Hi Wmpark,
In order to handle this, you need to do some advanced authorization. Fortunately, you can use Spring Security's method security and SpEL to achieve this.
First, you should modify your (if not already) to return the allowed managers (or manager IDs). Then in your controller method (say GET /projects), you can do something like this.
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("projects")
@PostFilter("filterObject.managers.contains(authentication.token.subject)") // token is the Jwt, subject its "sub" claim
public List<Project> getProjects() {
    // Your logic
}
Here filterObject refers to an individual project. authentication refers to the JwtAuthenticationToken inbuilt class in Spring Boot. This assumes the subject claim in your JWT is the user's ID.
I'm planning to write on this as well. Couldn't do it yet.
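A fuller version of the same pattern, added here as an illustration and not part of the answer above or of Spring Security's own samples. It assumes Spring Security 5.6 or later (for @EnableMethodSecurity), a hypothetical Project class whose managers set holds user IDs, constructed sample data in place of a repository, and a JWT resource-server setup whose authentication is a JwtAuthenticationToken; it goes one step beyond the answer by also guarding the single-object endpoint with @PostAuthorize.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

// Without this the annotations below are silently ignored and every caller
// sees every project (Spring Security < 5.6: @EnableGlobalMethodSecurity(prePostEnabled = true)).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical domain object; managers holds the user IDs (JWT "sub" values) allowed to see it.
class Project {
    private final long id;
    private final Set<String> managers;
    Project(long id, Set<String> managers) { this.id = id; this.managers = managers; }
    public long getId() { return id; }
    public Set<String> getManagers() { return managers; }
}

@RestController
class ProjectController {
    // Constructed sample data standing in for a repository call.
    private final List<Project> projects = List.of(
            new Project(1, Set.of("user-1", "user-2")), new Project(2, Set.of("user-2")));

    // filterObject is each Project in the list; authentication is the JwtAuthenticationToken,
    // so authentication.token.subject is the JWT "sub" claim. The filter mutates the returned
    // collection in place, so return a fresh mutable copy, never a shared or immutable list.
    // The full list is loaded then filtered in memory; for big tables filter in the query.
    @GetMapping("/projects")
    @PostFilter("filterObject.managers.contains(authentication.token.subject)")
    public List<Project> getProjects() {
        return new ArrayList<>(projects); // sub=user-1 sees only project 1; user-2 sees both
    }

    // For a single object use returnObject: a non-manager gets 403 rather than an empty
    // body, so the project never leaves the method.
    @GetMapping("/projects/{id}")
    @PostAuthorize("returnObject.managers.contains(authentication.token.subject)")
    public Project getProject(@PathVariable long id) {
        return projects.stream().filter(p -> p.getId() == id).findFirst().orElseThrow();
    }
}
```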