Open cguckes opened 7 years ago
Actually, I'm interested in that phenomenon across ALL our mediatypes. Given we have HAL, HAL+Forms, Collection+JSON, Uber, SIREN, XHTML, ALPS, and JSON Schema, I am researching a comprehensive way to query Spring Security and ask, "is this link valid?"
That would feed the ability to conditionalize links to support the "is the link there or not?" concept as shown in @olivergierke 's article => http://olivergierke.de/2016/04/benefits-of-hypermedia/.
I briefly chatted with @rwinch maybe two years ago about doing this. He brainstormed a way to "make the call" using a proxy, and capturing PASS/FAIL from a security perspective. But I also need @olivergierke 's agreement on this approach.
As part and parcel of this, I would like to pull any details of ALPS found in Spring Data REST into Spring HATEOAS, so Spring HATEOAS users can get maximum benefit. Same goes for JSON Schema, which I believe is completely implemented in Spring Data REST.
Nevertheless, this whole effort will probably not be undertaken until we can finish reviewing and merging the Affordances API, a big addition to Spring HATEOAS.
As I said, I'd be happy to contribute, once the best way to do this is clear. That proxy idea seems a bit "hacky" for my taste... It would be nicer to extend Spring Security to contain functions a la "would this call on this object pass pre and post conditions". I'm sure there are more uses for such a functionality, or am I misinterpreting the proxy idea?
Why not use SpEL expressions?
Do you mean extract the Security SpEL expression and evaluate it? We'd have to ensure we covered all combinations. It's why I prefer invoking a Spring Security API instead. Since this sounds outside the box, I want to work with Rob or Joe to find the best approach. Might build a new API.
Something like this: linkTo(method, 2L).withSelfRel().when("hasRole('ROLE_ADMIN')")
I see.
I'm talking about this:
```java
@RestController
class SampleController {

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/foo")
    Foo findFoo() {
        // find a Foo
        return null; // placeholder body, the lookup itself is not the point here
    }
}
```
Secure your controller. And then have a link to that method conditional based on the current user's SecurityContext. Developer shouldn't need anything special to have links honor security.
Naturally this should ALSO support the old @Secured annotation as well as JSR-250 annotations.
It would be really nice to get @PreAuthorize expression to do a conditional link rendering.
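The conditional-link idea described above, as an added example that is not the project's own code: it reuses Spring Security's MethodSecurityExpressionHandler to evaluate the target controller method's @PreAuthorize expression against the current SecurityContext and builds the link only when that check passes. It assumes Spring HATEOAS 1.x (WebMvcLinkBuilder) and an injected MethodSecurityExpressionHandler bean; the class and method names are hypothetical, and @Secured / JSR-250 annotations are not handled.

```java
import java.lang.reflect.Method;
import java.util.Optional;

import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.expression.Expression;
import org.springframework.hateoas.Link;
import org.springframework.hateoas.server.mvc.WebMvcLinkBuilder;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.util.SimpleMethodInvocation;

// Hypothetical helper (not part of Spring HATEOAS): renders a link only when the
// current user would pass the target method's @PreAuthorize check.
public class ConditionalLinks {

    private final MethodSecurityExpressionHandler handler;

    public ConditionalLinks(MethodSecurityExpressionHandler handler) {
        this.handler = handler; // the same handler Spring Security uses for method security
    }

    /** True when no @PreAuthorize is declared or its expression evaluates to true for the current user. */
    public boolean isAllowed(Object controller, Method method, Object... args) {
        PreAuthorize pre = AnnotationUtils.findAnnotation(method, PreAuthorize.class);
        if (pre == null) {
            return true; // unsecured method: always link
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false; // fail closed: no authentication, no link
        }
        // Parse with Spring Security's own parser so hasRole(), hasAuthority(), #param etc. resolve
        // exactly as they would at invocation time.
        Expression expr = handler.getExpressionParser().parseExpression(pre.value());
        return ExpressionUtils.evaluateAsBoolean(expr,
                handler.createEvaluationContext(auth, new SimpleMethodInvocation(controller, method, args)));
    }

    /** Builds the link only if the check passes; callers attach it with Optional.ifPresent(model::add). */
    public Optional<Link> linkIfAllowed(Object controller, Method method, Object... args) {
        if (!isAllowed(controller, method, args)) {
            return Optional.empty();
        }
        return Optional.of(WebMvcLinkBuilder.linkTo(method, args).withSelfRel());
    }
}
```

Expressions that reference method parameters by name (#id) only resolve if the controller was compiled with parameter names retained, the same constraint method security itself has.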
I love the idea @gregturn!
@gregturn is there any timeline for this feature? Spring Security provides this interface for programmatic access rights evaluation: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/access/WebInvocationPrivilegeEvaluator.html
I'd love to have the ability to remove certain ALPS entries like "CREATE" and "DELETE" if the user lacks the privileges to call these functions. I'm not sure, though, if this is in accordance with the idea of ALPS itself. This allows me to generate buttons in the frontend depending on the access rights of the logged-in user. I can implement this myself, if you give me a nudge in the right direction; I don't quite know where that would fit in your design.