I have a problem that each user can retrieve other users data from URL.
For instance, I have a rest api like this:
#GetMapping("/getFindByPersonId/{perId}")
#Timed
public List<ComboVahedAmoozeshi> getFindBySkhsIdCombo(#PathVariable Long perId){
return comboVahedAmoozeshiRepository.getFindBySkhsIdCombo(perId);
}
After authorization, each user can change id and get other users data like the image below:
Is there any suggestion to restrict each user to don`t have access to call the method? Or Jhipster have any options to use UUId to hide id?
Thanks from #atomferede for the right answer. I have to add jhi_user_id in other entities and used #postfilter annotation to limit user's access to data.
Although, maybe it`s a good idea to have this option in jhipster generator to enhance the security level and faster implementation.
I have a multi-tenant application. It's a school management system.
The application is configured to use Schema-Per-Tenant approach. But this is limited to only one schema access per request. I want to use three different schemas per request.
Each user has two schemas and an application wide common schema. Totally 3. I want to enable my app to switch between all three schemas under one rest call.
For example, if the request is to add a new Student, the student must be added to SCHEMA_A, an auto-generated user account for the student must be added to the COMMON_SCHEMA and the studentId must be added to the class in SCHEMA_B.
At present I use
entityManager.createNativeQuery("USE SCHEMA_A").executeUpdate();
add(student);
entityManager.createNativeQuery("USE COMMON_SCHEMA").executeUpdate();
add(generateUserForStudent(student));
entityManager.createNativeQuery("USE SCHEMA_B").executeUpdate();
addStudentToClass(student);
it works.
But I wonder if it is a valid approach.
I also am not sure if it will cause conflicts when multiple users are logged in at the same time.
Can someone guide me on this?
I've been trying to integrate my application with facebook for a very long time, but I can't find any good example how to do this without storing user connections. I know that there is project called spring-social and I can integrate it by implementing SocialConfigurer methods , but it requires UsersConnectionRepository, which is a bad idea.
I also don't want to redirect my requests since I already have facebook access id ( it's passed from other application ). I simply want to log in and create user in my db ( if didn't exist before )
How can I do this ?
Ideally I would like to have something like this :
facebookService.getUserDetails(facebookAccessId)
facebookService.getPhotos(facebookAccessId, ... )
No sessions etc
So you just want to create a new user in your DB if it does not exist right? And no open connection? Then you can use JPA (When you are working with Java) or Entity-Framework (.NET).
In JPA you can work in combination with objectdb. http://www.objectdb.com/
It's as simple as it sounds. (You can handle all with JPQL (SQL for JPA))
When you are also working with Maven you can implement JPA & Objectdb with this code: http://m2.objectdb.com/
I want to get list of all roles in netsuite.
I am using wsdl2java to generate client port and service from netsuite wsdl.
I can assign Access Role to Employee in Netsuite using UI. I can view the existing Role to the employee on UI.
I can search employees using saved searches but how can I get the Roles using saved searches.
Same question is asked at :
Get list of all roles in Netsuite
but answer for this is given specific to PHP.
How can I achieve the same using wsdl2java classes ?
In a JPA app I have a scenario in which the app is to
list all accounts the given user is authorized to withdraw from
I have the Account entity and a many-to-many table that lists what authorizations each user has on each account – to implement the above scenario, the app currently just inner-joins the two tables – which is quite quick.
Now, I was planning to add an explicit authorization layer (based on apache shiro / spring security / other) to insulate authorization-related logic from the rest of the code, but...
There are some 10k Accounts in the database and the "average" user is granted "deposit" on all of them, "view" on one half of them and "withraw" on just a few.
Does any security framework allow to implement this scenario efficiently?
Ie: is any of them able to "decorate" a JPA query of the type "select a from Account a" (or the equivalent SQL) and thus get the list of accounts without loading all user grants from the database, and by all means, without having to retrieve all accounts?)
Have a look at Apache Shiro.
It allows you to pull in the User authorization once and cache it for the duration of the session. In addition, if all users can VIEW all ACCOUNTS then you wouldn't need to explicitly define this which would significantly reduce the overhead.
If your solution requires realtime access handlers Shiro has a way to reset the Permissions dynamically during runtime too.
Shiro allows you to implement a typical RBAC and define permissions like this:
domain:action:instance
So in your case permissions might look like this for a user:
account:deposit:* // deposit all accounts
account:view:1111
account:view:2222
account:view:3333 // view on these accounts
account:withdraw:5555
account:withdraw:6666 // withdraw on these accounts
In code you can then do something like this:
if (SecurityUtils.getSubject().isPermitted("account:withdraw:"+account.getAccountNumber() ) {
// handle withdraw
}
Shiro also has annotation driven permissions for additional abstraction.
EDIT
The Shiro permissions is the end result, not where you start. I used a set of tables representing mappings of the user-to-role and role-to-permission along with other mappings to instance. After AuthN its usually a simple set of queries indexed by the User PK to build up the data structures needed to render the permissions.
I have a hope that this is one of the possibilities to implement your requirement with Spring-Security.
Write custom org.springframework.security.acls.Permission like
ViewAccount,DepositToAccount,WithDrawFromAccount
Write custom
org.springframework.security.access.PermissionEvaluator Override
hasPermission(Authentication userAuthentication,Object
accountObject,Object oneOfThePermission) to check if the user has
the defined permission on the accountObject
Get reference to JPA
EntityManager in your custom evaluator and cross check/verify in DB
with user_id,permission_id,account_id
If the user is 'root' you can
staight away return true for hasPermission without verifying with
DB.
Annotate your service calls with
#PreAuthorize("isAuthenticated() and hasPermission(#accountArgument,
'respectivePermission')")
Refer link for custom implementations of Permission & PermissionEvaluator
If you are using EclipseLink there are a few features for this,
one is the #AdditionalCriteria annotation that allow a filter to be applied to all queries for a class,
http://www.eclipse.org/eclipselink/documentation/2.4/jpa/extensions/a_additionalcriteria.htm#additionalcriteria
another is EclipseLink's support for Oracle VPD (row level security in the database),
http://wiki.eclipse.org/EclipseLink/Examples/JPA/Auditing
and finally EclipseLink supports SessionEvents that can allow filter to be appended to any query execution,
http://www.eclipse.org/eclipselink/api/2.4/org/eclipse/persistence/sessions/SessionEventAdapter.html#preExecuteQuery%28org.eclipse.persistence.sessions.SessionEvent%29