mardi 22 mars 2016

Spring & Security: limit uploads to authenticated users

I'm facing a security problem regarding file uploads. How do I limit file uploads to specific user roles? I'm using @PreAuthorize("hasRole('USER')"), but it is uploading the file first and then checking the role. You can especially see this when file upload size is exceeded. User will get an upload size exceeded exception instead of redirecting to the login-form.

This is how my controller looks like:

@Controller
@PreAuthorize("hasRole('USER')")
@Secured("ROLE_USER") // added this just to see if it makes a difference, it doesn't
@RequestMapping(value = "/self/upload", produces = "application/json")
public class JsonUserSelfUpload {

...

@RequestMapping(value = "", method = RequestMethod.POST, consumes="multipart/form-data")
public ModelAndView fileUpload(
        @RequestParam(value = "file", required = true) MultipartFile inputFile,
        @RequestParam(value = "param1", defaultValue = "") String type,
        HttpServletResponse response
        ) throws Exception {

    ...
    }

}

Anyone know how to secure file uploads to specific roles?

Edit, to be more specific: I want to reject uploads if user is not authenticated. By reject I mean, close connection before the upload actually finishes. Not sure if spring is capable in doing this or I'd need a filter to reject uploads (multipart).



Spring & Security: limit uploads to authenticated users

Aucun commentaire:

Enregistrer un commentaire