This workshop will be retired on May 1, 2025.
Let's use Spring Expression Language to restrict deletions of reviews.
[0:00] Okay, so really we should secure everything.
[0:03] But I wanna give you a taste first of how to do that.
[0:06] So remember that our repositories expose all the HTTP verbs by default.
[0:11] Our security that we just set up says that if you're logged in, you can do whatever you want to any resource.
[0:16] That's probably not a good idea.
[0:19] Let's solve the delete example of reviews really quick, and then we'll swing back later and get the rest of them secured.
[0:25] Okay, so remember our review repository here is a paging and sorting repository, and it overrides the CrudRepository.
[0:37] So let's go ahead and look at some methods that are coming from the CrudRepository.
[0:42] So here they are, so there are these two.
[0:44] Let's go ahead and add these to this: delete ID and delete entity.
[0:47] We're gonna override both of these.
[0:50] So, the first thing that we want to do is we want to grab one with the ID, which is this long one here.
[0:57] And we're gonna mark it with the PreAuthorize annotation.
[1:02] And this PreAuthorize annotation takes an element that explains the security required in a Spring Security flavor of the Spring Expression Language, or SpEL.
[1:13] So it's pretty handy, and it can be a wee bit foreign looking if this is your first time seeing it.
[1:18] So, remember to check the teacher's notes, if you start doing that mind blown animated gif, memey thing, right?
[1:25] So, what we wanna do here is allow for deletes, right?
[1:28] If the reviewer is the current authenticated user, he should be able to delete it or she should be able to delete it.
[1:34] So that seems pretty straightforward, right?
[1:36] So we first need to get access to this repository.
[1:40] Now since these repos are available for injection, we can do this.
[1:44] We can use @reviewRepository, and that's gonna get whatever is currently wired, just like we would with autowired.
[1:51] And then we're gonna use the method findOne which is on this, right, so we're gonna say findOne.
[1:56] And what we want to do is we wanna use whatever this long value that was passed in.
[2:00] I'm gonna go ahead, I'm gonna just name this to be id.
[2:04] And we wanna programmatically access what this is in our statement here.
[2:10] So what we need to do is we need to first expose that.
[2:14] So we're gonna say @Param, which is param, lets you do a query parameter there, and we're gonna mark that as id.
[2:23] And now we can access that in our statement here.
[2:26] So we're gonna say findOne, and programmatically, to access that you do #id, okay, and now we should have access to review.
[2:36] So let's get ahold of the reviewer, right.
[2:40] And that's really calling getReviewer, right.
[2:43] And from here we wanna call the username, or getUsername, and what we want to do is we want to check if it's equal to whatever we have from authentication.
[2:53] And that's an object that's just passed there, .name.
[2:57] You know what, though?
[2:58] What happens if this is not found?
[3:02] We're gonna get that dreaded null pointer exception, aren't we?
[3:05] Now thankfully, there's a handy way to express that concern.
[3:09] If you follow an object with a question mark, it will make it optional and it will stop any sort of chaining, right.
[3:16] So that's optional, so it won't go into the next, right.
[3:21] So we know what happens if we get a review back but the reviewer is not there; we'd better make that optional, too.
[3:28] Okay, so the delete entity version is pretty similar.
[3:31] You just already have the entity, right?
[3:33] So, this guy here is very similar to this one.
[3:36] You just already have this.
[3:37] So, let's do this.
[3:38] Why don't you give it a go?
[3:39] Why don't you try that, and see if you can do it?
[3:41] Pause me, and then un-pause me, when you're done.
[3:43] Okay, wanna see how I did it?
[3:46] All right, so what I did, I said, @PreAuthorize.
[3:50] And I added, for this review, I added a new Param, and I called it review, okay?
[3:57] So I said, @review.reviewer, and then I made sure that there was a username.
[4:08] And then I checked to see if it was equal to the authentication.name.
[4:14] Okay, so let's see if it's working.
[4:16] Let's go ahead and we will come and reboot the server.
[4:21] And if we come over here, we should still be logged in as Jacob, and let's go take a look at the reviews.
[4:35] So here, this is Jacob's here, so his review is review number two.
[4:39] Here's a review from Mike Norman.
[4:41] So his rating was 2, he wanted more Java 9.
[4:45] Okay so let's go ahead and let's look at that review, and let's go ahead and let's log back in as Jacob here.
[4:56] And let's make Jacob try to delete that review.
[5:01] Now if everything's good, so I switched this to delete and I have the header of Jacob logged in.
[5:06] If everything is good that we did, he should get blocked; Jacob should not now be able to do that, even though he was able to just before this.
[5:13] Awesome, access is denied, 403 Forbidden.
[5:17] Cool, so let's just go ahead and verify that Jacob can delete his own, remember he was at 2.
[5:22] So let's go ahead inside this.
[5:24] Boom, and we got 204 No Content.
[5:26] So Jacob was allowed to delete his own, and let's just make sure that it's gone.
[5:31] Bam, so yeah, 404 Not Found on review number two.
[5:35] Awesome, we did it.
[5:36] So one thing I thought about here right now is that the reviewer, and only the reviewer, can delete the review.
[5:42] Now, we all know the web isn't the nicest of places, right?
[5:46] So we probably wanna make sure that if an administrator on the site saw a bad review from a bad reviewer, that they could delete it immediately, right?
[5:53] Now just because we use the name Role Admin doesn't mean it does anything at all, so why don't we make it do something?
[6:00] So one thing that we can do is we can use the role annotation, this hasRole.
[6:09] hasRole, and then ROLE_ADMIN or that; we'll do it for here too, hasRole, ROLE_ADMIN or, first.
[6:19] Cool, now if I see something, since I have the admin role, I can swing in and delete the review from the offensive person.
[6:30] Now, there are some more handy expressions that Spring Security introduces that you probably want to check out.
[6:35] I was thinking about something that we could do that I know our clients would like.
[6:39] How about instead of manually adding a reviewer to the reviews, why not just set the currently logged in user?
[6:45] Since we know they're authenticated, and we know who is making the post, it should be relatively easy, right?
[6:51] I mean, I've been meaning to show you about events anyway.
[6:54] So let's take a quick break and then I'll dive right into that.