When creating an entity that contains a linked resource whose repository's find one method is restricted, SDR throws an HttpMessageNotReadableException during deserialization of the linked resource (so it can't be changed using @ControllerAdvice exception handlers), resulting in the end user receiving a 400 Bad Request response on a well-formed and valid request instead of the expected 403 Forbidden status one would receive if they failed the global method security on any other kind of request. The following example code demonstrates the behavior by performing a POST to /parents with the body { "id": "1" } and then a POST to /children with the body { "id": "child1", "parent": "/parents/1" }.

Security configuration: in-memory user "user" with password "password" and basic auth configured.

Parent domain object

Parent repository with method security

Child domain object

Child repository with method security

Authorities utility class referenced in the parent repository:

import java.util.Optional;

import org.springframework.stereotype.Component;

@Component
public class AuthoritiesUtil {

    public boolean canViewParent(Optional<Parent> parent) {
        return false; // insert logic to allow this in some cases
    }
}

Application class

POM

In this case, I would expect to receive a 403 Forbidden status instead of a 400 Bad Request with the message "JSON parse error: Access Denied", because the request is well-formed and the linked object exists, but the user is forbidden from using it. Please let me know if you have any questions or concerns. Thank you.
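The following is an added example, not code from the issue or from Spring Data REST, that reproduces the exception wrapping the report describes using plain Jackson. A property deserializer stands in for SDR's association resolution of "/parents/1" (which calls the method-secured repository) and throws an access-denied exception; Jackson, with DeserializationFeature.WRAP_EXCEPTIONS on by default, wraps that RuntimeException in a JsonMappingException whose cause is the original exception and whose getOriginalMessage() is the text that Spring's Jackson message converter prefixes with "JSON parse error: " when it raises HttpMessageNotReadableException. The stand-in AccessDeniedException class, GuardedParentDeserializer, findCause and statusFor are all hypothetical names chosen here; the real application sees org.springframework.security.access.AccessDeniedException and SDR's own deserializer.

```java
import java.io.IOException;
import java.util.Optional;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;

// Stand-in for org.springframework.security.access.AccessDeniedException so this
// example only needs jackson-databind on the classpath (assumption: it is a plain
// RuntimeException, as the Spring Security class is).
class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) {
        super(msg);
    }
}

class Parent {
    public String id;
}

class Child {
    public String id;

    @JsonDeserialize(using = GuardedParentDeserializer.class)
    public Parent parent;
}

// Hypothetical model of what SDR's association deserializer does with "/parents/1":
// it resolves the URI through the parent repository's find one method, and the
// method-security check on that call fails inside Jackson's deserialization.
class GuardedParentDeserializer extends JsonDeserializer<Parent> {
    @Override
    public Parent deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
        String uri = p.getValueAsString(); // "/parents/1" in the constructed body below
        // The repository lookup would run here; canViewParent(...) returns false, so:
        throw new AccessDeniedException("Access Denied");
    }
}

public class WrappedAccessDeniedDemo {

    /** Walks the cause chain of t and returns the first exception of the given type. */
    static <T extends Throwable> Optional<T> findCause(Throwable t, Class<T> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) {
                return Optional.of(type.cast(c));
            }
        }
        return Optional.empty();
    }

    /** 403 when an access-denied failure is anywhere in the chain, 400 otherwise. */
    static int statusFor(Throwable t) {
        return findCause(t, AccessDeniedException.class).isPresent() ? 403 : 400;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request body: the same one the issue POSTs to /children.
        String body = "{\"id\":\"child1\",\"parent\":\"/parents/1\"}";
        ObjectMapper mapper = new ObjectMapper();
        try {
            mapper.readValue(body, Child.class);
            System.out.println("deserialized without error (not expected here)");
        } catch (JsonMappingException e) {
            // Jackson wrapped the deserializer's RuntimeException; the original
            // exception is still reachable through getCause().
            System.out.println("original message: " + e.getOriginalMessage());
            System.out.println("cause type: " + e.getCause().getClass().getName());
            System.out.println("mapped status: " + statusFor(e));
        }
    }
}
```

Run it with jackson-databind on the classpath. The practical point for anyone who does get hold of the HttpMessageNotReadableException is that the access-denied exception is still present as a cause further down the chain, so a genuinely malformed body can be told apart from a denied association lookup by walking getCause() rather than by matching on the "JSON parse error: Access Denied" message text.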