  • Spring Security + Java SE

    Hi everyone.
    I'm somewhat new to Spring Security but I do know the basics of Spring Framework (IoC).

    I have to create a Java SE 100% full entire complete desktop application and the user must log in to the system and can only perform tasks that he/she is granted to do.

    Basically, every single method should be checked for permissions.

    Searching the WEB I found that AOP could do that for me by filtering methods.
    However, I have come to this:

    - Hibernate as persistence layer.
    - Model (business logic) layer based on POJOs with simple classes and methods for executing tasks.
    - View layer, based on Swing, that would create classes from within the business logic and execute methods within the objects.

    Not sure if I said it right, I'm not too good with English.


    But that said, now I need to create a security layer for my app.
    There will be many users through my app. Every user must belong to a group that will define the user's permissions.

    I thought about Spring Security because I am already using Spring within my app and that would make sense.
    But every time I search the web for Spring Security and Java SE all I get is "yes, ACEGI works with SWING" and ONLY this: no tips, no clue, no "how-to"s, no guides, NOTHING.

    Does Spring Security really work for Java SE in this way? With no WEB APP defined, no container (like Tomcat), just Java SE?
    Or would I need Spring AOP to do this job?

    Not asking for a detailed tutorial...
    just a "where to start" for my problem.

    Thanks.

  • #2
    Originally posted by LordALMMa:
    It depends on what you want to apply the 'security' to. One of the most common use cases is enabling/disabling/hiding/showing UI widgets based on the user's role. I too looked around for examples or even a Swing framework unrelated to Spring Security. I found nothing, so I created my own.

    You can of course just grab the role from the Security context within your code, then make decisions based on the role - this is the way a lot of apps do it. The downside of that is this logic is then embedded in your code and if you want to add a role, or change the access controls of a widget, you have to change the code (which generally entails testing, release, etc.). Also, what if you want to reuse a widget or panel or workflow in a different app or in a different part of the app where there are different access privileges and/or roles?

    What I did, as a proof of concept, is write my own Java SecurityManager class and just override the checkPermission() method. Inside that method I check whether the permission being asked for is one of the permission classes I care about (I wrote my own, extending BasicPermission) and if it is then I look at the role of the current user. For each widget I want to apply access controls to, I name the widget using the setName() method of Component. Then I append a short role to that name in checkPermission() and call super.checkPermission().

    In a policy file I grant permissions like this:

    Code:
    grant {
      permission com.simple.security.uicontrol.UIControlPermission "Okay.button User", "display";
    };
    grant {
      permission com.simple.security.uicontrol.UIControlPermission "Okay.button Admin", "display,invoke";
    };
    And then I can ask the security manager whether I have permission to display and/or invoke something, so I call setVisible() if I can display it, and setEnabled() if the user can invoke it. "Okay.button" is the name of the component, and the SecurityManager appends either " User" or " Admin" to the name based on the role of the current user.

    The security logic is still inside your code, but now I have a permission configuration mechanism that is external to the code, that can be reused and set up for different apps, and that uses the standard Java Security mechanism. You can use the same mechanism for tasks, processes, etc. where you don't want or need method level security. Also, the logic can be applied as needed - not every UI widget needs to have this applied. However, if you apply it to every widget as you create/add them to your app, then if you need to add that capability it only requires changing the policy file.

    Note: I do not set the SecurityManager for the app - I will probably just use it (or an Access Controller) as a singleton. The default for Swing desktop apps is no SecurityManager and if you set one then it will check permissions for everything as if it were an applet. Things will probably start breaking (Spring Security did) because they don't have permissions to do the things they expect to do. To get around this you either have to add all of those permissions to a policy file, or ignore such requests in your own SecurityManager.

    As for integration with Spring Security, when my app starts, I just load my authentication provider bean and then use that to authenticate (after showing a login dialog to the user and getting their username/password) and set the authentication in the SecurityContextHolder.
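    The UIControlPermission / role-scoped checkPermission() design described in the reply above, as an added example that is not the poster's code: the two policy-file grants are reproduced as in-code grants so it runs offline, and the current role comes from a hypothetical Supplier standing in for the SecurityContextHolder lookup the post mentions. The controller is deliberately not installed with System.setSecurityManager(), as the post advises; note also that the SecurityManager/Policy machinery is deprecated for removal (JEP 411) and disabled from JDK 24 (JEP 486), so a stand-alone controller like this one is the safer shape.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.function.Supplier;
import javax.swing.JButton;

// Permission named "<component name> <role>" with actions "display" and/or "invoke".
class UIControlPermission extends BasicPermission {
    private final String actions;
    UIControlPermission(String name, String actions) { super(name); this.actions = actions; }
    @Override public String getActions() { return actions; }
    // BasicPermission.implies() only matches names; additionally require every requested action.
    @Override public boolean implies(Permission p) {
        if (!(p instanceof UIControlPermission) || !super.implies(p)) return false;
        String mine = "," + actions.replace(" ", "") + ",";
        for (String a : p.getActions().split(",")) if (!mine.contains("," + a.trim() + ",")) return false;
        return true;
    }
}

// Stand-alone access controller (held as a singleton, never installed as the JVM SecurityManager).
class UIAccessController {
    private final PermissionCollection granted = new Permissions();
    private final Supplier<String> currentRole;   // hypothetical; the post reads it from SecurityContextHolder
    UIAccessController(Supplier<String> currentRole) { this.currentRole = currentRole; }
    void grant(String scopedName, String actions) { granted.add(new UIControlPermission(scopedName, actions)); }
    // Append the current role to the component name before consulting the grants, as in the post.
    boolean permitted(String componentName, String action) {
        return granted.implies(new UIControlPermission(componentName + " " + currentRole.get(), action));
    }
    // Hide what the user may not display, disable what the user may not invoke.
    void apply(JButton button) {
        button.setVisible(permitted(button.getName(), "display"));
        button.setEnabled(permitted(button.getName(), "invoke"));
    }
}

public class UIControlDemo {
    public static void main(String[] args) {
        String[] role = {"User"};                        // constructed: stands in for the logged-in user's role
        UIAccessController acl = new UIAccessController(() -> role[0]);
        acl.grant("Okay.button User", "display");         // same grants as the policy file in the post
        acl.grant("Okay.button Admin", "display,invoke");
        JButton okay = new JButton("OK");
        okay.setName("Okay.button");
        acl.apply(okay);                                  // User: visible but disabled
        System.out.println("User: visible=" + okay.isVisible() + " enabled=" + okay.isEnabled());
        role[0] = "Admin";
        acl.apply(okay);                                  // Admin: visible and enabled
        System.out.println("Admin: visible=" + okay.isVisible() + " enabled=" + okay.isEnabled());
    }
}
```

    Because a request for "display,invoke" is only implied by a grant carrying both actions, a missing or mistyped action in a grant fails closed rather than silently enabling the widget.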
