From 64e47e7f77a887e29da95cc1443d66cddc9c73c6 Mon Sep 17 00:00:00 2001 From: Michael Pratt Date: Tue, 21 Apr 2020 10:25:27 -0600 Subject: [PATCH] BAEL-3972: check user roles in Java --- .../app/controller/TaskController.java | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) diff --git a/spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java b/spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java index a084f14eca..95f855c1e5 100644 --- a/spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java +++ b/spring-security-modules/spring-security-core/src/main/java/com/baeldung/app/controller/TaskController.java @@ -1,8 +1,15 @@ package com.baeldung.app.controller; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @@ -10,6 +17,8 @@ import org.springframework.web.bind.annotation.RequestMethod; import com.baeldung.app.entity.Task; import com.baeldung.app.service.TaskService; +import javax.servlet.http.HttpServletRequest; + @Controller @RequestMapping("api/tasks") public class TaskController { @@ -17,6 +26,9 @@ public class TaskController { @Autowired private TaskService taskService; + @Autowired(required = false) + private UserDetailsService userDetailsService; + @RequestMapping(method = RequestMethod.GET) public ResponseEntity> findAllTasks() { Iterable tasks = taskService.findAll(); @@ -30,4 +42,66 @@ public class TaskController { return ResponseEntity.ok().body(tasks); } + + /** + * Example of restricting specific endpoints to specific roles using @PreAuthorize. + */ + @GetMapping("/manager") + @PreAuthorize("hasRole('ROLE_MANAGER')") + public ResponseEntity> getAlManagerTasks() + { + Iterable tasks = taskService.findAll(); + + return ResponseEntity.ok().body(tasks); + } + + /** + * Example of restricting specific endpoints to specific roles using SecurityContext. + */ + @GetMapping("/actuator") + public ResponseEntity> getAlActuatorTasks() + { + Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + if (auth != null && auth.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ACTUATOR"))) + { + return ResponseEntity.status(HttpStatus.FORBIDDEN).build(); + } + + Iterable tasks = taskService.findAll(); + + return ResponseEntity.ok().body(tasks); + } + + /** + * Example of restricting specific endpoints to specific roles using UserDetailsService. + */ + @GetMapping("/admin") + public ResponseEntity> getAlAdminTasks() + { + if(userDetailsService != null) { + UserDetails details = userDetailsService.loadUserByUsername("pam"); + if (details != null && details.getAuthorities().stream().anyMatch(a -> a.getAuthority().equals("ADMIN"))) { + return ResponseEntity.status(HttpStatus.FORBIDDEN).build(); + } + } + + Iterable tasks = taskService.findAll(); + + return ResponseEntity.ok().body(tasks); + } + + /** + * Example of restricting specific endpoints to specific roles using HttpServletRequest. + */ + @GetMapping("/admin2") + public ResponseEntity> getAlAdminTasksUsingServlet(HttpServletRequest request) + { + if (!request.isUserInRole("ROLE_ADMIN")) { + return ResponseEntity.status(HttpStatus.FORBIDDEN).build(); + } + + Iterable tasks = taskService.findAll(); + + return ResponseEntity.ok().body(tasks); + } }