I’m using Spring Security which works great to make sure that a user has

Question

0

Asked: May 29, 20262026-05-29T08:23:41+00:00 2026-05-29T08:23:41+00:00

I’m using Spring Security which works great to make sure that a user has

0

I’m using Spring Security which works great to make sure that a user has a certain role before accessing a resource. But now I need to verify something a little different:

`/product/edit/{productId}`

What is the best way to verify that the logged in user “owns” productId? My business mappings handle the relationship (a user has a list of products). I need to verify this product belongs to the user and hence, they can edit it.

I know how to gain access to productId and the logged in user in both the controller and an interceptor. I don’t believe this logic belongs in the controller at all. The interceptor seems better but I wondered if Spring Security had an “accepted” way of handling this situation.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-29T08:23:42+00:00

Editorial Team

2026-05-29T08:23:42+00:00Added an answer on May 29, 2026 at 8:23 am

Yes, in Spring you can implement this by implementing Access Control Lists. ACL declaration specifies permissions for individual objects per user. Once you have everything setup like acl entries in your database and logic, you can use SpEL and @PostFilter annotation to control the list of objects returned to a user.

Spring Security Documentation

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m using Spring Security which works great to make sure that a user has

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply