I am new to Spring and I'm trying to learn by developing a simple application.
This is the schema of the database: http://ift.tt/1BAcLk2
It is very simple: each user must start by logging in, and once they do, a list of the teams in which they are administrators is displayed. That information is stored in the table team_members:
INSERT INTO team_members (user_id, team_id, role) VALUES ('1', '1', 'admin');
INSERT INTO team_members (user_id, team_id, role) VALUES ('1', '2', 'admin');
INSERT INTO team_members (user_id, team_id, role) VALUES ('2', '2', 'player');
INSERT INTO team_members (user_id, team_id, role) VALUES ('2', '3', 'admin');
My problem arises when a user tries to edit, or access the edit page of, one of the teams. This is my controller to do it:
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

// GET teams/{id}/edit: load the team and render the edit form
@RequestMapping(value = "teams/{id}/edit", method = RequestMethod.GET)
public ModelAndView editTeamPage(@PathVariable Integer id) {
    ModelAndView modelAndView = new ModelAndView("edit-team-form");
    Team team = teamService.getTeam(id);
    modelAndView.addObject("team", team);
    return modelAndView;
}
To be able to access this page, the user must be authenticated (isAuthenticated()); however, I would also like to check whether the user's role in the table team_members is admin.
So my question is, what is the best way to do this? Should I insert an if at the beginning of every controller function that must verify this condition? Is there a cleaner solution for this?
I tried to create the following:
package com.sports.beans;

import org.springframework.stereotype.Component;

@Component("mySecurityService")
public class MySecurityService {
    // stub: always denies, the real check is not implemented yet
    public boolean hasPermission(String key) {
        return false;
    }
}
and added @PreAuthorize("@mySecurityService.hasPermission('special')") to the controller function, but it didn't work.
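One way to express the per-team check the question asks about, as an added example that is not the poster's code: method security is switched on, the bean referenced from SpEL looks up the caller's role in team_members, and the controller passes the path id into that check. It assumes a users(id, username) table joined to team_members (not shown in the question), a configured JdbcTemplate, and Spring Security 3.2 or later.

```java
// Added example, not the poster's code. Assumes a users(id, username) table,
// a configured JdbcTemplate bean, and Spring Security 3.2+ (for @P).

// --- File 1: switch on method security (off by default, so @PreAuthorize is ignored) ---
package com.sports.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig { }

// --- File 2: the bean referenced from SpEL as @mySecurityService ---
package com.sports.beans;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component("mySecurityService")
public class MySecurityService {
    private final JdbcTemplate jdbc;

    @Autowired
    public MySecurityService(JdbcTemplate jdbc) { this.jdbc = jdbc; }

    // True only when the caller is authenticated AND has role 'admin' for this
    // specific team; anonymous callers and a missing id are denied.
    public boolean isTeamAdmin(Authentication auth, Integer teamId) {
        if (auth == null || !auth.isAuthenticated() || teamId == null) {
            return false;
        }
        Integer hits = jdbc.queryForObject(
            "SELECT COUNT(*) FROM team_members tm JOIN users u ON u.id = tm.user_id"
          + " WHERE u.username = ? AND tm.team_id = ? AND tm.role = 'admin'",
            Integer.class, auth.getName(), teamId);
        return hits != null && hits > 0;
    }
}

// --- File 3: the controller method, guarded per team id ---
// needs: org.springframework.security.access.prepost.PreAuthorize, org.springframework.security.access.method.P
// 'authentication' is a built-in SpEL variable; @P names the parameter so '#id'
// resolves even when the class is compiled without parameter names.
@PreAuthorize("@mySecurityService.isTeamAdmin(authentication, #id)")
@RequestMapping(value = "teams/{id}/edit", method = RequestMethod.GET)
public ModelAndView editTeamPage(@P("id") @PathVariable Integer id) {
    ModelAndView modelAndView = new ModelAndView("edit-team-form");
    modelAndView.addObject("team", teamService.getTeam(id));
    return modelAndView;
}
```

The controller must live in the same Spring context as the method-security configuration (with XML, `<global-method-security>` goes in the DispatcherServlet's context), otherwise the annotation is never intercepted and the request goes through.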