#1 Registered User (Devshed Newbie, joined Sep 2009, 7 posts)

Security between users in Spring

I have made an app that has user accounts.
I have implemented Spring Security to authenticate and limit access to resources such as admin pages.

What I'm wondering is what is standard practice to limit access to pages like "user profile" that all regular users have access to, but for each user, their id as a URL parameter determines which profile they view. How do I allow User A to view their profile while keeping User B from putting User A's id in the URL and seeing their profile?

Do you just put the logic right in the controller? And if the id doesn't belong to the authenticated user, then you redirect them away from the page? Or is there something built into Spring Security that can handle this granular security for me?
#2 Feelin' Groovy (Devshed Supreme Being, joined Aug 2001, WDSMIA, 10,135 posts)

One solution is to not use a URL parameter to identify the appropriate user profile at all. Use the principal (i.e., the authenticated user) that is supplied by Spring Security. Just have the controller bring up the appropriate domain object (e.g., AccountProfile or whatever) for the principal. Spring Security can also be configured to require authentication before accessing the profile page.

That would be the simplest, most pragmatic way, I believe.

~
Yawmark
class Sig{public static void main(String...args){\u0066or(int
\u0020$:"v\"ʲ\"vΤ\"".to\u0043h\u0061rArray()
)System./*goto/*$/%\u0126//^\u002A\u002Fout.print((char)(($>>
+(~'"'&'#'))+('<'>>('\\'/'.')/\u002Array.const(~1)\*\u002F)));}}
#3 Registered User (Devshed Newbie, joined Sep 2009, 7 posts)

Makes sense. I can implement a user profile page that way. I'm still wondering about other pages that are owned by a single user, such as a content page. For example, a photo album. The photo album has an id, so the user would click the /album.htm?id=123 link. This is more the scenario I was wondering about.

Thanks-

Originally Posted by Yawmark
One solution is to not use a URL parameter to identify the appropriate user profile at all. Use the principal (i.e., the authenticated user) that is supplied by Spring Security. Just have the controller bring up the appropriate domain object (e.g., AccountProfile or whatever) for the principal. Spring Security can also be configured to require authentication before accessing the profile page.

That would be the simplest, most pragmatic way, I believe.

~
#4 Feelin' Groovy (Devshed Supreme Being, joined Aug 2001, WDSMIA, 10,135 posts)

Originally Posted by Registered User
The photo album has an id, so the user would click the /album.htm?id=123 link. This is more the scenario I was wondering about.

Same idea. If it's only ever just a single user who can "own" an album, store that information with/in the album and check the principal against it. If you want to maintain a list of viewers, use a many-to-many relationship of albums<->accounts and authenticate the principal against that information.

~
Yawmark
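As an added illustration of the check described in the reply above (not code from the thread, and not Spring's own sample code): the album record carries its owner and an optional viewer list, and a named bean compares the authenticated principal against both before the controller body runs. Album, AlbumRepository and the albumAccess bean are hypothetical names; it assumes annotation-style Spring MVC and Spring Security with pre/post method-security annotations enabled (the XML equivalent of that switch works the same way).

```java
import java.util.Set;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

/** Hypothetical domain object: owner and viewer list are stored with the album. */
class Album {
    long id;
    String ownerUsername;          // the single user who "owns" the album
    Set<String> viewerUsernames;   // many-to-many albums<->accounts, if sharing is wanted
    boolean canBeViewedBy(String username) {
        return ownerUsername.equals(username) || viewerUsernames.contains(username);
    }
}

/** Hypothetical lookup; returns null when no album has that id. */
interface AlbumRepository { Album findById(long id); }

/** The rule lives in a named bean so @PreAuthorize can call it by name. */
@Component("albumAccess")
class AlbumAccess {
    private final AlbumRepository repo;
    AlbumAccess(AlbumRepository repo) { this.repo = repo; }
    public boolean canView(long albumId, Authentication authentication) {
        Album album = repo.findById(albumId);
        // Missing album or no principal: deny, so a guessed id looks exactly like a forbidden one.
        return album != null && authentication != null && album.canBeViewedBy(authentication.getName());
    }
}

@Controller
class AlbumController {
    private final AlbumRepository repo;
    AlbumController(AlbumRepository repo) { this.repo = repo; }

    // Evaluated before the body runs; a false result raises AccessDeniedException (HTTP 403).
    // "#id" needs method parameter names at runtime (compile with -parameters or annotate with @P).
    @PreAuthorize("@albumAccess.canView(#id, authentication)")
    @RequestMapping("/album.htm")
    public String show(@RequestParam("id") long id, Model model) {
        model.addAttribute("album", repo.findById(id));
        return "album";
    }
}
```

The same canView method can be called directly from a controller body and an AccessDeniedException thrown on false, which answers the "logic right in the controller" variant asked about in the first post; putting it behind @PreAuthorize just keeps the rule in one place.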
