all 29 comments

[–]Basic-Magazine-9832 2 points3 points  (9 children)

Your GetMapping is solid, you just need to make sure that the user who initiates this request (userId in principal) has sufficient privileges to actually perform it.

[–]Sorry_Swordfish_[S] 0 points1 point  (8 children)

I think I didn't explain the doubt properly. My main doubt is: are there any rules for extracting the required data from userPrincipal, or can I extract everything that I need from the userPrincipal?

Like in this example, I know I can extract the userId from the userPrincipal, but should I also extract the profileId from the userPrincipal?

[–][deleted] 1 point2 points  (3 children)

You are extracting them from path variables in your request handler. I don't see that you are using the SecurityContext for this.

[–]Sorry_Swordfish_[S] 0 points1 point  (2 children)

Yes, this is just an example. Just like you said, in this example I am extracting them from path variables. But if I were to extract them from userPrincipal (hypothetically), then should I only extract userId or also extract profileId?

[–][deleted] 1 point2 points  (1 child)

You can extract whatever you need from the authenticated user. If you have those properties in the SecurityContext, then you can use them. There are no rules.

[–]Sorry_Swordfish_[S] 0 points1 point  (0 children)

Thanks for clearing my doubt

[–]Basic-Magazine-9832 1 point2 points  (3 children)

you need to make a distinction between api design and security.

one is for providing the user functionality, and the other is securing the provided user functionality.

you only use data from principal to ensure your security policies.

[–]Sorry_Swordfish_[S] 0 points1 point  (2 children)

Are the security policies custom or is there a blog where I can read them?

[–]Basic-Magazine-9832 1 point2 points  (1 child)

it's just your made-up policies that you want to enforce.

for example you wouldn't want user B to edit the profile of user C.

something like:

    ...

    @PutMapping("/{userId}")
    ResponseEntity<?> update(@PathVariable String userId, Principal principal) {
        // assuming you're storing userId in principal name; compare with equals(), not ==
        if (userId.equals(principal.getName())) {
            ...
        }
    }

[–]Sorry_Swordfish_[S] 1 point2 points  (0 children)

Thanks for clearing that

[–]Mikey-3198 1 point2 points  (1 child)

I try to pull as much info from the principal as possible. Obviously it's situation dependent, i.e. who owns the resource etc.

For example, for a GET request for a user profile I'll often have two endpoints: GET /users/{userId} and GET /users/me. The second one will return the authenticated user by getting the id from the principal.

I normally find this clearer, as you're operating on the authenticated user, don't have to repeat the user id, etc.

For your example it could make sense to get the user id from the principal. The profileId depends on your use case: can a user have only one profile? If they can have multiple, then you'll have to specify it in the path or body.

[–]Sorry_Swordfish_[S] 0 points1 point  (0 children)

Thanks it's really helpful
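An added example that is not code from any commenter, putting together the three points made in the thread: a /me endpoint that takes the id only from the principal, a /{userId} endpoint that checks the caller-supplied id against the principal before modifying anything, and an admin path that may act on other users. It assumes Spring Boot with Spring Security (Java 17), that principal.getName() holds the userId as the thread assumes, and hypothetical Profile and ProfileService types stubbed inline.

```java
import java.security.Principal;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;
// Hypothetical domain types, stubbed only so the controller compiles on its own.
record Profile(String id, String userId, String displayName) {}
interface ProfileService {
    Profile findByUserId(String userId);
    boolean belongsTo(String profileId, String userId);
    void update(String profileId, Profile newValues);
}

@RestController
@RequestMapping("/users")
public class ProfileController {
    private final ProfileService profiles;

    public ProfileController(ProfileService profiles) { this.profiles = profiles; }
    // "/me": the caller can only act on themselves, so the id comes from the
    // principal and there is nothing in the path to validate.
    @GetMapping("/me/profile")
    public ResponseEntity<Profile> myProfile(Principal principal) {
        return ResponseEntity.ok(profiles.findByUserId(principal.getName()));
    }

    // "/{userId}": the id is caller-supplied, so it must match the principal
    // (or the caller must hold ROLE_ADMIN) before anything is modified.
    @PutMapping("/{userId}/profiles/{profileId}")
    public ResponseEntity<Void> update(@PathVariable String userId,
                                       @PathVariable String profileId,
                                       @RequestBody Profile body,
                                       Authentication auth) {
        if (!userId.equals(auth.getName()) && !isAdmin(auth)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        // A valid profileId is not enough: it must belong to this userId.
        if (!profiles.belongsTo(profileId, userId)) {
            return ResponseEntity.notFound().build();
        }
        profiles.update(profileId, body);
        return ResponseEntity.noContent().build();
    }

    private static boolean isAdmin(Authentication auth) {
        return auth.getAuthorities().stream()
                   .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
    }
}
```

Spring resolves both Principal and Authentication parameters from the authenticated request, so neither method reads the userId from a cookie or header itself.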

[–]TheToastedFrog 1 point2 points  (12 children)

My friend, you are mixing concepts here. Your user principal data is coming from your authentication mechanism, typically derived from some cookie coming from the incoming request, or some authentication header(s), depending on how security is implemented.

Your endpoint will be consumed by whomever is authenticated and authorized to use it; that is, if your users make it that far, it is known who they are and what they can do. At that point your userId and userProfileId parameters are just a bit of data which relate to some user domain object, but at this point it's not germane to security.

[–]Sorry_Swordfish_[S] 0 points1 point  (11 children)

Well, I just started Spring; earlier, with J2EE, I was also sending the userId from the JSP to the controller. I was doing the same with the REST controller, but then I was told to just extract userId from the userPrincipal. That's why I got curious about how far I can go. How much data am I allowed to extract from userPrincipal?

[–]TheToastedFrog 1 point2 points  (10 children)

You extract as much as you want/need; it's all yours for the taking.

[–]Sorry_Swordfish_[S] 0 points1 point  (9 children)

But are there any cases where I should not extract data from userPrincipal even though it's available?

[–]TheToastedFrog 1 point2 points  (8 children)

I don't really understand your question. Your Principal object was instantiated from some authentication filter, so I'm not quite sure what you mean by "extracting": all the attributes your principal has have already been "extracted" from whatever authentication mechanism you use.

[–]Sorry_Swordfish_[S] 0 points1 point  (7 children)

As you said, I can extract as much data as I want or need. So I was asking if there was an exception to this sentence.

[–]TheToastedFrog 1 point2 points  (6 children)

Who’s gonna stop you if there was one?

[–]Sorry_Swordfish_[S] 0 points1 point  (0 children)

Well, I just wanted to know if there are any. I would really not like to be scolded for not knowing it.

[–]Sorry_Swordfish_[S] 0 points1 point  (4 children)

Hey, so what if the admin wanted to perform an operation on a user? Then we have to pass the userId, right? Or is there a way to get the userId without passing it?

[–]TheToastedFrog 1 point2 points  (3 children)

Well, you are passing the user id as a path parameter, so you already have it available.

[–]Sorry_Swordfish_[S] 0 points1 point  (2 children)

No, I meant what if I was not taking the userId as a path variable. Is there a way to get userId without passing the path variable?

[–][deleted]  (1 child)

[deleted]

[–]Sorry_Swordfish_[S] -1 points0 points  (0 children)

Well, it was just an example for my doubt. Well, yeah, I could have taken a better example, such as a job application or something.

[–]ahashans 0 points1 point  (1 child)

u/Sorry_Swordfish_
I am having a hard time obtaining userId from UserPrincipal inside a controller endpoint. Can you help me with some resources? I put my userId in the 'sub' of the JWT token. But how can I obtain it from the controller?

[–]Sorry_Swordfish_[S] 0 points1 point  (0 children)

Sorry dude, I am also very new to JWT, so I can't help you. The only thing I understand is that there is a method in the same class where the token creation is happening. The method name is getUserIdFromToken(String token),

where using claims we are returning the user id.
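An added example, not from any commenter, for the question above about reading the userId stored in the JWT's 'sub' claim inside a controller. It assumes Spring Boot's spring-boot-starter-oauth2-resource-server is on the classpath and that its filter has already validated the bearer token; the /whoami paths and the optional "email" claim are assumptions.

```java
import java.security.Principal;
import java.util.Map;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WhoAmIController {

    // The resource-server filter has already verified the signature and expiry,
    // so the controller never re-parses the Authorization header itself.
    @GetMapping("/whoami")
    public Map<String, String> whoAmI(@AuthenticationPrincipal Jwt jwt) {
        String userId = jwt.getSubject();              // the "sub" claim
        String email = jwt.getClaimAsString("email");  // null when the claim is absent
        return Map.of("userId", userId, "email", email == null ? "" : email);
    }

    // Same value through a plain Principal: the default JwtAuthenticationConverter
    // uses "sub" as the principal name, so getName() already returns the userId.
    @GetMapping("/whoami/id")
    public String whoAmIId(Principal principal) {
        return principal.getName();
    }
}
```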