenerationType.IDENTITY)
public Long id;
#Column
public String desc;
#Column
public LocalDateTime createdOn;
#Column
public LocalDateTime modifiedOn;
#Column
public String owner;
}
Repository
#Repository
public interface TaskRepository extends JpaRepository<Task, Long> {}
Service
#GraphQLApi
#Service
public class TaskService {
private TaskRepository taskRepo;
#Autowired
public TaskService(TaskRepository taskRepo) {
this.taskRepo = taskRepo;
}
#GraphQLQuery
public List<Task> findAllTasks() {
return taskRepo.findAll();
}
}
When I run the following in graphiql:
query {
findAllTasks {
id
}
}
I get the following SQL statement that was generated from my log:
select task0_.id as Task1_1_0_. task0_.desc as Task1_2_0, task0_.createdOn as Task1_3_0, task0_.modifiedOn as Task1_4_0, task0_.owner as Task1_4_0 from Task as task0_
You have to make a distinction between your GraphQL API and your database. You defined a query method GraphQL that is called findAllTasks. In consequence, when you call this GraphQL query with any number of fields, it will call the Java method implementation findAllTasks.
You can see that the implementation of this Java method calls taskRepo.findAll(). Therefore, you will fetch all data from your tasks in database.
GraphQL will then filter the data from the tasks fetched by your Java method to match what is asked in the GraphQL query.
In a nutshell, GraphQL is in charge in returning just the fields that you requested, but your implementation is in charge of getting the data from the database.
Disclaimer: I'm not an expert of graphql-spqr, so the upcoming information might not work in your case (as it applied to graphql-java).
If you feel that your implementation is however not efficient enough (here we are really talking about efficiency), you could look into dataloaders.

Security filtering entity collection with jax-rs and jersey

I've been looking around on how to filter results based on certain security roles. I've been looking at filters but this just seems to filter out certain fields rather than the complete entity itself. Let me try to explain what I need. Lets say I have 2 entity classes:
public class Project {
private Long id;
private String name;
private String description;
// getters and setters
}
public class User {
private Long id;
private String name;
private String email;
// getters and setters
}
resource:
#Path("projects")
#Produces("application/json")
public class ProjectsResource {
#GET
public List<Project> getProjects() {
return getDetailedProjects();
}
}
Also I have 2 companies, each with their own projects. For convenience lets call them company A and company B.
What I would like to achieve is that 3 users all using this same resource get different results based on their security role.
User 1: the Super user, should get everything
User 2: manager for company A, should only get projects for company A
User 3: manager for company B, should only get projects for company B
How should I go about doing this? It just doesn't seem right to do this filtering in each resource.
I'm using jax-rs, with role based security. Users are linked to a role which grants them access to projects for a specific company.
I think you would have to parameterize your getDetailedProjectsmethod with the accessing user.
To achieve that you can inject the jersey SecurityContextinto your Resource like so (from jersey documentation):
#Path("basket")
public ShoppingBasketResource get(#Context SecurityContext sc) {
if (sc.isUserInRole("PreferredCustomer") {
return new PreferredCustomerShoppingBasketResource();
} else {
return new ShoppingBasketResource();
}
}
The securityContext.getUserPrincipal().getName()method will allow you to get hold of the requesting user and map that to a method parameter (or use it plain).

Resources