Uso de permisos en el servidor
Introducción
En este ejercicio proveeremos de una capa de permisos al backend, permitiendo que los métodos que elijamos solo puedan ser ejecutados por determinados roles de usuario. En este ejercicio, crearemos un nuevo usuario que esté asociado a un nuevo rol, pero que no pueda ejecutar ninguna de las peticiones asociadas al servicio de Offers.
Añadir nuevo perfil y usuario
Añadiremos los siguientes elementos a la BD:
Código SQL
-- Añadimos un nuevo usuario
INSERT INTO TUSER VALUES('candidate','candidate','candidate','candidate',NULL,'99999999R',NULL,'2020-07-03 11:50:40.665000',NULL)
-- Añadimos un nuevo rol de usuario
INSERT INTO TROLE VALUES(1,'candidate','<?xml version="1.0" encoding="UTF-8"?><security></security>')
-- Indicamos la relación entre el nuevo usuario y el nuevo rol
INSERT INTO TUSER_ROLE VALUES(1,1,'candidate')Modificar el servicio para añadir seguridad
En el módulo boot añadiremos la anotación @EnableAspectJAutoProxy(proxyTargetClass = false) a la clase ServerApplicaction.java y añadiremos a cada método del servicio la anotación @Secured({ PermissionsProviderSecured.SECURED })
ServerApplication.java
package com.ontimize.hr;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
@EnableAspectJAutoProxy(proxyTargetClass = false)
@SpringBootApplication
public class ServerApplication {
public static void main(String[] args) {
SpringApplication.run(ServerApplication.class, args);
}
}OfferService.java
package com.ontimize.hr.model.core.service;
import java.util.List;
import java.util.Map;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Service;
import com.ontimize.hr.api.core.service.IOfferService;
import com.ontimize.hr.model.core.dao.OfferCandidateStatusDao;
import com.ontimize.hr.model.core.dao.OfferCandidatesDao;
import com.ontimize.hr.model.core.dao.OfferDao;
import com.ontimize.hr.model.core.dao.OfferStatusDao;
import com.ontimize.jee.common.dto.EntityResult;
import com.ontimize.jee.common.exceptions.OntimizeJEERuntimeException;
import com.ontimize.jee.common.security.PermissionsProviderSecured;
import com.ontimize.jee.server.dao.DefaultOntimizeDaoHelper;
@Service("OfferService")
@Lazy
public class OfferService implements IOfferService {
@Autowired
private OfferDao offerDao;
@Autowired
private OfferStatusDao offerStatusDao;
@Autowired
private OfferCandidatesDao offerCandidatesDao;
@Autowired
private OfferCandidateStatusDao offerCandidateStatusDao;
@Autowired
private DefaultOntimizeDaoHelper daoHelper;
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerQuery(Map<String, Object> keyMap, List<String> attrList)
throws OntimizeJEERuntimeException {
return this.daoHelper.query(this.offerDao, keyMap, attrList);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerInsert(Map<String, Object> attrMap) throws OntimizeJEERuntimeException {
return this.daoHelper.insert(this.offerDao, attrMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerUpdate(Map<String, Object> attrMap, Map<String, Object> keyMap)
throws OntimizeJEERuntimeException {
return this.daoHelper.update(this.offerDao, attrMap, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerDelete(Map<String, Object> keyMap) throws OntimizeJEERuntimeException {
return this.daoHelper.delete(this.offerDao, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerStatusQuery(Map<String, Object> keyMap, List<String> attrList)
throws OntimizeJEERuntimeException {
return this.daoHelper.query(this.offerStatusDao, keyMap, attrList);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerStatusInsert(Map<String, Object> attrMap) throws OntimizeJEERuntimeException {
return this.daoHelper.insert(this.offerStatusDao, attrMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerStatusUpdate(Map<String, Object> attrMap, Map<String, Object> keyMap)
throws OntimizeJEERuntimeException {
return this.daoHelper.update(this.offerStatusDao, attrMap, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerStatusDelete(Map<String, Object> keyMap) throws OntimizeJEERuntimeException {
return this.daoHelper.delete(this.offerStatusDao, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateQuery(Map<String, Object> keyMap, List<String> attrList)
throws OntimizeJEERuntimeException {
return this.daoHelper.query(this.offerCandidatesDao, keyMap, attrList);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateDetailsQuery(Map<String, Object> keyMap, List<String> attrList)
throws OntimizeJEERuntimeException {
return this.daoHelper.query(this.offerCandidatesDao, keyMap, attrList, OfferCandidatesDao.QUERY_OFFER_DETAILS);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateInsert(Map<String, Object> attrMap) throws OntimizeJEERuntimeException {
return this.daoHelper.insert(this.offerCandidatesDao, attrMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateUpdate(Map<String, Object> attrMap, Map<String, Object> keyMap)
throws OntimizeJEERuntimeException {
return this.daoHelper.update(this.offerCandidatesDao, attrMap, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateDelete(Map<String, Object> keyMap) throws OntimizeJEERuntimeException {
return this.daoHelper.delete(this.offerCandidatesDao, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateStatusQuery(Map<String, Object> keyMap, List<String> attrList)
throws OntimizeJEERuntimeException {
return this.daoHelper.query(this.offerCandidateStatusDao, keyMap, attrList);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateStatusInsert(Map<String, Object> attrMap) throws OntimizeJEERuntimeException {
return this.daoHelper.insert(this.offerCandidateStatusDao, attrMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateStatusUpdate(Map<String, Object> attrMap, Map<String, Object> keyMap)
throws OntimizeJEERuntimeException {
return this.daoHelper.update(this.offerCandidateStatusDao, attrMap, keyMap);
}
@Override
@Secured({PermissionsProviderSecured.SECURED})
public EntityResult offerCandidateStatusDelete(Map<String, Object> keyMap) throws OntimizeJEERuntimeException {
return this.daoHelper.delete(this.offerCandidateStatusDao, keyMap);
}
}- hr
- hr-api
- src
- main
- java
- com
- ontimize
- hr
- api
- core
- service
- ICandidateService.java
- IMasterService.java
- IOfferService.java
- IUserService.java
- service
- core
- api
- hr
- ontimize
- com
- java
- main
- pom.xml
- src
- hr-boot
- src
- main
- java
- com
- ontimize
- hr
- ServerApplication.java
- hr
- ontimize
- com
- resources
- application.yml
- java
- main
- pom.xml
- src
- hr-model
- src
- main
- db
- templateDB.script
- templateDB.txt
- java
- com
- ontimize
- hr
- model
- core
- dao
- CandidateDao.java
- EducationDao.java
- ExperienceLevelDao.java
- OfferCandidatesDao.java
- OfferCandidateStatusDao.java
- OfferDao.java
- OfferStatusDao.java
- OriginDao.java
- ProfileDao.java
- StatusDao.java
- UserDao.java
- UserRoleDao.java
- service
- CandidateService.java
- MasterService.java
- OfferService.java
- UserService.java
- dao
- core
- model
- hr
- ontimize
- com
- resources
- dao
- CandidateDao.xml
- EducationDao.xml
- ExperienceLevelDao.xml
- OfferCandidatesDao.xml
- OfferCandidateStatusDao.xml
- OfferDao.xml
- OfferStatusDao.xml
- OriginDao.xml
- placeholders.properties
- ProfileDao.xml
- RoleDao.xml
- RoleServerPermissionDao.xml
- ServerPermissionDao.xml
- StatusDao.xml
- UserDao.xml
- UserRoleDao.xml
- dao
- db
- main
- pom.xml
- src
- hr-ws
- src
- main
- java
- com
- ontimize
- hr
- ws
- core
- rest
- CandidateRestController.java
- MainRestController.java
- MasterRestController.java
- OfferRestController.java
- TestRestController.java
- UserRestController.java
- rest
- core
- ws
- hr
- ontimize
- com
- java
- main
- pom.xml
- src
- .gitignore
- Archetype_ontimize_boot.postman_collection.json
- pom.xml
- hr-api
Añadir los permisos para los métodos
Una vez anotados los métodos, es necesario añadir el servicio y el método que hemos anotado a la tabla de la BD que almacena dichos elementos y a la tabla que indica los métodos para los cuales el rol tiene permiso.
Código SQL
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerQuery')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerInsert')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerUpdate')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerDelete')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerStatusQuery')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerStatusInsert')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerStatusUpdate')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerStatusDelete')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateQuery')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateDetailsQuery')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateInsert')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateUpdate')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateDelete')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateStatusQuery')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateStatusInsert')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateStatusUpdate')
INSERT INTO TSERVER_PERMISSION (PERMISSION_NAME) VALUES('com.ontimize.hr.api.core.service.IOfferService/offerCandidateStatusDelete')
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,1)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,2)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,3)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,4)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,5)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,6)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,7)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,8)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,9)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,10)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,11)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,12)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,13)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,14)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,15)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,16)
INSERT INTO TROLE_SERVER_PERMISSION (ID_ROLENAME,ID_SERVER_PERMISSION) VALUES(0,17)Si tratamos de realizar mediante Postman peticiones en el servicio de OfferService cambiando la autenticación por el usuario candidate y contraseña candidate, dará un error, ya que el usuario candidate no pertenece al rol admin que es el único rol que tiene permisos para realizar esas consultas.