How to secure just some of the scaffolded controller methods

  • How to secure just some of the scaffolded controller methods

    Hi, this is my problem:
    1. suppose we have a RooScaffoldController
    2. suppose we have ROLE_USER and ROLE_ADMIN users

    What I'd like to do is have ROLE_USER access the create, createForm, show, update and updateForm methods, but not delete and list, which should only be accessible to ROLE_ADMIN.

    I was able to do it for the delete method by adding

    <intercept-url pattern="/dogs/*" access="hasRole('ROLE_ADMIN')" method="DELETE" />

    in applicationContext-security.

    But list, create and update share the same GET request method, so how do I discriminate a createForm from a list, for example?

    In addition, why do I have to state pattern="/dogs/*" if the URL I call is of the form dogs?form?

    Can someone help me, please?

  • #2
    For now, what I could do is this:

    Code:
    <http auto-config="true" use-expressions="true" path-type="regex">
        <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/resources/j_spring_security_logout"/>
        <!-- Configure these elements to secure URIs in your application.
             Rules are evaluated in order and the first match wins; with path-type="regex"
             each pattern must match the whole request URI plus query string. -->
        <intercept-url pattern="/dogs\?form" access="permitAll"/>               <!-- matches createForm -->
        <intercept-url pattern="/dogs.+?form" access="hasRole('ROLE_USER')"/>   <!-- matches updateForm -->
        <intercept-url pattern="/dogs\?page.+" access="hasRole('ROLE_ADMIN')"/> <!-- matches paged list -->
        <!-- In regex mode "*" is a quantifier, so "/dogs/*" can never match "/dogs/7"; match the id explicitly -->
        <intercept-url pattern="/dogs/\d+" access="hasRole('ROLE_ADMIN')" method="DELETE"/> <!-- matches delete -->
        <!-- Requests matched by no rule above (e.g. GET /dogs without paging parameters, GET /dogs/7, POST /dogs) are not restricted at all -->
    </http>
    But it's a solution I don't really like. Is it the only way to do it?

    I even tried to use global-method-security, pushing the methods from the .aj into the Java class and using the @Secured annotation, but I was not able to make it manage the login form like it does with the current configuration.
    Now, if the user has to log in, the app automatically displays the login form. With global-method-security, if the user has to log in, the app just redirects to a page that says invalid access or something like that. How could I solve this?

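    The rule set in the post above is worth replaying against the requests a Roo scaffold actually issues before trusting it. The class below is an added example, not code from the thread or from Spring Roo: it evaluates a list of intercept-url rules with the same first-match, whole-string semantics Spring Security's regex matcher uses (the pattern is matched with matches() against the request URI plus "?" plus the query string, and an optional HTTP method), first for the rules exactly as posted and then for a tightened set that covers the bare list URL, the numeric id in the delete rule and a deny-by-default fall-through under /dogs. The request list is constructed from the default Roo mappings (list is paged as /dogs?page=1&size=10, update is PUT /dogs, delete is DELETE /dogs/{id}); the role names are the thread's own. Whether the security chain sees PUT/DELETE or the raw POST that carries _method depends on where HiddenHttpMethodFilter sits relative to springSecurityFilterChain in web.xml, which is why the tightened set also pins POST /dogs/{id} to ROLE_ADMIN.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: replays regex intercept-url rules against constructed Roo scaffold requests. */
public class InterceptUrlCheck {

    /** One <intercept-url pattern=".." access=".." method=".."/> element. */
    static final class Rule {
        final Pattern pattern;
        final String access;
        final String method; // null means "any HTTP method"

        Rule(String regex, String access, String method) {
            this.pattern = Pattern.compile(regex);
            this.access = access;
            this.method = method;
        }

        /** Same test Spring Security applies: optional method check, then full-string regex match. */
        boolean matches(String httpMethod, String uriAndQuery) {
            return (method == null || method.equals(httpMethod))
                    && pattern.matcher(uriAndQuery).matches();
        }
    }

    /** Access expression of the first matching rule; "NO RULE" means the request is unrestricted. */
    static String decide(List<Rule> rules, String httpMethod, String uriAndQuery) {
        for (Rule r : rules) {
            if (r.matches(httpMethod, uriAndQuery)) {
                return r.access;
            }
        }
        return "NO RULE (unrestricted)";
    }

    /** The rules exactly as posted in #2 (path-type="regex"). */
    static final List<Rule> AS_POSTED = Arrays.asList(
            new Rule("/dogs\\?form", "permitAll", null),
            new Rule("/dogs.+?form", "hasRole('ROLE_USER')", null),
            new Rule("/dogs\\?page.+", "hasRole('ROLE_ADMIN')", null),
            new Rule("/dogs/*", "hasRole('ROLE_ADMIN')", "DELETE"));

    /** Tightened set: explicit list and delete rules, then deny-by-default under /dogs. */
    static final List<Rule> TIGHTENED = Arrays.asList(
            new Rule("/dogs\\?form", "hasRole('ROLE_USER')", "GET"),        // createForm
            new Rule("/dogs/\\d+\\?form", "hasRole('ROLE_USER')", "GET"),    // updateForm
            new Rule("/dogs(\\?.*)?", "hasRole('ROLE_ADMIN')", "GET"),       // list, paged or not
            new Rule("/dogs/\\d+", "hasRole('ROLE_ADMIN')", "DELETE"),       // delete
            new Rule("/dogs/\\d+", "hasRole('ROLE_ADMIN')", "POST"),         // delete if _method is not yet translated
            new Rule("/dogs(/.*)?(\\?.*)?", "hasRole('ROLE_USER')", null));  // show, create, update, anything else

    /** Constructed requests: {HTTP method as seen by the filter chain, URI + query string}. */
    static final String[][] REQUESTS = {
            {"GET", "/dogs?form"},            // createForm
            {"POST", "/dogs"},                // create
            {"GET", "/dogs/7"},               // show
            {"GET", "/dogs/7?form"},          // updateForm
            {"PUT", "/dogs"},                 // update
            {"GET", "/dogs?page=1&size=10"},  // list, paged
            {"GET", "/dogs"},                 // list, no paging parameters
            {"DELETE", "/dogs/7"},            // delete
            {"POST", "/dogs/7"},              // delete before HiddenHttpMethodFilter rewrites the method
    };

    public static void main(String[] args) {
        for (String[] req : REQUESTS) {
            System.out.printf("%-6s %-22s posted: %-24s tightened: %s%n",
                    req[0], req[1],
                    decide(AS_POSTED, req[0], req[1]),
                    decide(TIGHTENED, req[0], req[1]));
        }
    }
}
```

    Running it shows the two defects in the posted set: GET /dogs, GET /dogs/7, POST /dogs and PUT /dogs match no rule and are therefore open to anyone, and DELETE /dogs/7 is also open because "/dogs/*" as a regex only matches "/dogs" followed by slashes. The tightened set classifies every constructed request as ROLE_ADMIN or ROLE_USER.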

    • #3
      It's not a simple solution, but you can secure your controller methods with Spring Security annotations:
      1. Add <global-method-security pre-post-annotations="enabled" mode="aspectj"/> to applicationContext-security.xml
      2. Modify your pom as noted here: http://forum.springsource.org/showpo...7&postcount=12
      3. You will have to create your own security aspect to inject @PreAuthorize or @Secured annotations (since the methods you are trying to secure exist in Roo-managed .aj files):

        Code:
        import org.springframework.security.access.prepost.PreAuthorize;

        // Attaches @PreAuthorize to Dog.remove(), which Roo introduces from a *_Roo_Entity.aj file
        // and so cannot be annotated in Dog.java directly. Assumes the aspect lives in the same
        // package as Dog and that <global-method-security mode="aspectj"/> is enabled.
        public aspect SecurityAspectBean
        {
            declare @method : public * Dog.remove() : @PreAuthorize("hasRole('ROLE_ADMIN')");
        }
      4. I think you need spring security 3.0.5 or greater.
      5. You may get an error something like "cannot use spring security X.x schema with spring security version Y.y". If so, change the schema location defined at the top of applicationContext-security.xml. For Spring Security 3.0.5, use:

        http://www.springframework.org/schem...rity-3.0.4.xsd

        For a 3.1 build of spring security, you can probably use:

        http://www.springframework.org/schem...curity-3.1.xsd

        NOTE: STS may still display the schema warning and an error marker in applicationContext-security.xml, but should not throw a compile error.


      • #4
        Thanks man, I'll try this and let you know. Thanks again.


        • #5
          acof, is it possible your intercept urls were not set up correctly at the time you were testing the annotations? I'd be surprised if the "@Secured" interceptor stepped in front of the general auth interceptor.


          • #6
            Originally posted by mikej View Post
            acof, is it possible your intercept urls were not set up correctly at the time you were testing the annotations? I'd be surprised if the "@Secured" interceptor stepped in front of the general auth interceptor.
            What do you mean? When I used @Secured I removed all intercept-urls from my configuration file. And when login was needed (since @Secured worked) I was not redirected to the login page, but to an exception page with an access denied message.


            • #7
              You should use both. @PreAuthorize and @Secured simply allow or deny access to annotated methods, they won't prompt for a login. That's the job of the intercept urls in the Spring Security configuration.

              Use the Spring Security config to define access requirements for broad swaths of your website such as /, /public, /user, /admin, etc.

              Then annotate your admin-only service method with @PreAuthorize or @Secured to prevent a normal logged-in user from accessing the method.


              • #8
                Originally posted by mikej View Post
                You should use both. @PreAuthorize and @Secured simply allow or deny access to annotated methods, they won't prompt for a login. That's the job of the intercept urls in the Spring Security configuration.

                Use the Spring Security config to define access requirements for broad swaths of your website such as /, /public, /user, /admin, etc.

                Then annotate your admin-only service method with @PreAuthorize or @Secured to prevent a normal logged-in user from accessing the method.
                OK, now I get it. I'll try your setup ASAP, thanks.


                • #9
                  One more thing: I'm desperately trying to understand where, when and how a URL of the form dogs?form gets directed to the controller method createForm of DogsController... I can't find any configuration file that sets up URL rewriting for the application.


                  • #10
                    The request mappings are defined by the @RequestMapping annotations.

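                    The two points made above (#7: intercept-urls handle the login redirect, annotations deny individual methods; #10: @RequestMapping decides which method a URL reaches) come together in the controller itself. The class below is an added example, not code from the thread or generated by Roo: it is the scaffolded DogController with its methods pushed in from the Roo .aj file, as the original poster tried, so that each one can carry a @PreAuthorize. The params = "form" and value = "/{id}" conditions are what separate GET /dogs?form, GET /dogs and GET /dogs/7?form even though the HTTP method is the same, which is the discrimination the first post could not express in intercept-url rules. Assumptions: a Roo entity Dog with its generated active-record methods (findDog, persist, merge, remove, findAllDogs, findDogEntries, countDogs) and hypothetical packages com.example.web and com.example.domain. Two things still have to be true for this to work: an intercept-url such as <intercept-url pattern="/dogs.*" access="isAuthenticated()"/> (regex mode) must remain in the http element so anonymous users are sent to the login page rather than to an AccessDeniedException page, and <global-method-security> in proxy mode must be declared in the application context that creates the controller beans (the DispatcherServlet's webmvc-config.xml), not only in the root context; mode="aspectj" as in #3 avoids that second problem because weaving does not care about context boundaries.

```java
package com.example.web; // hypothetical package

import javax.validation.Valid;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

import com.example.domain.Dog; // hypothetical Roo entity with generated active-record methods

/**
 * Added example: the scaffolded controller with methods pushed in from the .aj file
 * so that list() and delete() can be restricted to ROLE_ADMIN while the other
 * methods stay open to ROLE_USER. Authentication itself is still enforced by the
 * intercept-url rules in applicationContext-security.xml.
 */
@RequestMapping("/dogs")
@Controller
public class DogController {

    // GET /dogs?form : the "form" parameter makes this mapping more specific than list()
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(params = "form", method = RequestMethod.GET)
    public String createForm(Model uiModel) {
        uiModel.addAttribute("dog", new Dog());
        return "dogs/create";
    }

    // POST /dogs
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(method = RequestMethod.POST)
    public String create(@Valid Dog dog, BindingResult bindingResult, Model uiModel) {
        if (bindingResult.hasErrors()) {
            uiModel.addAttribute("dog", dog);
            return "dogs/create";
        }
        dog.persist();
        return "redirect:/dogs/" + dog.getId();
    }

    // GET /dogs/{id}
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public String show(@PathVariable("id") Long id, Model uiModel) {
        uiModel.addAttribute("dog", Dog.findDog(id));
        return "dogs/show";
    }

    // GET /dogs/{id}?form
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(value = "/{id}", params = "form", method = RequestMethod.GET)
    public String updateForm(@PathVariable("id") Long id, Model uiModel) {
        uiModel.addAttribute("dog", Dog.findDog(id));
        return "dogs/update";
    }

    // PUT /dogs (the scaffolded form sends POST with _method=PUT, rewritten by HiddenHttpMethodFilter)
    @PreAuthorize("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
    @RequestMapping(method = RequestMethod.PUT)
    public String update(@Valid Dog dog, BindingResult bindingResult, Model uiModel) {
        if (bindingResult.hasErrors()) {
            uiModel.addAttribute("dog", dog);
            return "dogs/update";
        }
        dog.merge();
        return "redirect:/dogs/" + dog.getId();
    }

    // GET /dogs and GET /dogs?page=1&size=10 : admin only, whether or not paging parameters are present
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(method = RequestMethod.GET)
    public String list(@RequestParam(value = "page", required = false) Integer page,
                       @RequestParam(value = "size", required = false) Integer size, Model uiModel) {
        if (page != null || size != null) {
            int sizeNo = size == null ? 10 : size.intValue();
            int firstResult = page == null ? 0 : Math.max(0, page.intValue() - 1) * sizeNo;
            uiModel.addAttribute("dogs", Dog.findDogEntries(firstResult, sizeNo));
            uiModel.addAttribute("maxPages", (int) Math.ceil((double) Dog.countDogs() / sizeNo));
        } else {
            uiModel.addAttribute("dogs", Dog.findAllDogs());
        }
        return "dogs/list";
    }

    // DELETE /dogs/{id} (sent as POST with _method=DELETE) : admin only
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/{id}", method = RequestMethod.DELETE)
    public String delete(@PathVariable("id") Long id) {
        Dog.findDog(id).remove();
        return "redirect:/dogs";
    }
}
```

                    With this in place a ROLE_USER who requests GET /dogs is authenticated by the filter chain, reaches list(), and is then rejected by the method interceptor with an AccessDeniedException, which is the intended outcome; an anonymous request to the same URL never reaches the controller and is redirected to /login by the intercept-url rule instead.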

                    • #11
                      Yeah, I got that too, I finally figured it out.


                      • #12
                        I tried to enable pre-post with mode=aspectj, but it seems to affect my Roo .aj finders. I get a "findAll method is not found" error and an exception is raised while initializing the application.

                        Any idea ?
