Distributed security policies

src/main/java/es/uv/garcosda/endpoints/BlogRestController.java

@@ -8,6 +8,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -30,6 +32,7 @@ public class BlogRestController {
 	@Autowired private BlogService blogService;
 	
 	@GetMapping("posts")
+	@PreAuthorize("permitAll")
 	public PostsResponseDTO findPosts(@RequestBody PostsRequestDTO request) {
 		LOGGER.debug("View all posts");
 		Page<Post> pageData = blogService.findPosts(request);
@@ -38,6 +41,8 @@ public class BlogRestController {
 	}
 	
 	@GetMapping("posts/{id}")
+	@PreAuthorize("isAuthenticated() and #postId < 10")
+	@PostAuthorize("returnObject.isPresent() and returnObject.get().id >= 1")
 	public Optional<Post> findPostById(@PathVariable("id") Integer id) {
 		LOGGER.debug("View Post id: "+id);
 		Optional<Post> post = blogService.findPostById(id);
@@ -45,6 +50,7 @@ public class BlogRestController {
 	}
 	
 	@PostMapping("posts")
+	@PreAuthorize("hasRole('ADMIN') OR hasRole('USER')")
 	public ResponseEntity<Post> createPost(@RequestBody Post post) {
 		LOGGER.debug("Create post");
 		Post createdPost = blogService.createPost(post);
@@ -52,6 +58,7 @@ public class BlogRestController {
 	}
 			
 	@DeleteMapping("posts/{id}")
+	@PreAuthorize("hasRole('ADMIN')")
 	public void deletePostById(@PathVariable("id") Integer id) {
 		LOGGER.debug("Delete Post id: "+id);
 		blogService.deletePost(id);