Monday, 11 July 2016

Spring Security - Attribute-level security restriction in REST API

We are in the process of implementing a REST API on top of our existing services backend. The controller has the following simple getter method, which returns JSON.

The controller method

@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<IDTO> getIDTO(@PathVariable long id) {
}

DTO Interface

public interface IDTO {
    public long getId();
    public double getCost();
    public void setCost(double cost);
    public double getPrice();
}

I need to restrict the "cost" attribute according to the user's permission, in both the getter and the setter.

I have tried with custom @PostAuthorize() and @PreAuthorize().

But with this method, I have to use reflection to read each field associated with the DTO, which might produce slower execution for large DTOs.

What is the correct way of achieving this?
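One way to restrict "cost" per user without reflecting over DTO fields inside an authorization expression, as an added example that is not from the original post: Jackson's @JsonView on the DTO plus a Spring MVC response advice that picks the view from the caller's authorities. It assumes Spring MVC 4.1+ with Jackson 2 and Spring Security on the classpath; Views, CostViewAdvice and the PERM_VIEW_COST authority are hypothetical names, and it covers only the response (getter) side.

```java
import com.fasterxml.jackson.annotation.JsonView;
import org.springframework.core.MethodParameter;
import org.springframework.http.MediaType;
import org.springframework.http.converter.json.MappingJacksonValue;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.AbstractMappingJacksonResponseBodyAdvice;

// Hypothetical view markers: CostViewer extends Basic, so it sees Basic's fields plus cost.
class Views {
    interface Basic {}
    interface CostViewer extends Basic {}
}

// The DTO from the post with every property assigned to a view. Annotate all of them:
// Spring's default ObjectMapper drops properties that carry no @JsonView when a view is active.
interface IDTO {
    @JsonView(Views.Basic.class) long getId();
    @JsonView(Views.CostViewer.class) double getCost();
    @JsonView(Views.CostViewer.class) void setCost(double cost);
    @JsonView(Views.Basic.class) double getPrice();
}

// Runs for every Jackson-serialized response body (including ResponseEntity bodies)
// and selects the serialization view once per response, with no per-field reflection here.
@ControllerAdvice
class CostViewAdvice extends AbstractMappingJacksonResponseBodyAdvice {
    static final String COST_AUTHORITY = "PERM_VIEW_COST"; // hypothetical authority name

    @Override
    protected void beforeBodyWriteInternal(MappingJacksonValue body, MediaType contentType,
            MethodParameter returnType, ServerHttpRequest request, ServerHttpResponse response) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Fail closed: no authentication or no matching authority means the Basic view.
        boolean mayViewCost = auth != null && auth.getAuthorities().stream()
                .anyMatch(a -> COST_AUTHORITY.equals(a.getAuthority()));
        body.setSerializationView(mayViewCost ? Views.CostViewer.class : Views.Basic.class);
    }
}
```

This only filters what is serialized in responses. A "cost" value arriving in a request body still needs a server-side permission check before setCost is applied.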




