AND, OR Conditions for global-method-security>protect-pointcut access in XML

  • AND, OR Conditions for global-method-security>protect-pointcut access in XML

    Below is my configuration:
    Code:
            <global-method-security pre-post-annotations="enabled" access-decision-manager-ref="accessDecisionManager">
                <expression-handler ref="expressionHandler"/>
                <protect-pointcut expression="execution(* com.myService.save(..))"
                    access="ACL_WRITE,ROLE_ADMIN"/>
                <after-invocation-provider ref="afterAclObjectRead"/>
                <after-invocation-provider ref="afterAclCollectionRead"/>
            </global-method-security>

    I am using Spring Security 3.1 with ACLs and expecting access="ACL_WRITE,ROLE_ADMIN" to grant access to a user with ROLE_ADMIN OR ACL_WRITE, but it is working like an AND condition, i.e. granting access only when the user has both ACL_WRITE AND ROLE_ADMIN.

    I strictly want to do it in XML and not using annotations. Also, I don't want to grant ACLs to ROLE_ADMIN, because going forward I might want to give the save access to some other roles based on business requirements.

    How can I solve this? How can I make it work as an OR condition?

    Also, I couldn't use EL here. Is there any way I can do something like access="ACL_WRITE or hasRole('ROLE_ADMIN')"?

  • #2
    Even I am facing the same problem.

    My configuration is:
    Code:
            <security:protect-pointcut expression="execution(* com.*service.addEntity(..))" 
                access="hasAnyRole('ROLE_ADMIN','ROLE_USER')"/>
    where I am expecting access="hasAnyRole('ROLE_ADMIN','ROLE_EXTN')" to grant access to a user with the ROLE_ADMIN or ROLE_USER authority. But it is working like an AND condition, granting access to a user who has both the ROLE_ADMIN and ROLE_USER authorities.
    Last edited by charybr; Jan 28th, 2013, 07:19 AM.

    • #3
      I came across the defect "Expression support in protect-pointcut XML config" (https://jira.springsource.org/browse/SEC-1663).

      I could find a workaround by adding MethodExpressionVoter as mentioned in this defect.

      Also, I was unable to use hasAnyRole because the attributes are built by splitting on commas, i.e. hasAnyRole('ROLE_ADMIN','ROLE_USER') is broken down into 2 expressions:
      hasAnyRole('ROLE_ADMIN and 'ROLE_USER), which is invalid.
      So I used hasRole instead, and it is working with the config below:
      Code:
              <security:protect-pointcut expression="execution(* com.*service.addEntity(..))" 
                  access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')"/>
      Best Regards,
      Chary
      Last edited by charybr; Jan 28th, 2013, 07:19 AM.
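The behaviour reported in the three posts above, as an added model written for this page (it is not Spring's own code and not the posters' configuration): a short simulation of how Spring Security 3.1 turns a protect-pointcut access string into attributes by splitting on commas, how a RoleVoter and an expression voter vote on those attributes, and how an AffirmativeBased decision manager (any grant wins, i.e. OR) differs from a UnanimousBased one (any denial wins, i.e. AND). The ACL voter, the principals and the writer list are constructed stand-ins for a real AclEntryVoter and ACL lookup, and the expression parser only understands `hasRole('X') or hasRole('Y')`, a deliberate simplification of MethodExpressionVoter.

```python
"""Constructed model of Spring Security 3.1 voter-based access decisions for
protect-pointcut attributes. The comma splitting, RoleVoter and decision-manager
semantics follow Spring; the ACL voter and expression voter are stand-ins."""
from collections import namedtuple
from enum import Enum

Principal = namedtuple("Principal", "name authorities")


class Vote(Enum):
    GRANTED = 1
    ABSTAIN = 0
    DENIED = -1


def split_attributes(access):
    """Mimic SecurityConfig.createListFromCommaDelimitedString: the access string
    is split on every comma with no awareness of quotes or parentheses, so an
    expression that itself contains a comma is torn into fragments."""
    return [a.strip() for a in access.split(",") if a.strip()]


class RoleVoter:
    """Supports ROLE_-prefixed attributes: grants if the principal holds any of
    them, denies if it supports some but the principal holds none, else abstains."""
    def vote(self, principal, attrs):
        result = Vote.ABSTAIN
        for attr in attrs:
            if attr.startswith("ROLE_"):
                result = Vote.DENIED
                if attr in principal.authorities:
                    return Vote.GRANTED
        return result


class AclWriteVoter:
    """Stand-in for AclEntryVoter on the ACL_WRITE attribute (constructed: a fixed
    set of principal names replaces a real ACL permission lookup)."""
    def __init__(self, writers):
        self.writers = set(writers)

    def vote(self, principal, attrs):
        if "ACL_WRITE" not in attrs:
            return Vote.ABSTAIN
        return Vote.GRANTED if principal.name in self.writers else Vote.DENIED


def parse_has_role_expression(attr):
    """Accept only `hasRole('X') or hasRole('Y') ...` and return the role names;
    anything else, including a comma-torn fragment, is a malformed expression."""
    roles = []
    for part in attr.split(" or "):
        part = part.strip()
        if not (part.startswith("hasRole('") and part.endswith("')")):
            raise ValueError("malformed expression attribute: %r" % attr)
        roles.append(part[len("hasRole('"):-2])
    return roles


class ExpressionVoter:
    """Stand-in for MethodExpressionVoter: handles attributes that look like SpEL
    (start with 'has'); a fragment that does not parse raises, as a broken SpEL
    expression would fail inside Spring."""
    def vote(self, principal, attrs):
        for attr in attrs:
            if attr.startswith("has"):
                roles = parse_has_role_expression(attr)
                held = any(r in principal.authorities for r in roles)
                return Vote.GRANTED if held else Vote.DENIED
        return Vote.ABSTAIN


def affirmative_based(voters, principal, attrs):
    """AffirmativeBased: one GRANTED vote from any voter is enough (OR); if no
    voter grants, the call is denied (allowIfAllAbstainDecisions defaults to false)."""
    for voter in voters:
        if voter.vote(principal, attrs) is Vote.GRANTED:
            return True
    return False


def unanimous_based(voters, principal, attrs):
    """UnanimousBased: each attribute is voted on separately and a single DENIED
    vote on any attribute rejects the call (AND); at least one GRANTED is needed."""
    grants = 0
    for attr in attrs:
        for voter in voters:
            vote = voter.vote(principal, [attr])
            if vote is Vote.DENIED:
                return False
            if vote is Vote.GRANTED:
                grants += 1
    return grants > 0


def decide(access, principal, voters, manager):
    """Evaluate one protect-pointcut access string for a principal."""
    return manager(voters, principal, split_attributes(access))


# Constructed sample principals and voter chains.
ADMIN = Principal("alice", frozenset({"ROLE_ADMIN"}))      # admin, no ACL entry
WRITER = Principal("bob", frozenset({"ROLE_USER"}))        # ACL writer, not admin
BOTH = Principal("dave", frozenset({"ROLE_ADMIN"}))        # admin and ACL writer
USER = Principal("carol", frozenset({"ROLE_USER"}))        # neither
ACL_VOTERS = [RoleVoter(), AclWriteVoter(["bob", "dave"])]
EXPR_VOTERS = [RoleVoter(), ExpressionVoter()]

if __name__ == "__main__":
    for manager in (affirmative_based, unanimous_based):
        for p in (ADMIN, WRITER, BOTH, USER):
            print(manager.__name__, p.name,
                  decide("ACL_WRITE,ROLE_ADMIN", p, ACL_VOTERS, manager))
    print(split_attributes("hasAnyRole('ROLE_ADMIN','ROLE_USER')"))
```

Running it shows three things the thread touches on: the same `ACL_WRITE,ROLE_ADMIN` attribute list behaves as OR under AffirmativeBased and as AND under UnanimousBased, so the bean referenced by `access-decision-manager-ref`, not the access string, fixes the combination rule (the thread does not say which manager the original poster wired); the comma inside `hasAnyRole('ROLE_ADMIN','ROLE_USER')` is split before any SpEL evaluator sees it, which is why the fragment is rejected; and a SpEL attribute is only honoured when a voter that understands expressions is in the chain, which is what the MethodExpressionVoter workaround adds.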
