Files
spring-security-samples/servlet/spring-boot/java/data/README.adoc
Josh Cummings 9700368ca3 Simplify AuthorizeReturnObject Usage
While the proxy factory feature is cool, it's not needed for
this sample. We can point folks to the documentation to understand
when something like that is needed.
2024-08-23 16:57:31 -06:00

53 lines
1.4 KiB
Plaintext

= Spring Data Sample
After running this sample like so:
.Java
[source,java,role="primary"]
----
./gradlew :bootRun
----
Then you can query for messages using `luke/password` and `rob/password`.
Because the domain objects are secured, you will see a subset of fields with `luke`.
For example, querying `/` with `luke`, you'll see:
```json
...
{
"created": "2014-07-12T16:00:00Z",
"id": 112,
"summary": "Is this secure?",
"text": "This message is for Luke",
"to": {
"email": "luke@example.com",
"id": "luke",
"password": "password"
}
}
...
```
However, with `rob`, you'll also see `firstName` and `lastName` like so:
```json
...
{
"created": "2014-07-12T04:00:00Z",
"id": 102,
"summary": "Is this secure?",
"text": "This message is for Rob",
"to": {
"email": "rob@example.com",
"firstName": "Rob",
"id": "rob",
"lastName": "Winch",
"password": "password"
}
}
...
```
Read more about the https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#authorize-object[`@AuthorizeReturnObject`] and https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#fallback-values-authorization-denied[]`@DeniedHandler`] in the Spring Security Reference.