
  • Problems with roles and privileges. Please help !

    Hello,
    I am trying to develop JSON web services authenticated with Spring Security, with roles and privileges database tables.

    When I create a user I give him a role called FREE_WIFLYER, and then I log in with it; it's OK.

    But then I have two issues:

    1 - I try to call another web service with
    Code:
    @PreAuthorize ("hasPermission(#toto, 'WIFLOW')")
    (WIFLOW is a permission that corresponds to the role FREE_WIFLYER), it doesn't work:
    My custom TemplatePermissionEvaluator is called correctly, but this line:
    Code:
    Collection<SimpleGrantedAuthority> authorities = (Collection<SimpleGrantedAuthority>) authentication.getAuthorities();
    returns a SimpleGrantedAuthority with ROLE_ANONYMOUS instead of FREE_WIFLYER. Where does this ROLE_ANONYMOUS come from?

    2 - In the following code of TemplatePermissionEvaluator:
    Code:
    Collection<SimpleGrantedAuthority> authorities = (Collection<SimpleGrantedAuthority>) authentication.getAuthorities();
    for (SimpleGrantedAuthority autho : authorities) {
        Role role = new Role();
        role.setName(autho.getAuthority());
        List<Privilege> privileges = role.getPrivileges();
        for (Privilege privilege : privileges) {
    I get a NullPointerException here because my privilege list is null. That's normal because ROLE_ANONYMOUS isn't defined in my DB, but even if I called it with an existing role, I'm not sure I'd get privileges because I build a new Role object not connected to the DB.
    So my question is: does Spring Security automatically load roles and permissions in memory, or do I have to write a class to load them in a cache or something... or do I need to read the DB each time a service is called?

    Any help would be greatly appreciated!
    Thanks.

  • #2
    Originally posted by waxapps
    So my question is: does Spring Security automatically load roles and permissions in memory, or do I have to write a class to load them in a cache or something... or do I need to read the DB each time a service is called?
    Spring Security provides several ways to load roles and permissions - but you'll need to configure it using the method that's most appropriate for your project. If none of the provided solutions is what you need, you'll need to create your own class to load roles/permissions and then wire it into Spring Security.

    The second part of your question depends on what you mean by "permissions". If you mean "Authorities" - then typically those are only loaded when the user authenticates into your application and then pulled from memory afterwards as needed. If you mean ACL permissions - then the answer is more complicated.

    Regarding the ROLE_ANONYMOUS - Spring Security (I think by default) creates that Authority when a user's session is created - and then removes it once the user has fully authenticated. If you're seeing that Authority - it's likely because your client hasn't authenticated into your application.

    Cheers,
    - Andy
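
Added example, not code from either post or from Spring Security itself: a fail-closed PermissionEvaluator for the hasPermission(#toto, 'WIFLOW') check discussed in this thread, which denies anonymous callers and resolves privileges from a role store instead of building an empty `new Role()`. The class name and the `RolePrivilegeLookup` interface are hypothetical; the lookup is assumed to be backed by the role/privilege tables, possibly cached.

```java
import java.io.Serializable;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class RoleBackedPermissionEvaluator implements PermissionEvaluator {

    /** Hypothetical lookup, e.g. a cached DAO over the role/privilege tables. */
    public interface RolePrivilegeLookup {
        /** Privilege names granted to a role; an empty set if the role is unknown. */
        Set<String> privilegesFor(String roleName);
    }

    private final RolePrivilegeLookup lookup;

    public RoleBackedPermissionEvaluator(RolePrivilegeLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny when there is no real login. An anonymous token can report
        // isAuthenticated() == true, so it is checked by type as well.
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken
                || !(permission instanceof String)) {
            return false;
        }
        // Iterate the GrantedAuthority interface; no cast to SimpleGrantedAuthority.
        for (GrantedAuthority authority : auth.getAuthorities()) {
            Set<String> privileges = lookup.privilegesFor(authority.getAuthority());
            // A role missing from the store grants nothing instead of throwing.
            if (privileges != null && privileges.contains(permission)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        return false; // id-based checks are not used in this example: deny
    }
}
```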
