  • Using Spring Security with REST

    Suppose I am writing a RESTful web service and I have a URL such as:
    https://www.mycompany.com/Orders/7777

    I only want certain web service users to be able to access Order #7777, and I need something finer-tuned than role-based security. For example, I can't just say that all users with the role "admin" can access the order but no users with the role "regular" can. It's going to be the case that some regular users can access the particular order, but others can't.

    I was thinking that what I would do is have Spring authenticate based upon the username given in the HTTPS session. Is something like this possible? If somebody has a better idea, I'd be willing to look into that as well.

    I tried looking for information on this on Google and I haven't had much luck. If you can tell me how to do this or point me to a good resource, I would really appreciate it.

  • #2
    Here's an example that might steer you in the right direction.



    • #3
      Originally posted by jamestastic
      Here's an example that might steer you in the right direction.
      James, thanks very much. That page has been by far the most practically helpful I've seen on the topic.



      • #4
        You're quite welcome! I'm happy you found it useful!



        • #5
          Exception Handling

          Hi, can you please tell me how to handle exceptions in RESTful web services in Spring 3.0?

          I'm using @ExceptionHandler but it is not working as expected.



          • #6
            Spring Security exceptions will occur outside of any exception handlers in your Spring context. Do you need to handle application-level exceptions, or security-related exceptions?



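            As an added illustration of the point made in #6 (example code written for this thread, not code from the original posts or from the Spring project): Spring Security's AuthenticationException and AccessDeniedException are raised inside the servlet filter chain, before the request ever reaches the DispatcherServlet, so a controller's @ExceptionHandler never sees them. The hooks that do see them are the AuthenticationEntryPoint and AccessDeniedHandler that ExceptionTranslationFilter calls. For a REST service both should answer with a status code and a small body instead of redirecting to a login page. The class names and the realm string below are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;

/** REST-friendly replacements for the login-page redirects Spring Security uses by default. */
public class RestSecurityErrorHandlers {

    /** Called when an unauthenticated caller hits a protected URL: answer 401, not a redirect. */
    public static class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException authException)
                throws IOException, ServletException {
            // Realm name is an assumption; pick one that matches the rest of the API.
            response.setHeader("WWW-Authenticate", "Basic realm=\"orders\"");
            response.setContentType("application/json");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            // Deliberately not echoing authException.getMessage(): "Bad credentials" vs
            // "User not found" tells an attacker which usernames exist.
            response.getWriter().write("{\"error\":\"authentication required\"}");
        }
    }

    /** Called when an authenticated caller is refused by the access rules: answer 403. */
    public static class RestAccessDeniedHandler implements AccessDeniedHandler {
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException accessDeniedException)
                throws IOException, ServletException {
            response.setContentType("application/json");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            response.getWriter().write("{\"error\":\"access denied\"}");
        }
    }
}
```

            Wire the two classes as beans and point the security namespace at them: the entry point goes on the http element as entry-point-ref, and the denied handler goes in a nested access-denied-handler element with a ref attribute. Application-level exceptions thrown from controller methods still go through @ExceptionHandler as in the rest of this thread; only the security exceptions take this path.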
            • #7
              Originally posted by jamestastic
              Spring Security exceptions will occur outside of any exception handlers in your Spring context.

              jamestastic,

              I wanted to handle application-level exceptions. If you can give sample code for how to handle exceptions, it will be helpful.



              • #8
                *Please don't hijack threads; if your query is not related to the existing thread, post it as a new thread.*

                Here is a sample example:

                Code:
                import javax.servlet.http.HttpServletRequest;
                import javax.servlet.http.HttpServletResponse;
                import org.apache.log4j.Logger;
                import org.springframework.beans.factory.annotation.Autowired;
                import org.springframework.http.HttpStatus;
                import org.springframework.stereotype.Controller;
                import org.springframework.validation.BindingResult;
                import org.springframework.web.bind.annotation.ExceptionHandler;
                import org.springframework.web.bind.annotation.RequestMapping;
                import org.springframework.web.bind.annotation.RequestMethod;
                import org.springframework.web.bind.annotation.ResponseStatus;
                import org.springframework.web.servlet.ModelAndView;

                @Controller
                public class MyServiceController {

                    private static Logger logger = Logger.getLogger(MyServiceController.class);

                    @Autowired
                    MyService myService;

                    // Catches any exception thrown by a handler method of this controller,
                    // logs it with its stack trace and renders it through the same XML view
                    // used for normal responses, with HTTP status 500.
                    // Note that putting the exception object itself in the model exposes its
                    // class name and message to the client.
                    @ExceptionHandler(Exception.class)
                    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
                    public ModelAndView handleNoConfigException(Exception ex, HttpServletRequest request,
                                                                HttpServletResponse response) {
                        logger.error(ex.getMessage(), ex);
                        return new ModelAndView("myAppXmlView", BindingResult.MODEL_KEY_PREFIX + "myapp", ex);
                    }

                    @RequestMapping(value = "/", method = RequestMethod.GET)
                    public ModelAndView getAllCards() throws Exception {
                        logger.info("Entering");
                        ....
                        ....
                        ....
                        ModelAndView mav =
                            new ModelAndView("myAppXmlView", BindingResult.MODEL_KEY_PREFIX + "myapp", collect);
                        logger.info("Exiting");
                        return mav;
                    }
                    ..........................
                    ..........................
                    ...........................
                }



                • #9
                  Originally posted by Chandra Praba
                  Can you tell me how I handle 404 and 500 exceptions?
                  Configure exception mappings in your web.xml. Note that your question doesn't seem to be related to Spring Security, so you shouldn't really be posting it here.

                  I'll also second the comment about thread hijacking - please don't post unrelated questions in existing threads. Start a new thread and clearly explain what you need to know, posting links to other threads if you want to reference relevant content.



                  • #10
                    Originally posted by jamestastic
                    Here's an example that might steer you in the right direction.
                    This looks like a great article, James, but I can't find the solution I'm looking for in there. Suppose I have a similar REST service /rest/cust/${custNum}/orders where ${custNum} is the customer ID. I want to restrict the viewing of customer orders to certain sales representatives who have been associated with that customer; is this possible?

                    Role-based security is too broad: it states "you do or don't have access to data", not access to pieces of data under certain conditions. Another example could be from the article you posted: say the employee wanted to access their own salary but shouldn't be able to access other employees'. How would that be achieved?

                    Would I need to do service-level requests like this manually by passing in the user name each time the request is called?



                    • #11
                      I think this kind of fine-grained access control should be possible with a custom AccessDecisionManager.


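                      The custom AccessDecisionManager route suggested in #11, worked through for the /rest/cust/${custNum}/orders case from #10 (an added example written for this thread, not code from the original posts or from Spring Security). Rather than replacing the whole manager, the usual approach is to add an AccessDecisionVoter to one of the stock managers (UnanimousBased or AffirmativeBased): the voter reacts to a custom config attribute on the intercept-url, pulls the customer number out of the request URL, and grants access only if the authenticated sales rep is assigned to that customer. The CUSTOMER_OWNER attribute name, the CustomerAssignmentRepository interface and the demo data are assumptions; the in-memory repository is constructed for illustration and would be a DAO in a real application.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/**
 * Votes on web requests carrying the CUSTOMER_OWNER attribute. Grants access to
 * /rest/cust/{custNum}/orders only when the caller is a rep assigned to custNum;
 * abstains for every other attribute so RoleVoter and friends still work as before.
 */
public class CustomerOwnerVoter implements AccessDecisionVoter {

    /** Assumed attribute name, used as access="CUSTOMER_OWNER" on an intercept-url. */
    public static final String ATTRIBUTE = "CUSTOMER_OWNER";

    // Anchored and character-restricted so that extra segments or odd encodings fail closed.
    private static final Pattern ORDERS_URL =
        Pattern.compile("^/rest/cust/([A-Za-z0-9_-]+)/orders/?$");

    /** Hypothetical lookup of sales-rep to customer assignments. */
    public interface CustomerAssignmentRepository {
        boolean isAssigned(String username, String custNum);
    }

    private final CustomerAssignmentRepository assignments;

    public CustomerOwnerVoter(CustomerAssignmentRepository assignments) {
        this.assignments = assignments;
    }

    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object object, Collection<ConfigAttribute> attributes) {
        boolean applies = false;
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                applies = true;
                break;
            }
        }
        if (!applies) {
            return ACCESS_ABSTAIN;           // not our rule; leave it to the other voters
        }
        if (authentication == null || !authentication.isAuthenticated()) {
            return ACCESS_DENIED;
        }
        // getRequestUrl() includes the query string; drop it before matching so that a
        // parameter containing "/rest/cust/1/orders" cannot influence the decision.
        String url = ((FilterInvocation) object).getRequestUrl();
        int q = url.indexOf('?');
        if (q >= 0) {
            url = url.substring(0, q);
        }
        Matcher m = ORDERS_URL.matcher(url);
        if (!m.matches()) {
            return ACCESS_DENIED;            // attribute present but URL shape unexpected: fail closed
        }
        String custNum = m.group(1);
        return assignments.isAssigned(authentication.getName(), custNum) ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    /** Constructed demo data: alice covers customers 1001 and 1002, bob only 1002. */
    public static CustomerAssignmentRepository demoRepository() {
        final Map<String, Set<String>> table = new HashMap<String, Set<String>>();
        table.put("alice", new HashSet<String>(Arrays.asList("1001", "1002")));
        table.put("bob", new HashSet<String>(Arrays.asList("1002")));
        return new CustomerAssignmentRepository() {
            public boolean isAssigned(String username, String custNum) {
                Set<String> customers = table.get(username);
                return customers != null && customers.contains(custNum);
            }
        };
    }
}
```

                      Wiring: declare a UnanimousBased (or AffirmativeBased) bean whose decisionVoters list holds the stock RoleVoter plus this voter, reference it from the http element with access-decision-manager-ref, and add an intercept-url for /rest/cust/** with access="CUSTOMER_OWNER" (this requires the namespace's expression mode to be off, since the attribute is a plain string). The RoleVoter abstains on attributes that don't start with ROLE_, so this voter alone decides those URLs, and with the repository above bob is denied /rest/cust/1001/orders while alice is granted it. Two caveats a practitioner should keep in mind: a URL-based vote only protects that URL, so an order that is also reachable via the /Orders/7777 style path from the first post needs its own rule, and if the same data is served by several endpoints it is safer to enforce the rep-to-customer check once at the service layer (Spring Security 3.0's method-level @PreAuthorize with hasPermission and a custom PermissionEvaluator is the equivalent hook there).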