iSharkFly-Docs/java-tutorials
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #9160 from michael-pratt/BAEL-3972

Browse Source 
BAEL-3972: check user roles in Java
This commit is contained in:
Eric Martin 2020-04-25 21:59:51 -05:00 committed by GitHub
commit 5ddf7ef391
1 changed files with 70 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java
View File

@ -1,8 +1,15 @@
package com.baeldung.app.controller;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@ -10,6 +17,8 @@ import org.springframework.web.bind.annotation.RequestMethod;
import com.baeldung.app.entity.Task;
import com.baeldung.app.service.TaskService;
import javax.servlet.http.HttpServletRequest;
@Controller
@RequestMapping("api/tasks")
public class TaskController {
@ -17,6 +26,9 @@ public class TaskController {
@Autowired
private TaskService taskService;
@Autowired(required = false)
private UserDetailsService userDetailsService;
@RequestMapping(method = RequestMethod.GET)
public ResponseEntity<Iterable<Task>> findAllTasks() {
Iterable<Task> tasks = taskService.findAll();
@ -30,4 +42,62 @@ public class TaskController {
return ResponseEntity.ok().body(tasks);
}
/**
* Example of restricting specific endpoints to specific roles using @PreAuthorize.
*/
@GetMapping("/manager")
@PreAuthorize("hasRole('ROLE_MANAGER')")
public ResponseEntity<Iterable<Task>> getAlManagerTasks() {
Iterable<Task> tasks = taskService.findAll();
return ResponseEntity.ok().body(tasks);
}
/**
* Example of restricting specific endpoints to specific roles using SecurityContext.
*/
@GetMapping("/actuator")
public ResponseEntity<Iterable<Task>> getAlActuatorTasks() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null && auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ACTUATOR")))
{
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
}
Iterable<Task> tasks = taskService.findAll();
return ResponseEntity.ok().body(tasks);
}
/**
* Example of restricting specific endpoints to specific roles using UserDetailsService.
*/
@GetMapping("/admin")
public ResponseEntity<Iterable<Task>> getAlAdminTasks() {
if(userDetailsService != null) {
UserDetails details = userDetailsService.loadUserByUsername("pam");
if (details != null && details.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ADMIN"))) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
}
}
Iterable<Task> tasks = taskService.findAll();
return ResponseEntity.ok().body(tasks);
}
/**
* Example of restricting specific endpoints to specific roles using HttpServletRequest.
*/
@GetMapping("/admin2")
public ResponseEntity<Iterable<Task>> getAlAdminTasksUsingServlet(HttpServletRequest request) {
if (!request.isUserInRole("ROLE_ADMIN")) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
}
Iterable<Task> tasks = taskService.findAll();
return ResponseEntity.ok().body(tasks);
}
}