mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-01 09:42:13 +00:00
SEC-2870: Add Spring Data Documentation
This commit is contained in:
parent
37740cd020
commit
bfa12ade40
@ -6201,6 +6201,52 @@ public class CsrfController {
|
|||||||
It is important to keep the `CsrfToken` a secret from other domains.
|
It is important to keep the `CsrfToken` a secret from other domains.
|
||||||
This means if you are using https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS[Cross Origin Sharing (CORS)], you should **NOT** expose the `CsrfToken` to any external domains.
|
This means if you are using https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS[Cross Origin Sharing (CORS)], you should **NOT** expose the `CsrfToken` to any external domains.
|
||||||
|
|
||||||
|
[[data]]
|
||||||
|
= Spring Data Integration
|
||||||
|
|
||||||
|
Spring Security provides Spring Data integration that allows referring to the current user within your queries.
|
||||||
|
It is not only useful but necessary to include the user in the queries to support paged results since filtering the results afterwards would not scale.
|
||||||
|
|
||||||
|
[[data-configuration]]
|
||||||
|
== Spring Data & Spring Security Configuration
|
||||||
|
|
||||||
|
To use this support, provide a bean of type `SecurityEvaluationContextExtension`.
|
||||||
|
In Java Configuration, this would look like:
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@Bean
|
||||||
|
public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
|
||||||
|
return new SecurityEvaluationContextExtension();
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
In XML Configuration, this would look like:
|
||||||
|
|
||||||
|
[source,xml]
|
||||||
|
----
|
||||||
|
<bean class="org.springframework.security.data.repository.query.SecurityEvaluationContextExtension"/>
|
||||||
|
----
|
||||||
|
|
||||||
|
[[data-query]]
|
||||||
|
== Security Expressions within @Query
|
||||||
|
|
||||||
|
Now Spring Security can be used within your queries.
|
||||||
|
For example:
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@Repository
|
||||||
|
public interface MessageRepository extends PagingAndSortingRepository<Message,Long> {
|
||||||
|
@Query("select m from Message m where m.to.id = ?#{ principal?.id }")
|
||||||
|
Page<Message> findInbox(Pageable pageable);
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
This checks to see if the `Authentication.getPrincipal().getId()` is equal to the recipient of the `Message`.
|
||||||
|
Note that this example assumes you have customized the principal to be an Object that has an id property.
|
||||||
|
By exposing the `SecurityEvaluationContextExtension` bean, all of the <<common-expressions,Common Security Expressions>> are available within the Query.
|
||||||
|
|
||||||
= Appendix
|
= Appendix
|
||||||
|
|
||||||
[[appendix-schema]]
|
[[appendix-schema]]
|
||||||
|
Loading…
x
Reference in New Issue
Block a user