Announcement Announcement Module
Collapse
No announcement yet.
restrict access based on a database Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • restrict access based on a database

    Hello,

    I developed an application using spring security.
    I have secure it with intercept-url.
    But my application has several project, and an user can not acces at all projects, this permition is defined in my database.
    I want know if it's possible to use Spring security for restrict the access without add a ligne in all my controller.

    Thanks.

  • #2
    I kindly suggest you to try to use a PermissionEvaluator (you'll need to enable Spring Security’s ACL module). Here you may find further information. This could resolve your problems at controller level

    In case you're using Spring 3.1 (not sure if it's valid for 3.0), you may try the Accesscontrollist tag this way:
    Code:
    <sec:accesscontrollist hasPermission="admin,viewer" domainObject="${someProject}">
      // display the link giving access to the project
    </sec:accesscontrollist>
    Here is also a discussion about permissions.

    Best,
    Carlos.

    Comment


    • #3
      Thank's to spend your time to share. This is what I (and others, I believe), really need. It's really very informative post. Please keep it up. Looking for more relevant post.

      Comment


      • #4
        thanks for your response.

        When i have read your link, I have see the annotation @PreAuthorize for restrict the acces on the function. In my case i find this solution better as your Accesscontrollist .
        But when I want use it... nothing, this annotation not work. And i want know why. I have put
        Code:
        <global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
        In my applicationContext-security.xml. but nothing.
        I have try to move it in my applicationContext.xml and always nothing.
        I dont understand.

        Thanks.
        Last edited by deblockt; May 29th, 2012, 10:36 AM.

        Comment


        • #5
          Hi,

          I think you'll need to provide more info about your application, otherwise we'll in what I call "a guessing scenario".

          Info you might expose:
          - spring version
          - the applicationContext.xml
          - an example where you're using the @PreAuthorization annotation

          It also may help if you can inspect the log with DEBUG level, and see what happens when the annotated method is invoked.

          Check the schema namespace you put in the applicationContext.xml is OK.
          Check the global-method-security is in DispatcherServlet's context (I assume you're working with a web application).

          And also check the documentation in order to verify everything is OK.

          Comment


          • #6
            Hi,

            My version of Spring is : 3.1.0.RELEASE,
            And I use Spring Roo.

            My application Contexe is :
            Code:
            <?xml version="1.0" encoding="UTF-8" standalone="no"?>
            <beans xmlns="http://www.springframework.org/schema/beans" 
            		xmlns:security="http://www.springframework.org/schema/security" 
            	    xmlns:aop="http://www.springframework.org/schema/aop" 
            	    xmlns:context="http://www.springframework.org/schema/context" 
            	    xmlns:jee="http://www.springframework.org/schema/jee" 
            	    xmlns:tx="http://www.springframework.org/schema/tx" 
            	    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
            	    xsi:schemaLocation="http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.1.xsd 
            	    			        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
            	    			        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
            	    			        http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
            						    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
            						    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
            				
                <!--
                    This will automatically locate any and all property files you have
                    within your classpath, provided they fall under the META-INF/spring
                    directory. The located property files are parsed and their values can
                    then be used within application context files in the form of
                    ${propertyKey}.
                -->
                <context:property-placeholder location="classpath*:META-INF/spring/*.properties"/>
                <!--
                    Turn on AspectJ @Configurable support. As a result, any time you
                    instantiate an object, Spring will attempt to perform dependency
                    injection on that object. This occurs for instantiation via the "new"
                    keyword, as well as via reflection. This is possible because AspectJ
                    is used to "weave" Roo-based applications at compile time. In effect
                    this feature allows dependency injection of any object at all in your
                    system, which is a very useful feature (without @Configurable you'd
                    only be able to dependency inject objects acquired from Spring or
                    subsequently presented to a specific Spring dependency injection
                    method). Roo applications use this useful feature in a number of
                    areas, such as @PersistenceContext injection into entities.
                -->
                <context:spring-configured/>
                <!--
                    This declaration will cause Spring to locate every @Component,
                    @Repository and @Service in your application. In practical terms this
                    allows you to write a POJO and then simply annotate the new POJO as an
                    @Service and Spring will automatically detect, instantiate and
                    dependency inject your service at startup time. Importantly, you can
                    then also have your new service injected into any other class that
                    requires it simply by declaring a field for your service inside the
                    relying class and Spring will inject it. Note that two exclude filters
                    are declared. The first ensures that Spring doesn't spend time
                    introspecting Roo-specific ITD aspects. The second ensures Roo doesn't
                    instantiate your @Controller classes, as these should be instantiated
                    by a web tier application context. Refer to web.xml for more details
                    about the web tier application context setup services.
                    
                    Furthermore, this turns on @Autowired, @PostConstruct etc support. These 
                    annotations allow you to use common Spring and Java Enterprise Edition 
                    annotations in your classes without needing to do any special configuration. 
                    The most commonly used annotation is @Autowired, which instructs Spring to
                    dependency inject an object into your class.
                -->
                <context:component-scan base-package="com.logica.soa.ui">
                    <context:exclude-filter expression=".*_Roo_.*" type="regex"/>
                    <context:exclude-filter expression="org.springframework.stereotype.Controller" type="annotation"/>
                </context:component-scan>
            
            	<!-- THE GLOBAL SECURITY, COMMENT FOR TEST -->    
            <!--    	<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled"> -->
            
              	    <bean class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close" id="dataSource">
                    <property name="driverClassName" value="${database.driverClassName}"/>
                    <property name="url" value="${database.url}"/>
                    <property name="username" value="${database.username}"/>
                    <property name="password" value="${database.password}"/>
                    <property name="testOnBorrow" value="true"/>
                    <property name="testOnReturn" value="true"/>
                    <property name="testWhileIdle" value="true"/>
                    <property name="timeBetweenEvictionRunsMillis" value="1800000"/>
                    <property name="numTestsPerEvictionRun" value="3"/>
                    <property name="minEvictableIdleTimeMillis" value="1800000"/>
                    <property name="validationQuery" value="SELECT 1"/>
                </bean>
                <bean class="org.springframework.orm.jpa.JpaTransactionManager" id="transactionManager">
                    <property name="entityManagerFactory" ref="entityManagerFactory"/>
                </bean>
                <tx:annotation-driven mode="aspectj" transaction-manager="transactionManager"/>
                <bean class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean" id="entityManagerFactory">
                    <property name="persistenceUnitName" value="persistenceUnit"/>
                    <property name="dataSource" ref="dataSource"/>
                </bean>
                
            </beans>
            My applicationContext-Security :
            Code:
            <?xml version="1.0" encoding="UTF-8"?>
            <beans:beans xmlns="http://www.springframework.org/schema/security" 
                xmlns:beans="http://www.springframework.org/schema/beans" 
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
                <!-- HTTP security configurations -->
                <http auto-config="true" use-expressions="true" >
                    <form-login login-processing-url="/resources/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t" />
                    <logout logout-url="/resources/j_spring_security_logout" />
                    <!-- Configure these elements to secure URIs in your application -->
                    <intercept-url pattern="/choices/**" access="hasRole('ROLE_ADMIN')" />
                    <intercept-url pattern="/member/**" access="isAuthenticated()" />
                    <intercept-url pattern="/projects/**" access="isAuthenticated()" />
                    <intercept-url pattern="/campaigns/**" access="isAuthenticated()" />
                    <intercept-url pattern="/property/**" access="isAuthenticated()" />
                    <intercept-url pattern="/formats/**" access="isAuthenticated()" />
                    <intercept-url pattern="/connectors/**" access="isAuthenticated()" />
                    <intercept-url pattern="/suites/**" access="isAuthenticated()" />
                    <intercept-url pattern="/providers/**" access="isAuthenticated()" />
                    <intercept-url pattern="/test-cases/**" access="isAuthenticated()" />
                    <intercept-url pattern="/**" access="permitAll" />
                </http>
                
                
                <!-- Configure Authentication mechanism -->
            <!--     <authentication-manager alias="authenticationManager"> -->
            <!--         SHA-256 values can be produced using 'echo -n your_desired_password | sha256sum' (using normal *nix environments) -->
            <!--         <authentication-provider> -->
            <!--             <password-encoder hash="sha-256" /> -->
            <!--             <user-service> -->
            <!--                 <user name="admin" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918" authorities="ROLE_ADMIN" /> -->
            <!--                 <user name="user" password="04f8996da763b7a969b1028ee3007569eaf3a635486ddab211d512c85b9df8fb" authorities="ROLE_USER" /> -->
            <!--             </user-service> -->
            <!--         </authentication-provider> -->
            <!--     </authentication-manager> -->
                
                
            	<!-- Configure Authentication mechanism -->
            	<beans:bean name="conferenceAuthenticationProvider" class="com.logica.soa.ui.security.ConferenceAuthenticationProvider">
            	</beans:bean>
            	
              
            	<!-- Configure Authentication mechanism -->
            	<authentication-manager alias="authenticationManager">
            		<authentication-provider ref="conferenceAuthenticationProvider" />
            	</authentication-manager>
            	
            
            <!-- THE GLOBAL METHOD SECURITY -->
            		<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>
            
            </beans:beans>
            And I use this annotation for protect the acces of my controller by exemple :
            Code:
                @RequestMapping(params = "crea", produces = "text/html", method = RequestMethod.GET)
                @PreAuthorize("hasRole('ROLE_ADMIN')")
                public String seeProject(@RequestParam(value="crea", required = true) TstTestTool project, Model uiModel)

            Comment


            • #7
              the @PreAuthorize("hasRole('ROLE_ADMIN')") work with all function or only with the controller?

              And I want use the @PreAuthorize("hasRole('ROLE_ADMIN')") in a controller :
              Code:
               @RequestMapping(produces = "text/html", value = "/view")
               @PreAuthorize("hasPermission(#tstt, 'view')")
               public String list(@RequestParam(value = "project", required = false) TstTestTool tstt, Model uiModel) {
              my applicationContext.xml :
              Code:
                      <!-- CONFIGURE THE PERMISSION EVALUATOR -->
               	<beans:bean name="FlowUnitPermissionEvaluator" class="com.logica.soa.ui.security.FlowUnitPermissionEvaluator"/>
              
              	<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
                      <beans:property name="permissionEvaluator" ref="FlowUnitPermissionEvaluator"/>
                	</beans:bean>
                	
              	<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
                    	<expression-handler ref="expressionHandler"/>
                 	</global-method-security>
              But When I use the application the debug show that is always "DenyAllPermissionEvaluator" who are used.
              And I never seen my FlowUnitPermissionEvaluator.
              I don't understand why.

              Thanks
              Last edited by deblockt; May 30th, 2012, 03:05 AM.

              Comment


              • #8
                I have try your code
                Code:
                <sec:accesscontrollist hasPermission="admin,viewer" domainObject="${someProject}">
                  // display the link giving access to the project
                </sec:accesscontrollist>
                this code is ok, my classe is used for test the permission.
                but with the annotation @PreAuthorize my class is not used I don't understand why...

                Thanks

                Comment


                • #9
                  Originally posted by deblockt View Post
                  And I use this annotation for protect the acces of my controller by exemple :
                  Code:
                      @RequestMapping(params = "crea", produces = "text/html", method = RequestMethod.GET)
                      @PreAuthorize("hasRole('ROLE_ADMIN')")
                      public String seeProject(@RequestParam(value="crea", required = true) TstTestTool project, Model uiModel)
                  It sounds as though you are trying to secure your Spring MVC Controllers. You will need to ensure that you place the global-method-security in the web configuration as mentioned in the FAQ

                  Comment


                  • #10
                    Thanks My issue is solved
                    I have put
                    Code:
                     <!-- CONFIGURE THE PERMISSION EVALUATOR -->
                     	<beans:bean name="FlowUnitPermissionEvaluator" class="com.logica.soa.ui.security.FlowUnitPermissionEvaluator"/>
                    
                    	<beans:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
                            <beans:property name="permissionEvaluator" ref="FlowUnitPermissionEvaluator"/>
                      	</beans:bean>
                      	
                    	<global-method-security secured-annotations="enabled" pre-post-annotations="enabled">
                          	<expression-handler ref="expressionHandler"/>
                       	</global-method-security>
                    in the web.xml

                    Thanks

                    Comment

                    Working...
                    X