Marko Medojević – Software architecture blog

Aspect Oriented Programming for authorization in Spring

Posted on December 7, 2023December 7, 2023 by mmedojevic

Spring AOP, or Aspect-Oriented Programming, is a framework within the Spring Framework that enables modularization of cross-cutting concerns in Java applications. It allows developers to separate concerns like logging, security, and transaction management from the core business logic. AOP achieves this by introducing aspects, which are modules encapsulating cross-cutting concerns, and weaving them into the application at specified points. This helps in achieving better code modularity, reusability, and maintainability by reducing code duplication and promoting a cleaner architecture.

In this article we will show you how to utilize AOP for authorization.

This is a database table which contains products:

ID	Title	Quantity	TenantID
1	Product 1	40	2
2	Product 2	50	2
3	Product 3	20	10

ProductService class contains a method for product deletion:

public void delete(Integer id) {
    productRepository.deleteById(id);
}

public void delete(Integer id) {

productRepository.deleteById(id);

}

This service method is exposed trough REST API call which accepts ID parameter and calls the method which deletes product.

JWT of authenticated user contains its own tenant ID which is 2 in current example. So user should only be allowed to delete product 1 and product 2. Deletion attempt of product 3 should generate 403 forbidden.

We will create an annotation which should be placed before each protected method.

@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface ProductPermission {
}

@Target(ElementType.METHOD)

@Retention(RetentionPolicy.RUNTIME)

public @interface ProductPermission {

}

Next class we need is an aspect

@Aspect
@Component
public class ProductPermissionAspect {
    @Autowired
    private ProductRepository productRepository;
    @Autowired
    private AuthService authService;

    @Before("@annotation(com.your.package.aspect.annotation.ProductPermission)")
    public void check(JoinPoint joinPoint) {
        java.lang.Object〚〛 args = joinPoint.getArgs();
        Integer id = (Integer)args〚0〛;
        if(!isOwner(id, authService.getTenantId())) {
            throw new CustomException("Permission denied", HttpStatus.FORBIDDEN);
        }
    }

    private boolean isOwner(Integer id, Integer tenantId) {
        Product product = productRepository.findById(id)
                .orElseThrow(() -&gt; new CustomException("This product doesn't exists!", HttpStatus.NOT_FOUND ));
        return product.getTenantId().intValue() == tenantId.intValue();
    }
}

@Aspect

@Component

public class ProductPermissionAspect {

@Autowired

private ProductRepository productRepository;

@Autowired

private AuthService authService;

@Before("@annotation(com.your.package.aspect.annotation.ProductPermission)")

public void check(JoinPoint joinPoint) {

java.lang.Object〚〛 args = joinPoint.getArgs();

Integer id = (Integer)args〚0〛;

if(!isOwner(id, authService.getTenantId())) {

throw new CustomException("Permission denied", HttpStatus.FORBIDDEN);

}

private boolean isOwner(Integer id, Integer tenantId) {

Product product = productRepository.findById(id)

.orElseThrow(() -> new CustomException("This product doesn't exists!", HttpStatus.NOT_FOUND ));

return product.getTenantId().intValue() == tenantId.intValue();

}

Finally we are going to annotate a protected method from service

@ProductPermission
public void delete(Integer id) {
    productRepository.deleteById(id);
}

@ProductPermission

public void delete(Integer id) {

productRepository.deleteById(id);

}

Order of actions

@ProductPermission annotation triggers ProductPermissionAspect.check method execution before each call of annotated method
ProductPermissionAspect grabs first parameter of a target method call which is product ID
ProductPermissionAspect checks if the product belongs to tenant of an authenticated user
ProductPermissionAspect generates 403 forbidden if the product doesn’t belong to the user

If you want to deep dive into more details:

https://docs.spring.io/spring-framework/reference/core/aop.html

https://www.baeldung.com/spring-aop

MariaDB recursive query

Posted on September 19, 2023 by mmedojevic

Database table org_structure stores an organizational structure nested hierarchy. It starts from the root (CEO) which has parent_id NULL.

id	title	parent_id
1	CEO	NULL
2	Director 1	1
3	Director 2	1
4	Manager 1	2
5	Manager 2	2
6	Manager 3	3
7	Manager 4	3
8	OP 1	4
9	OP 2	4
10	OP 3	5
11	OP 4	5
12	OP 5	6
13	OP 6	6
14	OP 7	7
15	OP 8	7

This is a graphical representation of org_structure database table.

Let us take an example that we want to select “Director 2” and every descendant in the hierarchy. So result will include (Director 2, Manager 3, Manager 4, OP 5 – 8).

MariaDB provides elegant solution for this problem (recursive queries).

with recursive res (id, title) as (
  select id, title 
  from org_structure
  where id = 3
  union all
  select os.id, os.title 
  from org_structure os
  inner join res
  on os.parent_id = res.id
)
select * from res;

with recursive res (id, title) as (

select id, title

from org_structure

where id = 3

union all

select os.id, os.title

from org_structure os

inner join res

on os.parent_id = res.id

)

select * from res;

Result:

3 Director 2
6 Manager 3
7 Manager 4
12 OP 5
13 OP 6
14 OP 7
15 OP 8

Detailed explanation can be found on following link:
https://mariadb.com/kb/en/recursive-common-table-expressions-overview/

Spring boot dependency injection using @ConditionalOnProperty annotation

Posted on September 16, 2023 by mmedojevic

Suppose that you have a webshop with a credit card payment option. Credit card payments work fine in a production environment. There is a new requirement to implement a sandbox environment for the webshop. Sandbox environment doesn’t charge your credit card. It always returns a successful response.

Each checkout implementation is based on the following CheckoutService interface:

public interface CheckoutService {
    public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber);
}

public interface CheckoutService {

public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber);

}

The implementation of CheckoutService an interface for the production environment is BankCheckoutService

@Service
public class BankCheckoutService implements CheckoutService {
    @Override
    public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {
        System.out.println("charge credit card using real payment gateway");
        return true;
    }
}

@Service

public class BankCheckoutService implements CheckoutService {

@Override

public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {

System.out.println("charge credit card using real payment gateway");

return true;

}

CheckoutController gets instance of CheckoutService using @Autowired annotation (dependency injection).

@RestController
public class CheckoutController {
    private final CheckoutService checkoutService;

    @Autowired
    public CheckoutController(CheckoutService checkoutService) {
        this.checkoutService = checkoutService;
    }

    @GetMapping("/checkout")
    public ResponseEntity&lt;Boolean&gt; checkout() {
        Integer orderId = 12377;
        BigDecimal amount = new BigDecimal(20000.50);
        String creditCardNumber = "4111111111111111";
        boolean success = checkoutService.checkout(orderId, amount, creditCardNumber);
        return ResponseEntity.ok(success);
    }
}

@RestController

public class CheckoutController {

private final CheckoutService checkoutService;

@Autowired

public CheckoutController(CheckoutService checkoutService) {

this.checkoutService = checkoutService;

}

@GetMapping("/checkout")

public ResponseEntity<Boolean> checkout() {

Integer orderId = 12377;

BigDecimal amount = new BigDecimal(20000.50);

String creditCardNumber = "4111111111111111";

boolean success = checkoutService.checkout(orderId, amount, creditCardNumber);

return ResponseEntity.ok(success);

}

Let us create a new implementation of CheckoutService interface for the sandbox environment:

@Service
public class SandboxCheckoutService implements CheckoutService {
    @Override
    public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {
        System.out.println("don't charge credit card, always return successful response");
        return true;
    }
}

@Service

public class SandboxCheckoutService implements CheckoutService {

@Override

public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {

System.out.println("don't charge credit card, always return successful response");

return true;

}

It will work fine if we replace a constructor of CheckoutController to get SandboxCheckoutService bean:

@Autowired
public CheckoutController(SandboxCheckoutService checkoutService) 
    this.checkoutService = checkoutService;   
}

@Autowired

public CheckoutController(SandboxCheckoutService checkoutService)

this.checkoutService = checkoutService;

}

However, we want to instantiate either BankCheckoutService or SandboxCheckoutService based on the variable in the application properties file. SandboxCheckoutService should be instantiated if application properties contains the following content:

sandbox=true

1	sandbox=true

If sandbox the variable is false BankCheckoutService will be instantiated.

Spring Boot already has a solution. @ConditionalOnProperty annotation provides us the possibility to conditionally instantiate bean based on property value from application.properties file.

BankCheckoutService:

@Service
@ConditionalOnProperty(name = "sandbox", havingValue = "false")
public class BankCheckoutService implements CheckoutService {
    @Override
    public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {
        System.out.println("charge credit card using real payment gateway");
        return true;
    }
}

@Service

@ConditionalOnProperty(name = "sandbox", havingValue = "false")

public class BankCheckoutService implements CheckoutService {

@Override

public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {

System.out.println("charge credit card using real payment gateway");

return true;

}

SandboxCheckoutService

@Service
@ConditionalOnProperty(name = "sandbox", havingValue = "true")
public class SandboxCheckoutService implements CheckoutService {
    @Override
    public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {
        System.out.println("don't charge credit card, always return successful response");
        return true;
    }
}

@Service

@ConditionalOnProperty(name = "sandbox", havingValue = "true")

public class SandboxCheckoutService implements CheckoutService {

@Override

public boolean checkout(Integer orderId, BigDecimal amount, String creditCardNumber) {

System.out.println("don't charge credit card, always return successful response");

return true;

}

The controller doesn’t have to be changed since it expects CheckoutService interface which is implemented in both BankCheckoutService and SandboxCheckoutService. Controller depends on abstraction not implementation as it is specified in SOLID principle.

We can now switch between BankCheckoutService and SandboxCheckoutService by changing the sandbox variable in the application.properties file.