From bfa12ade40cbd413dc1631f6b140ce7358304ae6 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Tue, 24 Feb 2015 16:08:46 -0600 Subject: [PATCH] SEC-2870: Add Spring Data Documentation --- docs/manual/src/docs/asciidoc/index.adoc | 46 ++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/docs/manual/src/docs/asciidoc/index.adoc b/docs/manual/src/docs/asciidoc/index.adoc index a9a0356090..79f4a352d9 100644 --- a/docs/manual/src/docs/asciidoc/index.adoc +++ b/docs/manual/src/docs/asciidoc/index.adoc 
@@ -6201,6 +6201,52 @@ public class CsrfController { It is important to keep the `CsrfToken` a secret from other domains. This means if you are using https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS[Cross Origin Sharing (CORS)], you should **NOT** expose the `CsrfToken` to any external domains. +[[data]] += Spring Data Integration + +Spring Security provides Spring Data integration that allows referring to the current user within your queries. +It is not only useful but necessary to include the user in the queries to support paged results since filtering the results afterwards would not scale. + +[[data-configuration]] +== Spring Data & Spring Security Configuration + +To use this support, provide a bean of type `SecurityEvaluationContextExtension`. +In Java Configuration, this would look like: + +[source,java] +---- +@Bean +public SecurityEvaluationContextExtension securityEvaluationContextExtension() { + return new SecurityEvaluationContextExtension(); +} +---- + +In XML Configuration, this would look like: + +[source,xml] +---- + +---- + +[[data-query]] +== Security Expressions within @Query + +Now Spring Security can be used within your queries. +For example: + +[source,java] +---- +@Repository +public interface MessageRepository extends PagingAndSortingRepository { + @Query("select m from Message m where m.to.id = ?#{ principal?.id }") + Page findInbox(Pageable pageable); +} +---- + +This checks to see if the `Authentication.getPrincipal().getId()` is equal to the recipient of the `Message`. +Note that this example assumes you have customized the principal to be an Object that has an id property. +By exposing the `SecurityEvaluationContextExtension` bean, all of the <> are available within the Query. + = Appendix [[appendix-schema]]
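Review bot: the XML configuration example in this hunk is an empty `[source,xml]` block (the two `----` delimiters enclose nothing), so a reader following the XML path gets no bean definition at all; it needs the `<bean>` element that registers `SecurityEvaluationContextExtension`, mirroring the Java `@Bean` example directly above it. In the same hunk the repository example has lost its generic type arguments (`PagingAndSortingRepository` and `Page findInbox(Pageable pageable)` appear without the entity type `Message` and its id type), and the closing cross-reference reads `<>` with no target, so the link to the common security expressions section will not resolve; all three look like stripped angle brackets and should be restored before merge. One documentation point on the `@Query` example: the prose says it "checks to see if the `Authentication.getPrincipal().getId()` is equal to the recipient", but the expression `?#{ principal?.id }` uses SpEL safe navigation, so with no authenticated principal the bind value is `null` and the query matches no rows rather than throwing; worth stating explicitly so readers understand that the filter fails closed and why the `?.` is there.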