将权限和用户主体从 rest 客户端传递到服务器 spring 启动

Question

I have to call one secured endpoint from rest client and at the controller side it require the authorities and user principal information to be sent from client.

 String  endpoint="http://localhost:8096/polygons/34";
           // endpoint="https://dop-int.edosdp.ericsson.se/polygon-manager/polygons/34";
            HttpHeaders headers = new HttpHeaders();
            headers.setBasicAuth("mahi", "ChangeM6");
            headers.setConnection("keep-alive");       
             HttpEntity<String> httpEntity = new HttpEntity<String>(headers);       
            ResponseEntity<Long> exchange = restTemplate.exchange(endpoint,HttpMethod.GET, httpEntity, Long.class);    

how can send at least one role(ADMIN or GUEST_USER) information from client. IS there any way I can wrap up all user info in a dummy session and send it to the serer.

Thanks, Mahi

Answer 1

No. It's a bad idea for the client to modify any kind of session information including cookies. Only the server should be allowed to do that.

Since your requirement is to check for user role on a specific url, you can set a custom request header and check for it within the controller method itself:

Example code:

@GetMapping("/polygons")
public String getPolygons(HttpServletRequest request) {     
    String userRole = request.getHeader("user-role");
    if(userRole != null && userRole.toLowerCase().equals("admin")) {
        System.out.print("Role provided: " + userRole);     
        // ...
        return "some-data";
    }           
    
    System.out.print("Role not provided!");
    return "error";
}

You could also set the user role in the request body for a post request.

public class RequestParams {
    private String userRole;
    // ...
}       

@PostMapping("/polygons")
public String getPolygons(@RequestBody RequestParams requestParams) {
    String userRole = requestParams.getUserRole();
    if(userRole != null && userRole.toLowerCase().equals("admin")) {
        System.out.print("Role provided: " + userRole);     
        // ...
        return "some-data";
    }           
    
    System.out.print("Role not provided!");
    return "error";
}

If your requirement is to check for the user role on multiple urls then you should consider writing a servlet filter.

EDIT:

I think I too faced a similar situation in the past. I ended up using apache's httpclient library instead of resttemplate.

Here's some sample code:

private List<OrganizationDTO> getUserOrgUnits(String loggedInUserId, String token) {
    List<OrganizationDTO> userList = new ArrayList<OrganizationDTO>();      

    CloseableHttpClient httpClient = HttpClients.createDefault();
    HttpGet httpGet = new HttpGet(getUserOrgUnitsApiURL());
    try {
        // Setting header
        httpGet.setHeader("Authorization", "Bearer " + token);
        httpGet.setHeader("Content-type", "application/json");
        // Setting custom header
        httpGet.setHeader(USERID_HEADER_NAME, loggedInUserId);
        
        CloseableHttpResponse response = httpClient.execute(httpGet);
        String  result = EntityUtils.toString(response.getEntity());
        
        JsonNode node = null;
        ObjectMapper mapper = new ObjectMapper();
        node = mapper.readTree(result);
        Iterable<JsonNode> list = node.path("data");            
        for (JsonNode jsonNode : list) {
            OrganizationDTO dto = mapper.treeToValue(jsonNode, OrganizationDTO.class);
            userList.add(dto);
        }
    } catch (Exception e) {
        log.error("getUserOrgUnits: Exception.");
        e.printStackTrace();
    }                                       
    return userList;
}