katharsis-project / katharsis-framework

Katharsis adds a powerful layer for RESTful endpoints providing an implementation of the JSON:API standard
http://katharsis.io
Apache License 2.0
135 stars, 65 forks

When using the Katharsis Spring Boot integration, method security doesn't work. #413

Closed jianglibo closed 7 years ago

jianglibo commented 7 years ago

I encountered this problem and tried to solve it by myself, but failed. Below is the code (a spring-data repo).

    // Cannot delete yourself.
    @PreAuthorize("hasRole('ADMINISTRATOR') and (#e.id != principal.id)")
    public void delete(@P("e") BootUser entity);

When I invoke the method from a Spring controller, it works. When I inject the spring-data repo into a Katharsis repo, the method security is just ignored.

```java
public abstract class DtoRepositoryBase<T extends Dto<T, E>, L extends ResourceListBase<T, DtoListMeta, DtoListLinks>, E extends BaseEntity>
        extends ResourceRepositoryBase<T, Long> {

    // MethodSecurityMetadataSourceAdvisor
    private final RepositoryBase<E> repository; // spring-data repository, injected into the Katharsis repository

    @Override
    public void delete(Long id) {
        repository.delete(id); // delegates to the spring-data repository
    }
}
```

I tried not using KatharsisConfigurationV3, which uses a filter, and instead embedded Katharsis in a Spring controller. It still does not work.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class KatharsisController {

    @Autowired
    private KatharsisProcessor processor; // I copied the code logic from KatharsisFilterV2

    // JSON:API requests are handed to the Katharsis processor from inside a Spring MVC
    // controller instead of from a servlet filter.
    @RequestMapping(value = "/jsonapi/**")
    public void process(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        try {
            processor.process(request, response);
        } catch (Exception e) {
            e.printStackTrace();
            throw e; // rethrow after logging
        }
    }
}
```

I'm not sure whether it is a Spring Security problem or a Katharsis problem.

jianglibo commented 7 years ago

I finally solved the problem. It's not a Katharsis problem. Can I delete this post?

masterspambot commented 7 years ago

Just close it 😉

On Tue, 11 Apr 2017, 09:43 libo, notifications@github.com wrote:

> I finally solved the problem. It's not a Katharsis problem. Can I delete this post?


jianglibo commented 7 years ago

The answer may help others, so I wrote it down here, then closed it. spring-data repositories use many AOP and proxy technologies. If you inherit a base repository interface across multiple levels, take care of the intermediate interface: you must override the super interface's method with the accurate type. This is the problem.

```java
import java.util.List;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
import org.springframework.data.repository.NoRepositoryBean;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;

import io.katharsis.queryspec.QuerySpec;
import io.katharsis.repository.ResourceRepositoryBase;
import io.katharsis.resource.list.ResourceListBase;

// This is the intermediate interface. I missed overriding void delete(Long id);
@NoRepositoryBean
public interface RepositoryBase<T> extends JpaRepository<T, Long>, JpaSpecificationExecutor<T> {

    List<T> findAll(QuerySpec querySpec);

    long count(QuerySpec querySpec);

    // It's important: redeclare delete with the concrete id type.
    void delete(Long id);
}

public interface BootUserRepository extends RepositoryBase<BootUser> {
    @PreAuthorize("hasRole('ADMINISTRATOR') and (#e.id != principal.id)")
    public void delete(@P("e") BootUser entity);
}

public class UserDtoRepositoryImpl extends DtoRepositoryBase<UserDto, UserDtoList, BootUser> implements UserDtoRepository {
}

public abstract class DtoRepositoryBase<T extends Dto<T, E>, L extends ResourceListBase<T, DtoListMeta, DtoListLinks>, E extends BaseEntity>
        extends ResourceRepositoryBase<T, Long> {

    // This is a generic spring-data repository. Because it is generic, the final call is
    // repository.delete(Serializable id), not repository.delete(Long id), and
    // repository.delete(Serializable id) is not protected by method security. That's the problem!
    private final RepositoryBase<E> repository;

    @Override
    public void delete(Long id) {
        repository.delete(id);
    }
}
```