1
00:00:00,790 --> 00:00:03,588
Okay, so really we should secure everything.

2
00:00:03,588 --> 00:00:06,180
But I wanna give you a taste first of how to do that.

3
00:00:06,180 --> 00:00:11,910
So remember that our repositories expose all the HTTP verbs by default.

4
00:00:11,910 --> 00:00:14,530
Our security that we just set up says that if you're logged in,

5
00:00:14,530 --> 00:00:16,700
you can do whatever you want to any resource.

6
00:00:16,700 --> 00:00:19,020
That's probably not a good idea.

7
00:00:19,020 --> 00:00:21,725
Let's solve the delete example of reviews really quick, and

8
00:00:21,725 --> 00:00:23,850
then we'll swing back later and get the rest of them secured.

9
00:00:25,320 --> 00:00:32,010
Okay, so remember our review repository here is a paging and

10
00:00:32,010 --> 00:00:37,480
sorting repository, and it overrides the CrudRepository.

11
00:00:37,480 --> 00:00:42,110
So let's go ahead and look at some methods that are coming from the CrudRepository.

12
00:00:42,110 --> 00:00:44,130
So here they are, so there are these two.

13
00:00:44,130 --> 00:00:47,070
Let's go ahead and add these to this delete ID and delete entity.

14
00:00:47,070 --> 00:00:48,630
We're gonna override both of these.

15
00:00:50,530 --> 00:00:55,458
So, the first thing that we want to do is we want to grab one with the ID

16
00:00:55,458 --> 00:00:57,538
which is this long one here.

17
00:00:57,538 --> 00:01:02,630
And we're gonna mark it with the PreAuthorize annotation.

18
00:01:02,630 --> 00:01:08,042
And this PreAuthorize annotation takes an element that explains the security

19
00:01:08,042 --> 00:01:13,624
required in a Spring Security flavor of the Spring Expression Language or SpEL.

20
00:01:13,624 --> 00:01:15,041
So it's pretty handy, and

21
00:01:15,041 --> 00:01:18,690
it can be a wee bit foreign-looking if this is your first time seeing it.
22
00:01:18,690 --> 00:01:20,200
So, remember to check the teacher's notes,

23
00:01:20,200 --> 00:01:25,130
if you start doing that mind blown animated gif, memey thing, right?

24
00:01:25,130 --> 00:01:28,120
So, what we wanna do here is allow for deletes, right?

25
00:01:28,120 --> 00:01:31,440
If the reviewer is the current authenticated user,

26
00:01:31,440 --> 00:01:34,300
he should be able to delete it or she should be able to delete it.

27
00:01:34,300 --> 00:01:36,030
So that seems pretty straightforward, right?

28
00:01:36,030 --> 00:01:40,020
So we first need to get access to this repository.

29
00:01:40,020 --> 00:01:44,108
Now since these repos are available for injection, we can do this.

30
00:01:44,108 --> 00:01:46,270
We can use @reviewRepository, and

31
00:01:46,270 --> 00:01:51,231
that's gonna get whatever is currently wired, just like we would with auto wired.

32
00:01:51,231 --> 00:01:55,213
And then we're gonna use the method findOne which is on this, right, so

33
00:01:55,213 --> 00:01:56,725
we're gonna say findOne.

34
00:01:56,725 --> 00:02:00,259
And what we want to do is we wanna use whatever this long value that was

35
00:02:00,259 --> 00:02:00,883
passed in.

36
00:02:00,883 --> 00:02:04,625
I'm gonna go ahead, I'm gonna just name this to be id.

37
00:02:04,625 --> 00:02:10,150
And we wanna programmatically access what this is in our statement here.

38
00:02:10,150 --> 00:02:14,293
So what we need to do is we need to first expose that.

39
00:02:14,293 --> 00:02:17,586
So we're gonna say @Param, which is param,

40
00:02:17,586 --> 00:02:23,560
lets you do a query parameter there, and we're gonna mark that as id.

41
00:02:23,560 --> 00:02:26,740
And now we can access that in our statement here.

42
00:02:26,740 --> 00:02:30,790
So we're gonna say find one, and programmatically,

43
00:02:30,790 --> 00:02:36,680
to access that you do #id, okay, and now we should have access to review.
44
00:02:36,680 --> 00:02:40,680
So let's get ahold of the reviewer, right.

45
00:02:40,680 --> 00:02:43,650
And that's really calling getReviewer, right.

46
00:02:43,650 --> 00:02:49,230
And from here we wanna call the username or getUsername and what we want

47
00:02:49,230 --> 00:02:53,680
to do is we want to check if it's equal to whatever we have from authentication.

48
00:02:53,680 --> 00:02:57,900
And that's an object that's just passed there, .name.

49
00:02:57,900 --> 00:02:58,790
You know what, though?

50
00:02:58,790 --> 00:03:01,280
What happens if this is not found?

51
00:03:02,400 --> 00:03:05,640
We're gonna get that dreaded null pointer exception, aren't we?

52
00:03:05,640 --> 00:03:09,440
Now thankfully, there's a handy way to express that concern.

53
00:03:09,440 --> 00:03:14,510
If you follow an object with a question mark, it will make it optional and

54
00:03:14,510 --> 00:03:16,330
it will stop any sort of chaining, right.

55
00:03:16,330 --> 00:03:21,420
So that's optional, so it won't go into the next, right.

56
00:03:21,420 --> 00:03:24,830
So we know what happens if we get a review back but

57
00:03:24,830 --> 00:03:26,960
the reviewer is not there, we'd better make that optional, too.

58
00:03:28,330 --> 00:03:31,520
Okay, so the delete entity version is pretty similar.

59
00:03:31,520 --> 00:03:33,830
You just already have the entity, right?

60
00:03:33,830 --> 00:03:36,040
So, this guy here is very similar to this one.

61
00:03:36,040 --> 00:03:37,470
You just already have this.

62
00:03:37,470 --> 00:03:38,560
So, let's do this.

63
00:03:38,560 --> 00:03:39,470
Why don't you give it a go?

64
00:03:39,470 --> 00:03:41,470
Why don't you try that, and see if you can do it?

65
00:03:41,470 --> 00:03:43,940
Pause me, and then un-pause me, when you're done.

66
00:03:43,940 --> 00:03:46,180
Okay, wanna see how I did it?

67
00:03:46,180 --> 00:03:50,270
All right, so what I did, I said, @PreAuthorize.
68
00:03:50,270 --> 00:03:57,279
And I added, for this review, I added a new Param, and I called it review, okay?

69
00:03:57,279 --> 00:04:02,121
So I said, @review.reviewer, and

70
00:04:02,121 --> 00:04:07,580
then I made sure that there was a username.

71
00:04:08,940 --> 00:04:14,380
And then I checked to see if it was equal to the authentication.name.

72
00:04:14,380 --> 00:04:16,050
Okay, so let's see if it's working.

73
00:04:16,050 --> 00:04:18,720
Let's go ahead and we will come and reboot the server.

74
00:04:21,940 --> 00:04:26,823
And if we come over here, we should still be logged in as Jacob,

75
00:04:26,823 --> 00:04:29,970
and let's go take a look at the reviews.

76
00:04:35,489 --> 00:04:39,860
So here, this is Jacob's here, so his review is review number two.

77
00:04:39,860 --> 00:04:41,850
Here's a review from Mike Norman.

78
00:04:41,850 --> 00:04:44,590
So his rating was 2, he wanted more Java 9.

79
00:04:45,810 --> 00:04:51,390
Okay so let's go ahead and let's look at that review, and

80
00:04:52,790 --> 00:04:56,421
let's go ahead and let's log back in as Jacob here.

81
00:04:56,421 --> 00:05:01,560
And let's make Jacob try to delete that review.

82
00:05:01,560 --> 00:05:04,600
Now if everything's good, so I switched this delete and

83
00:05:04,600 --> 00:05:06,267
I have the header of Jacob logs in.

84
00:05:06,267 --> 00:05:10,600
If everything is good that we did, he should get blocked, Jacob should not now

85
00:05:10,600 --> 00:05:13,900
be able to do that, even though he was able to just before this.

86
00:05:13,900 --> 00:05:17,700
Awesome, access is denied, 403 forbidden.

87
00:05:17,700 --> 00:05:21,670
Cool, so let's just go ahead and verify that Jacob can delete his own,

88
00:05:21,670 --> 00:05:22,900
remember he was at 2.

89
00:05:22,900 --> 00:05:23,859
So let's go ahead inside this.

90
00:05:24,960 --> 00:05:26,520
Boom, and we got 204 No Content.
91
00:05:26,520 --> 00:05:29,580
So Jacob was allowed to delete his own, and let's just make sure that it's gone.

92
00:05:31,810 --> 00:05:35,240
Bam, so yeah, 404 not found on review number two.

93
00:05:35,240 --> 00:05:36,267
Awesome, we did it.

94
00:05:36,267 --> 00:05:39,843
So one thing I thought about here right now is that the reviewer, and

95
00:05:39,843 --> 00:05:42,360
only the reviewer, can delete the review.

96
00:05:42,360 --> 00:05:46,090
Now, we all know the web isn't the nicest of places, right?

97
00:05:46,090 --> 00:05:49,750
So we probably wanna make sure that if an administrator on the site saw a bad review

98
00:05:49,750 --> 00:05:53,850
from a bad reviewer, that they could delete it immediately, right?

99
00:05:53,850 --> 00:05:56,720
Now just because we use the name Role Admin doesn't mean it

100
00:05:56,720 --> 00:06:00,470
does anything at all, so why don't we make it do something?

101
00:06:00,470 --> 00:06:05,072
So one thing that we can do is we can use

102
00:06:05,072 --> 00:06:09,832
the role annotation, this hasRole.

103
00:06:09,832 --> 00:06:14,476
hasRole, and then ROLE_ADMIN or that, we'll do it for

104
00:06:14,476 --> 00:06:19,044
here too, hasRole, ROLE_ADMIN or, first.

105
00:06:19,044 --> 00:06:24,279
Cool, now if I see something, since I have the admin role,

106
00:06:24,279 --> 00:06:30,370
I can swing in and delete the review from the offensive person.

107
00:06:30,370 --> 00:06:34,230
Now, there are some more handy expressions that Spring Security introduces that you

108
00:06:34,230 --> 00:06:35,990
probably want to check out.

109
00:06:35,990 --> 00:06:37,450
I was thinking about something that we

110
00:06:37,450 --> 00:06:39,660
could do that I know our clients would like.

111
00:06:39,660 --> 00:06:43,770
How about instead of manually adding a reviewer to the reviews,

112
00:06:43,770 --> 00:06:45,950
why not just set the currently logged in user?
113
00:06:45,950 --> 00:06:47,420
Since we know they're authenticated,

114
00:06:47,420 --> 00:06:51,690
and we know who is making the post, it should be relatively easy, right?

115
00:06:51,690 --> 00:06:54,250
I mean, I've been meaning to show you about events anyway.

116
00:06:54,250 --> 00:06:56,660
So let's take a quick break and then I'll dive right into that.
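The two delete overrides the video walks through, written out as an added example rather than the course's own code. It assumes the Spring Data 1.x API shown in the video (findOne, delete(ID) and delete(T)), a Review entity whose getReviewer() returns a user with getUsername(), the default bean name reviewRepository, and it includes the configuration switch without which @PreAuthorize is silently ignored.

```java
// Added example, not the course's code. Assumes Spring Data 1.x (findOne/delete),
// a Review entity with getReviewer().getUsername(), and the default bean name
// "reviewRepository" that Spring Data derives from the interface name.
import org.springframework.context.annotation.Configuration;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;

public interface ReviewRepository extends PagingAndSortingRepository<Review, Long> {

    // Delete by id: look the review up through the injected repository bean so the
    // rule can see who wrote it. @Param("id") exposes the argument to SpEL as #id.
    // The '?.' safe-navigation operator makes a missing review or missing reviewer
    // evaluate to null (so the comparison is false and the caller gets 403) instead
    // of throwing a NullPointerException. hasRole('ROLE_ADMIN') lets an
    // administrator remove any review regardless of author.
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN') or "
            + "@reviewRepository.findOne(#id)?.reviewer?.username == authentication.name")
    void delete(@Param("id") Long id);

    // Delete by entity: the review is already in hand, so no lookup is needed.
    // Both overloads are secured because either one can be the path a DELETE takes.
    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN') or "
            + "#review.reviewer?.username == authentication.name")
    void delete(@Param("review") Review review);
}

// Method security is off by default: without prePostEnabled = true the
// @PreAuthorize annotations above are never evaluated and every delete succeeds.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}
```

A quick way to confirm the rule is live is the check from the video: a DELETE on another user's review must return 403, a DELETE on the caller's own review 204, and a GET on the deleted id 404.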