How to do it...

Let us simulate Spring Security's authorization process by using AOP concepts:

  1. Although authorization can be implemented using the Spring Security framework, this recipe provides another solution using AOP concepts. Inside the package org.packt.aop.transaction.controller, create an EmployeeController that deletes a record given an empId detail:
package org.packt.aop.transaction.controller;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
// EmployeeService comes from the project's own service package (see the book's sources)

@Controller
public class EmployeeController {

  @Autowired
  private EmployeeService employeeServiceImpl;

  // Deletes the record identified by the path variable, then reloads the list for the menu view
  @RequestMapping("/deldept.html/{deptId}")
  public String deleteRecord(Model model,
      @PathVariable("deptId") Integer deptId) {

    employeeServiceImpl.delEmployee(deptId);
    model.addAttribute("emps",
        employeeServiceImpl.readEmployees());
    return "menu";
  }
}
  2. Modify the view page /menu_emps.html to include the DELETE transaction for every record, as shown in the following screenshot:
  3. Now, create an @Aspect class that will intercept the deleteRecord() request handler of EmployeeController to filter the permissions of the currently logged-in user. Once the user clicks DELETE, the advice method is triggered and allows the deletion only if the user has ROLE_HR; otherwise, a redirection to /banned.html occurs:
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
// LoginService and RolePermission come from the project's own packages (see the book's sources)

@Component
@Aspect
public class DeleteAuthorizeAspect {

  private Logger logger =
      Logger.getLogger(DeleteAuthorizeAspect.class);

  @Autowired
  private LoginService loginServiceImpl;

  // Matches any join point inside a class annotated with @Controller
  @Pointcut("within(@org.springframework.stereotype.Controller *)")
  public void classPointcut() { }

  // Matches the deleteRecord() handler of EmployeeController, whatever its return type
  @Pointcut("execution(* org.packt.aop.transaction.controller.EmployeeController.deleteRecord(..))")
  public void delPointcut() { }

  // Wraps deleteRecord(); @annotation(mapping) binds the handler's @RequestMapping
  @Around("classPointcut() && delPointcut() && @annotation(mapping)")
  public String delEmployee(ProceedingJoinPoint joinPoint,
      RequestMapping mapping) throws Throwable {

    HttpServletRequest req = ((ServletRequestAttributes)
        RequestContextHolder.getRequestAttributes())
        .getRequest();
    logger.info("executing " +
        joinPoint.getSignature().getName());
    // The login step stores the user's id in the HTTP session
    int userId = (Integer) req.getSession()
        .getAttribute("userId");
    System.out.println("userId " + userId);

    List<RolePermission> permission =
        loginServiceImpl.getPermissionSets(userId);
    if (isAuthorize(permission)) {
      logger.info("user " + userId
          + " is authorized to delete");
      joinPoint.proceed();   // runs the deletion; the handler itself also returns "menu"
      return "menu";
    } else {
      logger.info("user " + userId + " is NOT authorized to "
          + "delete");
      return "banned";       // the deletion never runs; the banned view is rendered instead
    }
  }

  private boolean isAuthorize(List<RolePermission>
      permission) {

    Set<String> userRoles = new HashSet<>();
    Set<String> userPerms = new HashSet<>();
    // refer to sources: the book's code bundle fills userRoles and
    // userPerms from the permission list; that part is omitted here

    if (userRoles.contains("ROLE_HR")) {
      return true;
    }
    return false;
  }
}
  4. Save all files. Then clean, build, and deploy the project.
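The authorization decision made by the aspect above, as an added example that is not the book's code: it is written as a plain Java class so it can be unit-tested without Spring, supplies the role-collection step the listing elides, and fails closed when the session holds no userId or the permission list is absent or empty. The shape of RolePermission (a single role-name field) and the names DeleteAuthorizationPolicy, Decision, collectRoles and decide are assumptions; the page never shows them.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class DeleteAuthorizationPolicy {

  // Assumed stand-in for the book's RolePermission: the page never shows its
  // fields, so this carries only the role name the aspect needs.
  public static final class RolePermission {
    private final String roleName;
    public RolePermission(String roleName) { this.roleName = roleName; }
    public String getRoleName() { return roleName; }
  }

  public enum Decision { ALLOW, DENY_UNAUTHENTICATED, DENY_FORBIDDEN }
  public static final String REQUIRED_ROLE = "ROLE_HR";

  // The step the listing marks "refer to sources": gather the distinct role
  // names from the user's permission rows, tolerating null rows and names.
  public static Set<String> collectRoles(List<RolePermission> permissions) {
    Set<String> roles = new HashSet<>();
    if (permissions == null) { return roles; }
    for (RolePermission p : permissions) {
      if (p != null && p.getRoleName() != null) { roles.add(p.getRoleName()); }
    }
    return roles;
  }

  // Fail-closed decision for the @Around advice: the session attribute the
  // aspect reads may be absent (no login), and an absent or empty permission
  // list must deny rather than throw or fall through to the deletion.
  public static Decision decide(Integer sessionUserId, List<RolePermission> permissions) {
    if (sessionUserId == null) { return Decision.DENY_UNAUTHENTICATED; }
    return collectRoles(permissions).contains(REQUIRED_ROLE) ? Decision.ALLOW : Decision.DENY_FORBIDDEN;
  }

  public static void main(String[] args) {
    // Constructed sample data: one HR user, one ordinary employee
    List<RolePermission> hr = Arrays.asList(new RolePermission("ROLE_EMPLOYEE"), new RolePermission("ROLE_HR"));
    List<RolePermission> staff = Arrays.asList(new RolePermission("ROLE_EMPLOYEE"));
    if (decide(7, hr) != Decision.ALLOW) throw new AssertionError("HR user must be allowed");
    if (decide(8, staff) != Decision.DENY_FORBIDDEN) throw new AssertionError("non-HR user must be forbidden");
    if (decide(null, hr) != Decision.DENY_UNAUTHENTICATED) throw new AssertionError("missing session user must deny");
    if (decide(9, null) != Decision.DENY_FORBIDDEN) throw new AssertionError("missing permissions must deny");
    System.out.println("all delete-authorization decisions as expected");
  }
}
```

Inside the advice, only an ALLOW result would call joinPoint.proceed() (returning its result rather than a hard-coded view name), while both DENY outcomes return the banned view without ever invoking the handler.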