Spring Security - Sessions?

1

I have a project created with Spring Security and Spring MVC, and I have a URL of the following form:

universidad/acceso/infoNotas?idEstudiante=20

It turns out that when access to the URL is defined, it is defined for the teacher role in the following way:

.antMatchers("/acceso/**").access("hasRole('ROLE_DOCENTE')")

But each teacher has a list of courses he or she can access and should only see the grades of students in the courses he or she teaches. If I copy the URL from the work area of any teacher, even one who is not linked to the course of the student whose idEstudiante is referenced in the URL, that teacher can still see the student's grades. My question is how to solve this security problem, and I wonder whether it has to do with session handling and whether someone has a clue as to how to proceed. Thank you very much.

    
asked by Angelica Luna 12.02.2018 в 03:13
source

1 answer

2

Assuming that, since you have Spring Security, you have had to:

  • Implement org.springframework.security.core.userdetails.UserDetailsService.
  • Implement, therefore, org.springframework.security.core.userdetails.UserDetails.
  • So you have a bean that holds the information you want about the user with an open session.

From here you have two simple options (possibly there are more, but these are the ones I have used at some point and they are simple):

Option A: Make all your controllers extend a parent class that has a method to obtain the user:

    @Controller
    public abstract class BaseController {
        protected MiUser getLoggedUser() {
            return (MiUser) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        }
    }

This way, in any controller you can get the user and filter your searches.

Option B: Add to each controller method the parameter to be injected by Spring:

    public ResponseEntity<List<Alumnos>> getAlumnos(@AuthenticationPrincipal MiUser principal) {
        ...
    }

In this way you can have a teacher see only the students that correspond to him, or see the details of a student only if that student is associated with the teacher in some way.

        
    answered by 12.02.2018 в 10:46
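As an added example (not code from the question or the answer above), here is how Option B can be applied to the infoNotas endpoint itself: the role check in the antMatcher only proves the caller is some teacher, so the handler scopes the student lookup to the courses of the authenticated teacher. MiUser, Estudiante, EstudianteRepository and the method names on them are hypothetical.

```java
import java.util.Optional;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class NotasController {

    // Hypothetical repository; findByIdAndCursoIdIn is assumed to return the student
    // only when its course is one of the given course ids.
    private final EstudianteRepository estudiantes;

    public NotasController(EstudianteRepository estudiantes) {
        this.estudiantes = estudiantes;
    }

    @GetMapping("/acceso/infoNotas")
    public ResponseEntity<?> infoNotas(@RequestParam("idEstudiante") long idEstudiante,
                                       @AuthenticationPrincipal MiUser docente) {
        // hasRole('ROLE_DOCENTE') already ran for /acceso/**; it says nothing about
        // which students this teacher may see, so the query itself is scoped to the
        // teacher's courses (MiUser.getCursoIds() is an assumed accessor).
        Optional<Estudiante> estudiante =
                estudiantes.findByIdAndCursoIdIn(idEstudiante, docente.getCursoIds());

        if (!estudiante.isPresent()) {
            // One response for "no such student" and "not your student": a teacher
            // editing idEstudiante in the URL learns nothing about other students.
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        return ResponseEntity.ok(estudiante.get().getNotas());
    }
}
```

The same scoped query can back the list endpoint from Option B, so every read of grades goes through the teacher's course list rather than through a separate check that is easy to forget in a new handler.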