430. Multitenancy Security - dkkahm/study-springfamework5 GitHub Wiki

@PreAuthorize

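/**
 * Meta-annotation that grants pickup access to a beer order.
 *
 * <p>Access is allowed when the caller holds {@code order.pickup}, or holds
 * {@code customer.order.pickup} <em>and</em> belongs to the customer named by the
 * annotated method's {@code customerId} parameter (checked by the
 * {@code beerOrderAuthenticationManager} bean). In SpEL {@code AND} binds tighter
 * than {@code OR}, so the unparenthesised form already meant this; the parentheses
 * make the grouping explicit so a later edit cannot silently widen access.
 *
 * <p>{@code #customerId} is resolved from the annotated method's parameter of that
 * name, so parameter names must be available at runtime (compile with
 * {@code -parameters} or name the parameter explicitly via the Spring Security
 * parameter-name annotation). {@code RUNTIME} retention is required for Spring
 * Security to discover the meta-annotation. No {@code @Target} is declared, so the
 * annotation may be placed on any element; restrict it to METHOD/TYPE if that is the
 * intended use.
 */
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("hasAuthority('order.pickup') OR "
        + "(hasAuthority('customer.order.pickup') "
        + "AND @beerOrderAuthenticationManager.customerIdMatches(authentication, #customerId))")
public @interface BeerOrderPickupPermission {
}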
  • BeerOrderAuthenticationManager
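@Slf4j
// Explicit bean name: the @PreAuthorize SpEL on BeerOrderPickupPermission references
// "@beerOrderAuthenticationManager", but the default name derived from this class
// would be "beerOrderAuthenticationManger" (class name typo), so the expression
// would fail to resolve the bean at evaluation time.
@Component("beerOrderAuthenticationManager")
public class BeerOrderAuthenticationManger {

    /**
     * Returns whether the authenticated principal belongs to the customer with the
     * given id. Called from the SpEL in {@code BeerOrderPickupPermission}.
     *
     * <p>Fails closed: a missing authentication, a principal that is not a
     * {@code User} (e.g. the anonymous principal, which is a String), a user without
     * a customer, or a customer without an id all yield {@code false} instead of
     * throwing a ClassCastException / NullPointerException during authorization.
     *
     * @param authentication the current authentication, may be null
     * @param customerId     the customer id the caller is trying to access
     * @return true only if the principal's customer id equals {@code customerId}
     */
    public boolean customerIdMatches(Authentication authentication, UUID customerId) {
        if (authentication == null || !(authentication.getPrincipal() instanceof User)) {
            return false;
        }
        User authenticatedUser = (User) authentication.getPrincipal();
        if (authenticatedUser.getCustomer() == null) {
            return false;
        }
        // Declared as Object so no assumption is made about the id type beyond equals().
        Object authenticatedCustomerId = authenticatedUser.getCustomer().getId();
        if (authenticatedCustomerId == null) {
            return false;
        }

        // Parameterised logging avoids building the message when DEBUG is disabled.
        log.debug("Auth User Customer Id: {} Customer Id:{}", authenticatedCustomerId, customerId);

        return authenticatedCustomerId.equals(customerId);
    }

}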

@Query

public interface BeerOrderRepository  extends JpaRepository<BeerOrder, UUID> {

    ....

    /**
     * Loads a single order, enforcing tenant isolation inside the query itself.
     *
     * <p>The row is returned only if the caller holds {@code order.read}
     * ({@code true = :#{hasAuthority('order.read')}}) or the order belongs to the
     * caller's own customer ({@code o.customer.id = ?#{principal?.customer?.id}}).
     * The null-safe navigation means a principal without a customer compares
     * against null and matches nothing, so the check fails closed.
     *
     * <p>NOTE(review): {@code hasAuthority} / {@code principal} inside a
     * {@code @Query} SpEL block are only available when the Spring Security Data
     * evaluation-context extension is registered as a bean — confirm it is present,
     * otherwise the query fails to parse at runtime. The query also mixes a
     * positional {@code ?1} binding with named ({@code :#{}}) and positional
     * ({@code ?#{}}) SpEL markers; verify the Spring Data version in use accepts
     * that combination.
     *
     * @param orderId the id of the order to load
     * @return the order, or null when it does not exist or the caller may not see it
     */
    @Query("select o from BeerOrder o where o.id =?1 and " +
            "(true = :#{hasAuthority('order.read')} or o.customer.id = ?#{principal?.customer?.id})")
    BeerOrder findOrderByIdSecure(UUID orderId);