Spring Data REST Partitioning Data


I was wondering, if one were to use Spring Security with Spring Data REST, would it be possible to partition the data so that the user of the REST API can only see data related to them?

More specifically, assuming Spring Data Neo4j exposed over HATEOAS with Spring Security. If the client is given an OAuth2 token, can that token be programmatically used to only give the user the subset of the graph that he created or that is related to him?

E.g. a bank is exposing some actions on an account. The client is given an OAuth token. The client should only be able to see and perform HTTP operations on their account, and not any other user's.

By default, once you have access to the HATEOAS endpoint, you can see all data. Is there any way to limit this, without too much heavy lifting?


There is 1 answer

George (best answer)

You can use @PreAuthorize to perform authorization checks before an operation and @PostFilter to filter the returned data.

Some examples:

import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;

// Runs only when the contact's name equals the authenticated principal's name
@PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);

// Removes every returned Book whose owner is not the authenticated principal
@PostFilter("filterObject.owner == authentication.name")
public List<Book> getBooks();