I'm looking for a Spring Security "best practice" in getting user customizations for a logged-in user.

In my program I need to edit queries according to user identity. For example, "show me all orders, but filter the results to just those with my own ID". I'd also like to have the user injected for me.

One pattern offered to me on advice pages is:

@Query("select o from Orders o where o.username = ?#{principal.username}")
List<Orders> findAllOrders();

(I'm not sure how the code resolves "principal"...)

I suppose that I could edit this to:

@Query("select o from Orders o where o.username = ?#{principal.localUser.id} "
    + "and o.flavor = ?#{principal.localUser.flavor}")
List<Orders> findAllFavoriteFlavorOrders();

if I had a way of adding an instance of LocalUser to Principal. To make this happen I'd need to extend the Principal class and do the instance adding during the login logic.

Is there a better way? During the login process could I also store a User object globally, so that this would work:

@Query("select o from Orders o where o.username = ?#{localUser.id} "
    + "and o.flavor = ?#{localUser.flavor}")
List<Orders> findAllFavoriteFlavorOrders();

This link ("stackoverflow question about UserDetailsService") describes one way of managing this.

This link ("another stackoverflow question about UserDetailsService") describes something else.

Is either of these still "state of the art"?

Thanks in advance, Jerome.

Jerome P Mrozak
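
An added example, not part of the original post: one way to wire up what the question describes, so that `?#{principal.localUser.id}` resolves from the authenticated principal rather than from any client-supplied value. `SecurityEvaluationContextExtension` (from the spring-security-data module) is what exposes `principal` to SpEL in `@Query`. `SecurityDataConfig`, `LocalUser`, `LocalUserLookup` and `LocalUserPrincipal` are hypothetical names, and a `LocalUserLookup` bean is assumed to exist.

```java
// Added example; SecurityDataConfig, LocalUser, LocalUserLookup and LocalUserPrincipal
// are hypothetical names. Requires spring-security-data on the classpath.
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

@Configuration
public class SecurityDataConfig {
    /** Assumed application type holding the values the queries filter on. */
    public interface LocalUser {
        Long getId();
        String getFlavor();
        String getUsername();
        String getPasswordHash();
    }

    /** Assumed lookup, e.g. backed by a repository or DAO. */
    public interface LocalUserLookup {
        Optional<LocalUser> findByUsername(String username);
    }

    /** Principal that carries the LocalUser; SpEL reads it through getLocalUser(). */
    public static class LocalUserPrincipal extends User {
        private final LocalUser localUser;
        public LocalUserPrincipal(LocalUser localUser) {
            super(localUser.getUsername(), localUser.getPasswordHash(),
                  AuthorityUtils.createAuthorityList("ROLE_USER"));
            this.localUser = localUser;
        }
        public LocalUser getLocalUser() { return localUser; }
    }

    /** Exposes "principal" (the Authentication's principal) to ?#{...} in @Query. */
    @Bean
    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }

    /** Runs at login; the object it returns becomes authentication.getPrincipal(). */
    @Bean
    public UserDetailsService userDetailsService(LocalUserLookup lookup) {
        return username -> lookup.findByUsername(username)
                .map(LocalUserPrincipal::new)
                .orElseThrow(() -> new UsernameNotFoundException("unknown user"));
    }
}
```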

0 Answers