How can Spring Security keep user A out of user B's data?

I know that Spring Security has a lot of role-based authorization capability. But what if I have two ordinary users accessing data? How do I keep User A from seeing records belonging to User B? For example, keeping User A from seeing the orders created by all other users?

Please note that this is NOT role-based authorization. User A and User B, etc., are all ordinary users, differing only in their identities.

In an existing Spring application I'm currently getting the job done with a filter in each DAO, ensuring that "... and user_id = $1 ..." is part of the queries. This also reduces the volume of fetched data, lowering database access costs.

In the future I will be breaking up my application into microservices. It seems to me that each microservice request must also have the UserDetails information. This sounds like an anti-pattern.

An API gateway would merely be a consumer of the approaches that I previously mentioned. So, is passing the UserDetails information to each microservice my best approach?

I hope the answer is not "create a role for each ordinary user, like 'ROLE_USER_A', 'ROLE_USER_B', etc."

Thanks,

Jerome.

Tags: spring, spring-security, authorization, jwt

Answers

answered 7 days ago mad_fox #1

> In an existing Spring application I'm currently getting the job done with a filter in each DAO, ensuring that "... and user_id = $1 ..." is part of the queries. This also reduces the volume of fetched data, lowering database access costs.

This is the correct approach.

> In the future I will be breaking up my application into microservices. It seems to me that each microservice request must also have the UserDetails information. This sounds like an anti-pattern.

There are several approaches you can use here. You could use Spring Security OAuth, and separate the authentication server out into its own component. Then the credentials will be stored in a central location. This will save you from having to pass the credentials around.

Another approach would be using perimeter security. Basically your gateway service would authenticate each request and then pass the user details to each component.

There are other approaches, but these two are pretty common.
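
The per-DAO owner filter discussed above, as an added example (not code from the original post, the answer, or Spring itself): the user id is read from the `SecurityContext` instead of from anything the caller sends. The `orders` table, its columns, the `Order` record, and the assumption that `user_id` stores the same value as `Authentication.getName()` are hypothetical.

```java
import java.util.List;
import java.util.Optional;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Repository;

// Added example. The "orders" table, its columns and the Order record are assumptions.
@Repository
public class OrderDao {

    public record Order(long id, String userId, String item) {}

    private static final RowMapper<Order> MAPPER = (rs, rowNum) ->
            new Order(rs.getLong("id"), rs.getString("user_id"), rs.getString("item"));

    private final JdbcTemplate jdbc;

    public OrderDao(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Identity comes from the authenticated security context, never from a
    // request parameter, path variable or body field the caller controls.
    private static String currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            throw new AuthenticationCredentialsNotFoundException("No authenticated user");
        }
        return auth.getName();
    }

    // Listing: only the caller's rows are fetched.
    public List<Order> findMine() {
        return jdbc.query(
                "SELECT id, user_id, item FROM orders WHERE user_id = ?",
                MAPPER, currentUserId());
    }

    // Lookup by id keeps the owner predicate, so asking for another user's
    // order id returns empty instead of the row.
    public Optional<Order> findMineById(long orderId) {
        return jdbc.query(
                "SELECT id, user_id, item FROM orders WHERE id = ? AND user_id = ?",
                MAPPER, orderId, currentUserId()).stream().findFirst();
    }
}
```

In a service configured as a Spring Security OAuth2 resource server with JWTs, `getName()` returns the token's `sub` claim by default, so the DAO needs no change when the identity arrives as a validated token.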
