  • Authorize tag when using a custom Voter

    Hi all,

    I have defined a custom Voter to check roles depending on business data that is in the HTTP session (in fact it depends on the datasource we use).
    I can secure my method like this (and it works like a charm):

    Code:
        
        @Secured("DS_ROLE_EDITOR")
        public void deleteCustomer(String id){
        ...
        }
    In this example, the datasourceRoleVoter checks if the connected user has the role "EDITOR" on the datasource currently used.

    Now I would like to secure my JSP pages using these DS_ROLE_* roles.

    I tried to use
    Code:
    	<sec:authorize  access="hasRole('DS_ROLE_EDITOR')">
    	You are editor on this datasource
    	</sec:authorize>
    But it doesn't work.

    How can I tell the Spring Security authorize tag to use my voter, so it will check whether the user is an EDITOR for that datasource?

    Here is my config file:
    Code:
    	
    	<http auto-config="true" use-expressions="true"
    		access-decision-manager-ref="webAccessDecisionManager">
    		<http-basic />
    		<intercept-url pattern="/**" access="isAuthenticated()" />
    	</http>
    	
    	<global-method-security secured-annotations="enabled"
    		jsr250-annotations="enabled" pre-post-annotations="enabled"
    		access-decision-manager-ref="methodAccessDecisionManager">
    	</global-method-security>
    
    	<beans:bean id="methodAccessDecisionManager"
    		class="org.springframework.security.access.vote.AffirmativeBased">
    		<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:ref bean="datasourceRoleVoter" />
    				<beans:ref bean="roleVoter" />
    				<beans:ref bean="authenticatedVoter" />
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    
    	<beans:bean id="webAccessDecisionManager"
    		class="org.springframework.security.access.vote.AffirmativeBased">
    		<beans:property name="decisionVoters">
    			<beans:list>
    				<beans:ref bean="datasourceRoleVoter" />
    				<beans:ref bean="roleVoter" />
    				<beans:ref bean="authenticatedVoter" />
    				<beans:ref bean="webExpressionVoter" />
    			</beans:list>
    		</beans:property>
    	</beans:bean>
    
    
    	<beans:bean id="datasourceRoleVoter"
    		class="com.mycompany.DataSourceRoleVoter">
    		<beans:property name="rolePrefix" value="DS_ROLE_" />
    	</beans:bean>
    	<beans:bean id="webExpressionVoter"
    		class="org.springframework.security.web.access.expression.WebExpressionVoter" />
    	<beans:bean id="authenticatedVoter"
    		class="org.springframework.security.access.vote.AuthenticatedVoter" />
    	<beans:bean id="roleVoter"
    		class="org.springframework.security.access.vote.RoleVoter" />
    
    	...
    Thanks in advance for your answers.

    Hervé

  • #2
    I finally created my own expression handlers and use them in both method and web security.

    Code:
    	<http auto-config="true" use-expressions="true">
    		<http-basic />
    		<expression-handler ref="datasourceRoleWebSecurityExpressionHandler"/>
    		<intercept-url pattern="/**" access="isAuthenticated()" />
    	</http>
    	
    	<beans:bean id="datasourceRoleWebSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceWebSecurityExpressionHandler"/>
    	
    
    	<global-method-security secured-annotations="enabled"
    		jsr250-annotations="enabled" pre-post-annotations="enabled">
    		<expression-handler ref="datasourceRoleMethodSecurityExpressionHandler"/>
    	</global-method-security>
    	
    	<beans:bean id="datasourceRoleMethodSecurityExpressionHandler" class="com.ibm.bcc.adminapp.web.domain.datasource.security.DataSourceMethodSecurityExpressionHandler"/>
    So now, I can use the same expression for web and method security.

    Code:
    <sec:authorize access="hasDsRole('EDITOR')"> The secured content </sec:authorize>
    Code:
    @PreAuthorize("hasDsRole('EDITOR')")
    public void aSecuredMethod()
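
Why the first attempt could not work: `<sec:authorize access="...">` hands the expression to the web security expression handler, so `hasRole('DS_ROLE_EDITOR')` only tests whether the literal authority `DS_ROLE_EDITOR` is among the user's granted authorities; the voters listed in an access-decision-manager are never consulted for an expression. Post #2 resolves this by putting the datasource check into the expression root objects themselves. The class below is an added example of that wiring and is not the thread author's code. It is written against the Spring Security 3.1 `createSecurityExpressionRoot` hook of `DefaultWebSecurityExpressionHandler` and `DefaultMethodSecurityExpressionHandler`; the class names, the `DataSourceRoleService` interface (a stand-in for whatever the poster's `DataSourceRoleVoter` consults) and the `currentDataSource` session attribute are assumptions.

```java
import javax.servlet.http.HttpSession;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.security.web.access.expression.WebSecurityExpressionRoot;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** One hasDsRole('X') shared by <sec:authorize>, <intercept-url> and @PreAuthorize (Spring Security 3.1 API). */
public final class DataSourceRoleExpressions {

    /** Session attribute holding the id of the datasource in use (assumed name, not from the thread). */
    static final String CURRENT_DS_ATTR = "currentDataSource";

    /** Hypothetical stand-in for whatever the thread's DataSourceRoleVoter consults. */
    public interface DataSourceRoleService {
        boolean hasRole(Authentication user, String dataSourceId, String role);
    }

    /** Shared check; fails closed when there is no session, no datasource or no authenticated user. */
    static boolean check(DataSourceRoleService svc, Authentication auth, HttpSession session, String role) {
        if (svc == null || auth == null || !auth.isAuthenticated() || session == null) {
            return false;
        }
        Object ds = session.getAttribute(CURRENT_DS_ATTR);
        return ds instanceof String && svc.hasRole(auth, (String) ds, role);
    }

    /** Web root: hasDsRole sits beside the built-in hasRole, hasIpAddress, isAuthenticated. */
    public static final class WebRoot extends WebSecurityExpressionRoot {
        private final DataSourceRoleService svc;
        WebRoot(Authentication auth, FilterInvocation fi, DataSourceRoleService svc) {
            super(auth, fi);
            this.svc = svc;
        }
        public boolean hasDsRole(String role) {
            // 'request' is the public field WebSecurityExpressionRoot exposes for the current request.
            return check(svc, getAuthentication(), request.getSession(false), role);
        }
    }

    /** Method root; implements MethodSecurityExpressionOperations so filterObject/returnObject keep working. */
    public static final class MethodRoot extends SecurityExpressionRoot implements MethodSecurityExpressionOperations {
        private final DataSourceRoleService svc;
        private Object filterObject, returnObject, target;
        MethodRoot(Authentication auth, DataSourceRoleService svc) {
            super(auth);
            this.svc = svc;
        }
        public boolean hasDsRole(String role) {
            // No FilterInvocation here: use the request bound to this thread (absent in jobs and
            // plain unit tests, where the check therefore fails closed).
            ServletRequestAttributes attrs = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
            HttpSession session = attrs == null ? null : attrs.getRequest().getSession(false);
            return check(svc, getAuthentication(), session, role);
        }
        public void setFilterObject(Object o) { filterObject = o; }
        public Object getFilterObject() { return filterObject; }
        public void setReturnObject(Object o) { returnObject = o; }
        public Object getReturnObject() { return returnObject; }
        void setThis(Object t) { target = t; }
        public Object getThis() { return target; }
    }

    /** For <http><expression-handler ref="..."/>; mirrors DefaultWebSecurityExpressionHandler's root setup. */
    public static class WebHandler extends DefaultWebSecurityExpressionHandler {
        private DataSourceRoleService svc;
        public void setDataSourceRoleService(DataSourceRoleService svc) { this.svc = svc; }
        @Override
        protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication auth, FilterInvocation fi) {
            WebRoot root = new WebRoot(auth, fi, svc);
            root.setPermissionEvaluator(getPermissionEvaluator());
            root.setTrustResolver(new AuthenticationTrustResolverImpl());
            root.setRoleHierarchy(getRoleHierarchy());
            return root;
        }
    }

    /** For <global-method-security><expression-handler ref="..."/>. */
    public static class MethodHandler extends DefaultMethodSecurityExpressionHandler {
        private DataSourceRoleService svc;
        public void setDataSourceRoleService(DataSourceRoleService svc) { this.svc = svc; }
        @Override
        protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authentication auth, MethodInvocation mi) {
            MethodRoot root = new MethodRoot(auth, svc);
            root.setThis(mi.getThis());
            root.setPermissionEvaluator(getPermissionEvaluator());
            root.setTrustResolver(new AuthenticationTrustResolverImpl());
            root.setRoleHierarchy(getRoleHierarchy());
            return root;
        }
    }
}
```

Wire the two handlers as the beans referenced from the post's `<expression-handler>` elements, using the nested class names (`DataSourceRoleExpressions$WebHandler` and `DataSourceRoleExpressions$MethodHandler`) and a `<beans:property name="dataSourceRoleService" ref="..."/>` on each. With this in place the first post's custom voter and the two `access-decision-manager-ref` beans are no longer needed for the expression path: `WebExpressionVoter` and the method-security expression advice evaluate `hasDsRole` through these roots. The method-side root reads the session via `RequestContextHolder`, so it only sees the datasource when a servlet request is bound to the calling thread; a scheduled job calling the same `@PreAuthorize`d service gets `false`, which is the safe default but is worth a test so it does not surprise anyone later.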
