Is it possible to do conditional injection with Spring Security?

1

What would you recommend when, for example, a user cannot access an object X?

For example:

  

URL: /student/{id}

The user who is the DIRECTOR of a school has access to the profiles of all the students of the school he directs. The user who is a TEACHER at a school has access to the profiles of all the students of the classes he teaches.

So how would I do this using Spring Security?

One more thing

I have a screen where I search for students, the usual screen with several filters, pagination, etc. There I also wanted to apply the same requirement as above (from the URL).

I would want the search screen to show only the students of the classes he teaches when the user is a teacher, and only the students of the school he directs when he is a director. I thought of an interesting way, but I do not know how to inject the correct implementation when the MVC Controller is created.

Example:

import java.util.List;
import java.util.Map;

public interface AlunoRepository {

    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size);

}

Now the specific implementations for each PROFILE follow.

Teacher-specific implementation:

import java.util.List;
import java.util.Map;

public class AlunoRepositoryImpl4Professor implements AlunoRepository {

    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size){
        return // returns a list containing only the students of the classes he teaches, filtered by the parameters
    }

}

Director-specific implementation:

import java.util.List;
import java.util.Map;

public class AlunoRepositoryImpl4Diretor implements AlunoRepository {

    public List<Aluno> getAlunoByParams(Map<String, Object> params, int offset, int size){
        return // returns a list containing only the students of the school he directs, filtered by the parameters
    }

}

Controller:

import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class AlunoController {

    @Autowired
    private AlunoRepository repository; // how do I inject the AlunoRepository that matches the profile in use here?

    @GetMapping("/alunos")
    @ResponseBody
    public List<Aluno> query(@RequestParam Map<String, Object> params,
                             @RequestParam int offset,
                             @RequestParam int size){
        return repository.getAlunoByParams(params, offset, size);
    }

}
asked by anonymous 07.06.2016 / 23:19

1 answer

0

Note that your methods have different purposes, so it would be worth separating the responsibilities as follows:

  • getAlunosByEscola: method that returns the list of students of the school, using an INNER JOIN with the table that stores which school the director is linked to.

  • getAlunosByTurma: method that returns the list of students in the teacher's classes, using an INNER JOIN with the table that stores which classes the teacher is linked to.

You can also set profile-specific permissions on your methods by using @PreAuthorize, as follows:

import java.util.List;
import java.util.Map;
import org.springframework.security.access.prepost.PreAuthorize;

@PreAuthorize("hasRole('DIRETOR')")
public List<Aluno> getAlunosByEscola(Map<String, Object> params, int offset, int size);

// Note: in SpEL, 'AND' means the caller must hold BOTH roles at once;
// use 'OR' or hasAnyRole('DIRETOR','PROFESSOR') if either role should suffice.
@PreAuthorize("hasRole('DIRETOR') AND hasRole('PROFESSOR')")
public List<Aluno> getAlunosByTurma(Map<String, Object> params, int offset, int size);

But if your architecture does not allow it, another solution you could try would be to pass an extra parameter in your parameter list to change the join, i.e. to perform a different INNER JOIN according to the list received.

Hug.

answered 08.09.2016 / 20:17
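An added example (not code from the question or the answer) of the approach the answer suggests: instead of trying to inject a different `AlunoRepository` per profile, a service checks the caller's role and dispatches to the repository that already restricts rows to that caller's school or classes. `Aluno`, the two repository implementations, the role names `DIRETOR`/`PROFESSOR` and the class name `AlunoService` are assumed from the question; the repository implementations are assumed to resolve the caller's school or classes from the authenticated principal, not from a request parameter.

```java
import java.util.List;
import java.util.Map;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Assumed class: one service in front of the two profile-specific repositories.
@Service
public class AlunoService {

    private final AlunoRepositoryImpl4Diretor diretorRepository;
    private final AlunoRepositoryImpl4Professor professorRepository;

    public AlunoService(AlunoRepositoryImpl4Diretor diretorRepository,
                        AlunoRepositoryImpl4Professor professorRepository) {
        this.diretorRepository = diretorRepository;
        this.professorRepository = professorRepository;
    }

    // Callers with neither role are rejected before the method body runs
    // (requires @EnableMethodSecurity / @EnableGlobalMethodSecurity(prePostEnabled = true)).
    @PreAuthorize("hasAnyRole('DIRETOR', 'PROFESSOR')")
    public List<Aluno> buscar(Map<String, Object> params, int offset, int size) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // The data scope (school vs. classes) comes from the authenticated role,
        // never from a client-supplied filter, so it cannot be widened by editing
        // the query string of the search screen.
        if (hasAuthority(auth, "ROLE_DIRETOR")) {
            return diretorRepository.getAlunoByParams(params, offset, size);
        }
        return professorRepository.getAlunoByParams(params, offset, size);
    }

    // hasRole('DIRETOR') in SpEL matches the granted authority "ROLE_DIRETOR".
    private static boolean hasAuthority(Authentication auth, String authority) {
        return auth != null && auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(authority::equals);
    }
}
```

The same pattern covers `/student/{id}`: the single-student lookup goes through the role-scoped repository as well, so a student outside the caller's school or classes is simply not found rather than relying on a check in the controller.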